There is one unifying factor common to 89% of phishing scams: the sender of the email almost always hides behind a fake identity, typically impersonating a brand or a specific person to trick users into trusting the message. This is why verifying and validating sender identity is so fundamental to how email security works and where it is heading.
Let’s dive into the three fundamentals you need to understand about sender identity and the role it plays in phishing.
1. What is sender identity?
Sender identity is simply who sent the email. The information in the “From” field includes the sending domain name, the email username (the part before the “@”), and sometimes a display name that the sender attaches to the account, such as “John Smith” or “Amazon Tech Support.”
2. What’s the problem?
To date, the security industry has struggled to keep the lid on email fraud because it’s focused so heavily on understanding the content of email. But the more we double down on filters, link blacklisting, and other forms of content-based controls, the more the bad guys come up with new content variations that bypass these filters.
And yet, most companies are not putting enough focus on strong sender identity policies — despite the fact that deceptive identity is the primary technique used by phishers.
This mismatch between threat and response allows the majority of phishing attacks to reach users’ inboxes.
3. How is sender identity used to manipulate recipients?
It’s surprisingly easy for attackers to manipulate the identity of an email. There are three ways this can be done: exact-domain spoofing, lookalike domains, and open signups.
With exact-domain spoofing, attackers appear as legitimate senders coming directly from the company’s own domain. In other words, they simply put an actual company email address in the “From” field of the phishing message. For most domains, this will be delivered in exactly the same way a legitimate message is, no matter where it was actually sent from.
Attackers don’t necessarily have to spoof the exact domain to hit their target. Many use lookalike or cousin domains to get a “close enough” counterfeit of a brand’s or person’s email identity. For example, they may be able to trick plenty of users simply by registering something like w1dgets.com or wdgets.com and passing it off as widgets.com.
This frequently works because of the way humans read: when scanning a word with missing or transposed letters, the brain fills them in smoothly and unconsciously.
Open signups that use a recognizable name
Another effective and simple method attackers use to fake sender identity is the open-signup attack. Also known as a “friendly-from” attack, this technique uses a generic email account at any of a number of trusted cloud email providers and assigns a safe-looking but fake display name to that address.
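The three techniques above can be told apart by looking only at the "From" header and one piece of context a mail gateway already has (whether the message originated from the organisation's own sending infrastructure). The following is an added example written for this article, not code from the original post or from any vendor; it assumes the protected domain is widgets.com (the article's example), a constructed list of protected display names, and a constructed list of public mailbox providers that allow open signups. It classifies each constructed sample header as exact-domain spoofing, a lookalike domain, an open-signup ("friendly-from") sender, or ordinary mail.

```python
from __future__ import annotations

from email.utils import parseaddr

# Constructed configuration (assumptions for this example, not from the article):
# the domain the organisation sends from, display names worth protecting, and a
# short list of public mailbox providers where anyone can sign up for an address.
OUR_DOMAIN = "widgets.com"
PROTECTED_NAMES = ("widgets", "john smith", "amazon tech support")
OPEN_SIGNUP_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "mail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_from(from_header: str) -> tuple[str, str, str]:
    """Return (display_name, local_part, domain), lower-cased, from a From: value."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    return name.strip().lower(), local.lower(), domain.lower()


def is_lookalike(domain: str) -> bool:
    """Flag domains that imitate OUR_DOMAIN, e.g. w1dgets.com or wdgets.com.

    Simplification: the brand label is taken as the left-most DNS label. A real
    deployment would compare registrable domains (public suffix list) instead.
    """
    if not domain or domain == OUR_DOMAIN:
        return False
    brand = OUR_DOMAIN.split(".")[0]
    label = domain.split(".")[0]
    # Within two edits of the brand (w1dgets, wdgets, widgest) or the brand
    # embedded in a longer label (widgets-support.com) or under another TLD.
    return edit_distance(label, brand) <= 2 or brand in label


def classify_sender(from_header: str, originated_internally: bool) -> str:
    """Map a From: header to one of the article's three deception techniques.

    originated_internally is assumed to come from the mail gateway, which knows
    whether the connection came from the organisation's own sending hosts.
    """
    name, _local, domain = split_from(from_header)

    if domain == OUR_DOMAIN:
        # Our own address in From:, but the message did not come from us.
        return "ok" if originated_internally else "exact_domain_spoof"

    if is_lookalike(domain):
        return "lookalike_domain"

    # Friendly-from: a free-mail address wearing a trusted display name, or a
    # display name that is itself written to look like one of our addresses.
    name_impersonates = any(p in name for p in PROTECTED_NAMES) or OUR_DOMAIN in name
    if domain in OPEN_SIGNUP_DOMAINS and name_impersonates:
        return "open_signup"

    return "ok"


# Constructed sample headers paired with the gateway's "originated internally" flag.
SAMPLE_HEADERS = [
    ('"John Smith" <john.smith@widgets.com>', False),        # our domain, from outside
    ('"John Smith" <john.smith@widgets.com>', True),         # genuine internal mail
    ('"Widgets Billing" <billing@w1dgets.com>', False),      # digit-for-letter lookalike
    ('"Widgets Billing" <billing@wdgets.com>', False),       # dropped-letter lookalike
    ('"John Smith" <jsmith1985@gmail.com>', False),          # free-mail account, trusted name
    ('"john.smith@widgets.com" <x7r2q@outlook.com>', False), # our address hidden in the name
    ('"Alice" <alice@partner.example>', False),              # unrelated sender
]


def classify_all(samples=SAMPLE_HEADERS) -> list[str]:
    """Classify every sample; used by the demo below and by tests."""
    return [classify_sender(header, internal) for header, internal in samples]


if __name__ == "__main__":
    for (header, _internal), verdict in zip(SAMPLE_HEADERS, classify_all()):
        print(f"{verdict:20} {header}")
```

The sixth sample shows why the display name must be inspected as text and not only matched against a list of names: an attacker can place a complete, legitimate-looking address in the quoted display name while the real mailbox sits at a free-mail provider, and many clients show only the display name. The edit-distance threshold of two is reasonable for a seven-letter brand label but should be tightened for short labels, where almost any word is within two edits.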