Anti-phishing warnings from the government miss the point – again
Nope. Still not hitting the target.
A criminal is sending out fake emails purporting to be from the Social Security Administration. They look and sound official, right down to the “ssa.gov” in the “From” field, but they’re not — they’re phishing emails aimed at convincing people to click on the scammers’ URLs.
Fake Social Security email, via the FTC.
The problem is bad enough that the Federal Trade Commission sent an alert about it yesterday. Unfortunately, the FTC’s warning continues a common fallacy around email phishing prevention — and misses a major opportunity to improve the situation.
As with so many phishing alerts, the FTC’s only recourse seems to be warning civilians to avoid clicking on suspicious emails.
This misses the point entirely:
1) A McAfee study showed 80% of people cannot correctly identify a fake email. So warnings are moot — most humans are probably not going to identify the emails correctly anyway.
2) None of these alerts emphasize the clear technical solution to domain spoofing, the technique behind these phishing emails — email authentication. Email authentication doesn’t just warn people about these attacks — it stops the spoofed messages from being delivered in the first place.
What the FTC and the SSA don’t seem to recognize is that there’s an accepted, open, global standard for email authentication (DMARC) that is highly effective, not just for the domain owner, but for their clients, partners, and consumers.
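To make the mechanism concrete, here is an added example (not code from the original post or from Valimail) of how a receiving mail server applies a published DMARC policy to the domain in the “From” header, which is exactly the field the scammers are forging. It assumes the SPF and DKIM verdicts have already been computed, uses a constructed DMARC record rather than any agency's real record, and simplifies the organizational-domain lookup to the last two labels.

```python
from typing import Optional

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real receivers consult the Public Suffix List; this suffices for .gov/.com."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str,
                      spf_domain: Optional[str] = None, spf_pass: bool = False,
                      dkim_domain: Optional[str] = None, dkim_pass: bool = False) -> str:
    """'pass' if SPF or DKIM passed AND aligns with the header From domain;
    otherwise the action the domain owner requested (p=, or sp= for subdomains)."""
    tags = parse_dmarc(record)
    if spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r")):
        return "pass"
    if dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r")):
        return "pass"
    is_subdomain = org_domain(from_domain) != from_domain.lower()
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")

# Constructed record (not a real agency's): owner asks receivers to reject unauthenticated mail.
POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency.example"

if __name__ == "__main__":
    # Forged message: header From says ssa.gov, but SPF only passes for the sender's own domain.
    print(dmarc_disposition(POLICY, "ssa.gov", spf_domain="bulk-mailer.example", spf_pass=True))
    # Genuine message: DKIM-signed with d=ssa.gov, so it aligns and is delivered.
    print(dmarc_disposition(POLICY, "ssa.gov", dkim_domain="ssa.gov", dkim_pass=True))
```

The first call returns "reject" and the second "pass": a forged “From” cannot align with any domain the sender actually controls, so a p=reject policy lets receivers drop it before a user ever has to judge whether the email looks official.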
Getting email authentication right is not simple, but it is entirely possible. And it is cost effective for small and large organizations — especially when working with Valimail’s automated system.