Email is under attack. With no authentication built into email’s core protocols, it has always been trivial for hackers to impersonate your CEO, your CFO, a trusted business partner, even government agencies.
This is a huge problem. Half the global population has at least one email account, and The Radicati Group estimates that 281 billion email messages are sent and received every day. That means hackers have an enormous attack surface to target, and they are doing just that. Phishing (usually using some kind of impersonation) is implicated in more than 90 percent of cyber attacks. Email allows attackers to target literally billions of people.
And for delivering malware, sending malicious links, snookering personal data out of people, or fraudulently convincing people to transfer corporate funds to the hacker’s accounts, email just works.
Quantifying the Fake Email Problem
Data on the frequency of fake emails can be hard to come by. However, an analysis of a representative subset of the message authorization requests processed by Valimail provides a snapshot of one type of impersonation: The fake From: address.
Valimail Enforce, our email authentication automation solution, provides real-time responses to mail gateway requests for Domain-based Message Authentication, Reporting & Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM). We also collect and analyze aggregate reports generated by these mail gateways. Valimail processes many billions of messages on behalf of our customers, and as a result, we have a unique view of the fake email universe.
In the first half of 2018, about 96 percent of the messages processed by mail gateways on behalf of our customers passed DMARC (they were identified as legitimate users of their apparent sender’s domain name). Another 1.6 percent failed DMARC, meaning their senders were not authorized by the domain owner, but the messages originated from senders known to be legitimate. These DMARC failures are attributable to new customers who have not yet authorized all the cloud-based services that should be able to send email on their behalf.
The remaining 2.2 percent of messages in H1 2018 failed DMARC and came from senders we categorize as suspicious or “possibly malicious.”
Applied to the enormous volume of messages sent worldwide, that rate would mean that 6.4 billion fake emails are being sent every day.
The Real Number Is Almost Certainly Bigger
Note: Valimail’s dataset is dominated by customers who have implemented DMARC at enforcement for months or years. Since we guarantee that our customers will get to enforcement, and typically take just a few months to get there, most of our customer base has a DMARC policy of “quarantine” or “reject.”
We have observed that as customers implement DMARC enforcement, the number of exact-domain impersonation attempts tends to fall off as attackers realize their messages are no longer being delivered. So this result almost certainly undercounts the rate of domain spoofing that most domains (those not protected by DMARC) will see.
We have noticed that fraud rates go up and down as attackers around the world launch new phishing campaigns or discontinue them. In our Email Fraud Landscape for Q1 2018, we reported that about 5 percent of total message volume in 2017 was suspicious and a whopping 1 in 5 messages in the month of October were fraudulent. The lower rate in the current report is not necessarily a sign of continuing progress but rather a temporary anomaly. We will learn more in future quarters as this number goes up or down.
In short, however, fake email is a significant problem.
Find out more about the world of fake email in our latest quarterly report, the 12-page Email Fraud Landscape for Q2 2018.