Anatomy of a Phishing Scam
Phishing attacks are on the rise, and they’re getting more effective, according to a recent report from Verizon.
Verizon found that 30 percent of people who received phishing emails actually opened them, up 7 points from last year, and that 13 percent of those who open a phishing email will click to open an attachment.
It’s no wonder that phishing has been the cause of data leaks and breaches all over the place, affecting banks, retailers, universities, and even the U.S. Internal Revenue Service.
Phishing is a hacker’s term for tricking someone via a false identity, usually through email, with the aim of getting them to install malware or to give up personal information, such as account numbers, social security numbers, or passwords.
It’s an email-centric attack vector thanks to the ease with which scammers can impersonate others through messages with fake return addresses. Phishing can include spear phishing, which is aimed at a carefully selected target, as well as broader-based attacks aimed at large numbers of people in the hopes that some percentage of them will fall for the scam.
This form of fraud actually has two victims: the person whom the hacker is targeting, and the person or company whose reputation is being abused through the impersonation.
In other words, if you get a fake email that appears to be from your bank, and it tricks you into giving your account credentials to some scam operation in Russia, you are a victim of fraud — but your bank is also a victim, because the hackers have hurt its reputation and made it less likely that you’ll ever trust an email from the bank again. That’s not just hypothetical: A 2007 survey by Cloudmark showed that 42 percent of people felt that their trust in a brand would be “greatly reduced” by a phishing email pretending to be sent by that brand.
Unlike other forms of hacking, most phishing attacks require no access to the servers, personal computers, or mobile devices of either party.
There are a few ways an email phishing scam can happen. We’ll list them from least likely to most likely:
1. Account compromise. A hacker somehow manages to get the password of someone at the target institution (say, the bank) and uses it to send out email from the bank’s servers. This is quite rare, due to the difficulty of getting email passwords. Also, even if the hackers were to get an email account, they would still only be able to send a handful of messages; most personal mail accounts aren’t set up to deliver millions of messages at a time, which is how phishing scams work.
2. Configuration problem. Say the bank has a partner, such as a mailing list service provider, which is authorized to send bulk emails on the bank’s behalf. If there’s a configuration problem in the partner’s servers, it might make it possible for hackers to use those servers to send out their own bulk mails. Still, once the problem is discovered, this kind of attack can be shut down, which is why it, too, is fairly rare.
3. Phishing mail servers. In the most common scenario, the scammers don’t bother hacking into anyone’s servers. They impersonate the sender (a company or person), and simply start sending out messages with bogus From: addresses. In the case of phishing, it’s a numbers game: The more messages you send out, the greater the likelihood of snaring someone. Spear phishing is more targeted and mail volumes are lower. Either way, if the email messages look legitimate enough, a few people might click on them and hand over critical information — and that’s all the scammers need.
Compared to approaches 1 and 2, it’s surprisingly easy to set up an email scam using your own servers. In many cases, because domain owners haven’t set up email authentication, the receiving mail servers have no way to determine whether a message really comes from the owner of the From: address, so the scammers can put whatever they like in the From: field.
Even when there is checking, through authentication standards like SPF and DKIM, the fields those standards check are not the From: header the recipient sees: SPF validates the envelope sender (MAIL FROM) and DKIM validates the signing domain. So it may still be possible to pass SPF or DKIM with a legitimate address in those fields while showing something completely different in the From: field.
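To make the gap concrete, here is an added example (not code from the original post or from Valimail) that evaluates two constructed messages. The spoofed one has an envelope sender and DKIM signing domain at attacker.example, which a receiver would happily validate, while its From: header claims bank.example; an SPF/DKIM-only check waves it through. The second half goes beyond this paragraph and applies the DMARC identifier-alignment rule that the rest of the post describes, using a constructed policy record for bank.example. All domain names, the record, and the simplified organizational-domain helper are assumptions of the example.

```python
"""Why SPF/DKIM results alone miss a spoofed From: header, and how DMARC
identifier alignment (RFC 7489) closes the gap. Added example; the messages,
domains and DMARC record are constructed, not captures from any real sender."""
import email
from email.utils import parseaddr

# Constructed spoof: the scammer owns attacker.example, so the envelope sender
# (Return-Path / MAIL FROM) and any DKIM d= domain are theirs and would validate
# at the receiver, while the visible From: header claims bank.example.
SPOOFED = b"""\
Return-Path: <bounce@attacker.example>
From: "Bank Security" <alerts@bank.example>
To: customer@receiver.example
Subject: Verify your account

Please verify your account using the link below.
"""

# Constructed legitimate message from the bank's own mail server; the envelope
# sender is a subdomain of the From: domain.
LEGITIMATE = b"""\
Return-Path: <bounces@mail.bank.example>
From: "Bank Alerts" <alerts@bank.example>
To: customer@receiver.example
Subject: Your monthly statement

Your statement is ready.
"""

# Constructed DMARC policy, as a receiver would read it from the TXT record
# at _dmarc.bank.example.
BANK_DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@bank.example"


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Last two labels only. A real implementation must use the Public Suffix
    List (co.uk has three labels); this shortcut is an assumption of the example."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') accepts the same organizational domain; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def _domain_of_header(raw, name):
    _, addr = parseaddr(email.message_from_bytes(raw)[name] or "")
    return addr.rpartition("@")[2].lower()


def header_from_domain(raw):
    """Domain of the From: header the recipient sees (RFC5322.From)."""
    return _domain_of_header(raw, "From")


def envelope_from_domain(raw):
    """Domain SPF actually checks: the envelope sender, preserved in Return-Path."""
    return _domain_of_header(raw, "Return-Path")


def spf_dkim_only(spf_pass_domain, dkim_pass_domain):
    """Pre-DMARC verdict: 'authenticated' if either mechanism passed for any domain at all."""
    return bool(spf_pass_domain or dkim_pass_domain)


def dmarc_evaluate(raw, spf_pass_domain, dkim_pass_domain, record_txt):
    """DMARC verdict given the identifiers SPF and DKIM already validated:
    spf_pass_domain is the MAIL FROM domain that passed SPF (None if it did not),
    dkim_pass_domain is the d= of a verified DKIM signature (None if none)."""
    rec = parse_dmarc_record(record_txt)
    from_dom = header_from_domain(raw)
    spf_ok = aligned(from_dom, spf_pass_domain, rec["aspf"])
    dkim_ok = aligned(from_dom, dkim_pass_domain, rec["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "from_domain": from_dom,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": passed,
        # p= only applies to failing mail; "none" means deliver normally.
        "disposition": "none" if passed else rec["p"],
    }


if __name__ == "__main__":
    spf_dom = envelope_from_domain(SPOOFED)
    print("SPF/DKIM-only verdict on spoof:", spf_dkim_only(spf_dom, "attacker.example"))
    print("DMARC verdict on spoof:", dmarc_evaluate(SPOOFED, spf_dom, "attacker.example", BANK_DMARC_RECORD))
    print("DMARC verdict on legitimate:",
          dmarc_evaluate(LEGITIMATE, envelope_from_domain(LEGITIMATE), None, BANK_DMARC_RECORD))
```

The SPF and DKIM outcomes are passed in as the domains they validated, which is how a receiver's DMARC stage consumes them: the point is that validation and alignment are separate questions, and only the second one looks at the header the recipient reads.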
And worse, the corporate victim of the fraud — the bank, in our example — may have no idea that the scam is happening until it’s way too late. Because the emails don’t go through the bank’s servers, and may not be sent to any of the bank’s employees, the bank will only hear about it if a customer or partner complains.
Or, worse, the bank may hear about it when its domain name suddenly winds up on an email blacklist, because it’s been associated with spammers. Suddenly all email with the bank’s domain name, legitimate and illegitimate, is getting flagged as fraudulent. Then the bank’s IT people will need to take steps to dissociate themselves from the scam servers and get the bank’s legitimate servers whitelisted again.
Fortunately, there is an email authentication standard, DMARC, that solves these problems. It does so in several ways:
- DMARC requires that the domain in the From: field recipients can see actually match (be aligned with) the domain validated by SPF or DKIM. This removes the scammers’ option of setting up a domain of their own that passes SPF or DKIM and then hiding behind a bogus From: address that doesn’t match.
- DMARC is widely accepted by most major email service providers, such as Gmail, Yahoo! Mail, AOL, and Microsoft Outlook. If a company is using DMARC to authenticate mail sent from its domain, these service providers will check inbound emails to make sure they authenticate properly. Messages that don’t are handled according to the policy the domain owner published: trashed, put into a spam folder, or displayed to the user with a warning.
- DMARC provides a feedback loop so senders can parse the data to uncover how well their email authentication is performing — and take corrective actions. If a daily report shows a huge spike in messages failing authentication, they can track down the culprit. Or, maybe it turns out that some messages are failing to authenticate — but they are being sent by a legitimate partner of the company that should be able to send mail on its behalf. DMARC reports can provide the raw data needed to discover these issues.
DMARC stops phishing attacks that spoof a protected domain cold, but implementing DMARC can be tricky, due to the complexity of the standard and some built-in limitations. Also, DMARC reports are huge and complex, and can be difficult to interpret.
Valimail automates and manages the process of setting up and maintaining DMARC authentication for your domain, through its patent-pending email authentication as a service. And it provides a human-readable dashboard with clear and actionable data.
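As an added example of what reading those reports involves (this is not code from the original post or from Valimail), here is a parser for a DMARC aggregate report that summarizes message volume per sending IP and separates the two situations the feedback-loop bullet above describes: a legitimate partner whose mail authenticates for its own domain but is not aligned with the bank’s From: domain, and a high-volume source with no authentication at all. The report itself is constructed to follow the RFC 7489 Appendix C schema; the IPs, domains and counts are assumptions of the example.

```python
"""Summarize a DMARC aggregate (rua) report and triage its failing sources.
Added example; SAMPLE_REPORT is constructed to follow the RFC 7489 Appendix C
schema and is not a real report from any receiver."""
import xml.etree.ElementTree as ET
# Aggregate reports are third-party input: in production parse them with
# defusedxml.ElementTree (same fromstring call) to block entity-expansion attacks.

SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
 <report_metadata>
  <org_name>receiver.example</org_name>
  <report_id>constructed-report-0001</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
 </report_metadata>
 <policy_published>
  <domain>bank.example</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct>
 </policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>1200</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>bank.example</header_from></identifiers>
  <auth_results><dkim><domain>bank.example</domain><result>pass</result></dkim>
   <spf><domain>mail.bank.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>350</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>bank.example</header_from></identifiers>
  <auth_results><spf><domain>newsletter-esp.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.55</source_ip><count>48000</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>bank.example</header_from></identifiers>
  <auth_results><spf><domain>attacker.example</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>
"""


def _text(elem, path, default=""):
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def summarize_report(xml_bytes):
    """Flatten one report into per-source rows plus pass/fail message totals."""
    root = ET.fromstring(xml_bytes)
    summary = {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "sources": [], "passed": 0, "failed": 0,
    }
    for rec in root.findall("record"):
        count = int(_text(rec, "row/count", "0"))
        # policy_evaluated holds the *aligned* results that decide DMARC.
        dmarc_pass = "pass" in (_text(rec, "row/policy_evaluated/dkim"),
                                _text(rec, "row/policy_evaluated/spf"))
        # auth_results holds the raw SPF/DKIM outcomes with the domain each checked.
        raw_passes = [f"{mech}:{_text(r, 'domain')}"
                      for mech in ("spf", "dkim")
                      for r in rec.findall(f"auth_results/{mech}")
                      if _text(r, "result") == "pass"]
        summary["sources"].append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": count,
            "header_from": _text(rec, "identifiers/header_from"),
            "dmarc_pass": dmarc_pass,
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "unaligned_passes": [] if dmarc_pass else raw_passes,
        })
        summary["passed" if dmarc_pass else "failed"] += count
    summary["sources"].sort(key=lambda s: s["count"], reverse=True)
    return summary


def triage(summary):
    """Split failing sources. A raw SPF/DKIM pass for a domain not aligned with
    header From is the signature of a legitimate third-party sender left out of
    the DMARC setup; no raw pass at all, especially at volume, is what spoofing looks like."""
    review, spoofing = [], []
    for src in summary["sources"]:
        if not src["dmarc_pass"]:
            (review if src["unaligned_passes"] else spoofing).append(src)
    return {"possible_unauthorized_legitimate": review, "likely_spoofing": spoofing}


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['reporter']} report for {s['domain']} (p={s['policy']}): "
          f"{s['passed']} passed, {s['failed']} failed")
    for label, rows in triage(s).items():
        for r in rows:
            print(f"  {label}: {r['source_ip']} count={r['count']} raw passes={r['unaligned_passes']}")
```

Real reports arrive as zipped or gzipped XML attachments to the address in the record’s rua= tag, one per reporting provider per day, so the function takes the decompressed XML; the triage split is a first pass for a human, not a verdict, since a partner could also fail both checks outright.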
Want to see if your domain authenticates properly? Use our free email authentication test tool.
And contact us at firstname.lastname@example.org if you’d like to learn more.