
Email Fake Senders: How Bad Are Fake Sender Identity Issues?

Learn how attackers use fake email senders to impersonate your brand to maliciously target your business, employees, partners, and customers.

For years, secure email gateways have played a cat-and-mouse game with phishers, countering email attacks by constantly scanning for malware, viruses, bad links, and poor sender IP reputations. That has worked reasonably well—until now.

Unfortunately, many email attacks are now malwareless, and the attack vector has shifted to faking sender identities. Most phishing attacks are brand impersonations, and some impersonate specific people; taken together, roughly 9 out of 10 phishing attacks now rely on a fake sender identity.

The Problem: Fake Sender Identity

Cybercriminals spoof domains that are not protected by DMARC enforcement to send phishing emails to employees, customers, and partners. These messages look like they came directly from the impersonated domain and often pass right through secure email gateways, because they carry none of the malware, bad links, or poor-reputation sending IPs that a gateway is built to detect.

For example, the World Health Organization issued warnings that scammers were impersonating the organization’s officials with emails that appeared to come directly from the WHO’s own domain. This story from Vox explains how coronavirus scammers send fake emails from real domains, and why it’s so easy for them to get away with this.

It’s so easy to impersonate a sender from an unprotected domain that literally anyone can send a fake email: SMTP itself never checks that the From: header matches whoever is actually sending, so the header can be set to any value. Free tools on the internet let anyone fake the identity of any domain without DMARC enforcement, and launching spoofing attacks at scale takes only a few lines of PHP.

Why Emails from Fake Senders Get Through

Messages with fake sender identities often raise no red flags and pass right through most secure email gateways, particularly if they lack malware or identifiable links. Business email compromise (BEC) messages often use this approach, avoiding malware that might trigger an SEG to block the message while taking advantage of the implicit trust that people tend to place in email messages that appear to come from their employer or someone they do business with.

When these messages use exact-domain spoofs, no amount of user training can help: the From: address is identical to the legitimate one, so there is nothing for the recipient to notice.

Exact-domain attacks are messages that use your domain name in the From: field but do not originate from your organization or from one of the cloud services you have authorized. Because companies today tend to use many cloud services, and most of those need to send email on the company’s behalf, some messages coming “from” your domain are legitimate: they were sent by your HR tool, marketing automation service, or CRM.

Other messages are unknown in origin. And some may even come from a malicious sender trying to impersonate you.

The Consequences of Fake Sender Identity

The risks are obvious when attackers use your organization’s emailing domain to phish your employees. Employees may be duped into thinking that the messages come from their boss, the CEO, or even someone in IT, and then click on links, enter passwords onto malicious sites, or install Trojan horse software.

But it’s also a problem when those messages are sent to recipients outside your organization:

  • Customers and partners who learn they have been phished with your name on the message stop trusting your brand
  • Your domain’s sending reputation suffers, so messages carrying it get flagged as spam
  • Legitimate emails then won’t get delivered

Most organizations don’t see the problem until someone lets them know about a phishing email they received. When these spoofed emails are being sent to partners or customers, that notification may never happen, and if the company is not monitoring how its domain is being used, it will never know.

How to Spot the Fake Sender Identity Problem

Some organizations are more proactive and start monitoring their domain using DMARC’s reporting capabilities. This gives them visibility into how their domains are being used for email, whether the recipients are inside or outside the company.

In monitoring mode, the DMARC policy is p=none, which asks receivers to take no action on messages that fail authentication, so all mail continues to arrive at its destination uninhibited. Participating mail receivers then send aggregate reports, typically once a day, to the rua= address listed in your DMARC record. Each report lists which sending IPs used your domain, how many messages each sent, and whether those messages passed SPF or DKIM with an identifier aligned to your From: domain. Only receivers that implement DMARC reporting send them, but the major mailbox providers do.

DMARC aggregate reports are a rich store of data, but they can be difficult to parse. Valimail Monitor aggregates these reports and displays them in an intuitive, graphical format that makes it easy to see trends over time. Monitor also helps because, unlike other DMARC tools, it doesn’t present inscrutable lists of IP addresses — it translates those into readable, named senders, so you can see exactly which cloud services are sending on your behalf. Try it for free.
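To make concrete what an aggregate report contains and why the raw XML is awkward to read, here is an added example (not Valimail’s code and not from the original page) that parses a constructed report in the RFC 7489 Appendix C XML format and tallies, per sending IP, how many messages passed DMARC. The IPs, domains, selector and counts are made up. The second source is the instructive one: its SPF passes for its own bounce domain, but that domain is not aligned with the From: domain, so the receiver records a DMARC failure and, under p=none, delivers the mail anyway.

```python
"""Parse a DMARC aggregate (rua) report and tally results per sending source.

Added example, not code from the page or from Valimail. SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C XML format using RFC 5737
documentation addresses; real reports arrive as gzip/zip attachments by mail.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one authorized sender, one unknown bulk sender whose SPF
# passes for its own bounce domain but is not aligned with example.com (so
# DMARC fails), and one source with aligned SPF and no DKIM signature.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><email>dmarc@receiver.example</email>
    <report_id>1700000000.example.com</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>850</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (published_policy, rows) from one aggregate report.

    Reports come from third parties over email, so in production parse them
    with defusedxml (or disable entity expansion); this example trusts its
    own constructed input.
    """
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    policy = {"domain": pub.findtext("domain"), "p": pub.findtext("p"),
              "sp": pub.findtext("sp"), "pct": int(pub.findtext("pct") or "100")}
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": pe.findtext("dkim"),  # *aligned* DKIM result as the receiver saw it
            "spf": pe.findtext("spf"),    # *aligned* SPF result as the receiver saw it
            "disposition": pe.findtext("disposition"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),    # None if absent
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),  # None if absent
        })
    return policy, rows


def summarize(rows):
    """Per source IP: message volume, DMARC passes and the SPF domains seen.

    DMARC passes when aligned DKIM *or* aligned SPF passes, which is why the
    policy_evaluated block, not the raw auth_results, decides the tally.
    """
    totals = defaultdict(lambda: {"messages": 0, "dmarc_pass": 0, "spf_domains": set()})
    for r in rows:
        t = totals[r["source_ip"]]
        t["messages"] += r["count"]
        if r["dkim"] == "pass" or r["spf"] == "pass":
            t["dmarc_pass"] += r["count"]
        if r["spf_domain"]:
            t["spf_domains"].add(r["spf_domain"])
    return dict(totals)


def suspicious_sources(summary):
    """Sources where every message failed DMARC: unknown services or spoofers.
    Under p=none these still reach inboxes, which is what monitoring reveals."""
    return sorted(ip for ip, t in summary.items() if t["dmarc_pass"] == 0)


if __name__ == "__main__":
    policy, rows = parse_report(SAMPLE_REPORT)
    summary = summarize(rows)
    total = sum(t["messages"] for t in summary.values())
    passed = sum(t["dmarc_pass"] for t in summary.values())
    print(f"{policy['domain']} (p={policy['p']}): {passed}/{total} messages passed DMARC")
    for ip, t in sorted(summary.items()):
        print(f"  {ip:<15} {t['messages']:>5} msgs {t['dmarc_pass']:>5} pass  SPF: {sorted(t['spf_domains'])}")
    print("suspicious sources:", suspicious_sources(summary))
```

Run as a script it prints a per-IP table and names 198.51.100.7 as the only fully failing source. Turning that IP into a readable sender name (the bulk-sender’s bounce domain in the SPF result is the first clue) is the step a monitoring product performs on top of this raw tally.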


How Valimail Simplifies DMARC Visibility

Valimail lets you see at a glance the total number of messages sent “from” your domain, how many passed authentication with DMARC, how many failed, and how many came from suspicious senders.

The number of emails appearing in the “Suspicious emails” column is surprisingly large for most unsecured domains. For example, an insurance company using Valimail discovered that half of the messages sent “from” its domain were coming from suspicious sources.


Valimail Enforce shows the total number of suspicious emails sent “from” a customer’s domain.

Stop Fake Email Messages from Your Domain

Another Valimail customer, a financial institution, started by monitoring its domain to identify all the services sending email from the domain and validated the ones it wanted to keep.

Once the institution had validated all the sending services it wanted to keep, it moved its DMARC policy from monitoring (p=none) to a quarantine enforcement policy (p=quarantine). This quarantine policy tells receiving mail providers to put any message that fails DMARC into the recipient’s spam or junk mail folder.

Within two months, the institution had identified all the services it wanted to approve, updated its DMARC records and DNS using Valimail’s automated solution, and was ready to move its enforcement policy to p=reject, which instructs receiving mail providers to refuse messages that fail DMARC outright rather than delivering them anywhere.
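The following added example (not Valimail’s code and not from the original page) shows the mechanism behind both the exact-domain spoof described earlier and the p=none, p=quarantine, p=reject progression just described: how a receiver parses the DMARC record, checks that the SPF or DKIM identifier aligns with the From: domain, and decides the disposition of a failing message. The records, domains, selectors and three constructed messages are all assumptions; the organizational-domain helper is simplified and ignores the Public Suffix List, and pct sampling is left out.

```python
"""DMARC evaluation for one message: record parsing, identifier alignment and
the disposition each policy requests.

Added example, not code from the page or from Valimail. The DMARC records,
domains, selectors and messages below are constructed; a receiver gets the
record from a DNS TXT lookup of _dmarc.<From: domain>.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed _dmarc.example.com TXT records, one per rollout stage.
DMARC_RECORDS = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com",
    "quarantine": "v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.com",
    # Strict alignment (adkim=s/aspf=s) is optional; included to show its cost.
    "reject": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-rua@example.com",
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; ...' into a dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: " + txt)
    return tags


def org_domain(domain):
    """Organizational domain. Real implementations consult the Public Suffix
    List; this example assumes single-label suffixes (example.com, not .co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Message:
    """What a receiver knows after SPF and DKIM: the RFC5322.From domain, the
    MAIL FROM domain SPF checked, and the d= of a verified DKIM signature."""
    header_from: str
    spf_domain: Optional[str]
    spf_pass: bool
    dkim_domain: Optional[str]
    dkim_pass: bool


def evaluate(record_txt, m):
    """Return (dmarc_pass, disposition).

    DMARC passes if SPF or DKIM passes *and* that identifier aligns with the
    From: domain. A failing message gets the disposition the policy asks for;
    'none' means deliver and only report. (pct<100 sampling is ignored here.)
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = m.spf_pass and aligned(m.spf_domain, m.header_from, rec["aspf"])
    dkim_ok = m.dkim_pass and aligned(m.dkim_domain, m.header_from, rec["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, rec["p"]


# Constructed messages, all claiming From: someone@example.com.
LEGIT = Message("example.com", "example.com", True, "example.com", True)
# A cloud service sends with its own bounce domain but signs DKIM with a
# delegated subdomain: fine under relaxed alignment, not under strict.
CLOUD_SERVICE = Message("example.com", "bounce.cloudcrm.example", True,
                        "mail.example.com", True)
# Exact-domain spoof: the attacker's own SPF passes (for attacker.example),
# but nothing aligns with example.com and there is no DKIM signature.
SPOOF = Message("example.com", "attacker.example", True, None, False)


def rollout_table():
    """What each rollout stage does to each of the three messages."""
    samples = [("legit", LEGIT), ("cloud", CLOUD_SERVICE), ("spoof", SPOOF)]
    return {stage: {name: evaluate(rec, msg) for name, msg in samples}
            for stage, rec in DMARC_RECORDS.items()}


if __name__ == "__main__":
    for stage, results in rollout_table().items():
        print(stage)
        for name, (ok, disp) in results.items():
            print(f"  {name:6} dmarc={'pass' if ok else 'fail'}  disposition={disp}")
```

Two things the table makes visible. The spoof fails at every stage, but only p=quarantine and p=reject change what the receiver does with it; under p=none it is delivered and merely counted in the reports. And the “reject” record, because it also switches to strict alignment, starts rejecting the cloud service’s legitimate mail that relaxed alignment accepted, which is exactly the kind of good-mail loss the monitoring phase exists to catch before enforcement.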


Once a domain is at p=quarantine or p=reject, attempts to spoof it typically taper off, as attackers notice that their spoofed messages no longer reach inboxes and move on.

Reaching DMARC enforcement requires careful work to ensure no good email gets blocked. The process can be painful without excellent visibility and automation.

Start your journey towards identifying and blocking fake senders using your domain: Set up Valimail DMARC Monitor. It’s free, takes five minutes, and has zero impact on your email flow.