Everyone knows Black Friday is the hottest day of the year for shopping, but not many realize that it’s popular for hackers, too.
In fact, Valimail data shows that, while you’re busy shopping, email scammers will be busy sending out fake emails.
These phishing emails are meant to trick you into clicking on a malicious link, opening malware, or picking up the phone and calling what you think is your credit card company — but which actually turns out to be a very persuasive and tricky fraudster.
Such fake email messages often impersonate trusted brands, right down to the email address shown in the From: field of their messages. That’s easy to do because, in most cases, the brands haven’t protected themselves against impersonation by using email authentication.
The Cyber Saturday Surge?
Data collected by Valimail during the week of Thanksgiving in 2017, using a representative subset of our customers, showed a dramatic rise in the number of fake emails sent that week.
On Tuesday November 21, 2017, the number of messages failing authentication jumped sharply to 4X its normal volume.
On Thanksgiving Day (November 23), it shot up to more than 7X. The rate of messages failing to authenticate fell back to 4X the baseline on Black Friday, and then hit an enormous spike of 12X the normal volume on Saturday, November 25.
After that, the flood stopped and the rate of unauthenticated email returned to its normal levels.
At its peak, the failing messages represented more than half of the messages Valimail processed on behalf of these customers on that day.
(Note: The vast majority of the fake messages Valimail detected during Thanksgiving week 2017 were rejected or quarantined based on the domain owner’s policy. That’s because the domain owners were Valimail customers, with correctly configured email authentication records at enforcement.)
What’s Behind All This Fake Email?
Normally, about 5 percent of the messages that Valimail authenticates on behalf of its customers will fail authentication.
This 5 percent baseline is fairly consistent over time and represents a combination of two types of email:
- Legitimate but not-yet-authorized email-sending services. Messages from these sources fail because the domain owners haven’t authorized them yet.
- Illegitimate email sources. These messages are sent by phishers attempting to impersonate a domain by using it in the From: field of their messages.
Earlier this year, Valimail analyzed the second type and found that, on average, there are 6.4 billion fake emails (illegitimate, unauthorized messages) sent worldwide every day.
Occasionally, however, the proportion of messages failing authentication spikes up. Sometimes that is due to various kinds of non-malicious testing done by domain owners, but that does not appear to be the case here.
It seems likely that the spikes in non-authenticated email over Thanksgiving week 2017 were due primarily to surges in malicious impersonation attempts.
Such attempts come from all over the world. The United States, Great Britain, Canada, and Vietnam are the leading sources of impersonation emails in our most recent studies.
And impersonation is on the rise. For example, according to Mimecast, email impersonation attacks increased 80 percent in the first half of 2018. Proofpoint research found that "over half of companies saw their own domain spoofed to launch an attack against their employees” in Q3 2018. And multiple sources have consistently found that email is the vector for 90 percent or more of all cyberattacks. For instance, 92 percent of all malware is delivered by email, according to a recent Verizon report.
Fraudsters use exact-domain impersonation because they know that most domains are easy to impersonate — since the owners of those domains haven’t used commonly available technical measures to protect themselves.
How Brands Can Stop the Fakes
If you get fooled by one of these fake emails in your inbox, it’s important to know that it’s not your fault. Many phishing emails are virtually indistinguishable from real mail, and when they use the From: address of a trusted brand, it gets almost impossible to tell the difference. That’s because most brands haven’t deployed email authentication.
But some have. These companies have deployed email authentication standards including SPF, DKIM, DMARC, and sometimes ARC and BIMI on the domains they own. (For an introduction to these standards, see “What Email Authentication Is — And Why It Matters.”)
Thanks to the near-universal support for email authentication among receiving mail gateways, unauthorized email using these domains won’t get through. Their messages will fail a domain authorization check done by the receiving mail server (Gmail, Yahoo! Mail, Microsoft O365, etc.), and they won’t be delivered.
With the increasing sophistication and quantity of phishing campaigns, it’s incumbent on companies to protect themselves — and their consumers — by authenticating their domains. To do otherwise is simply to leave their doors open and unlocked.
And, if last year is any guide, this Black Friday will see millions of would-be fraudsters walking right through those unlocked doors.
Top photo: Shoppers in a mall. Photo by N. Karim/Flickr