CNBC: Major organizations vulnerable to email spoofing
Without DMARC enforcement, anyone can send a spoofed email that looks convincingly like it came from you — right down to the “From” field in the header.
Even if you’re the President of the United States.
This fact is demonstrated vividly in this short news story on CNBC, featuring Valimail’s VP of research (and communications) Dylan Tweney.
In the video, Tweney demonstrates how easy it is to send a fake email that looks like it was sent by the President, simply by putting a whitehouse.gov address into the From header of the message. And the email goes right to the inbox of CNBC reporter Andrea Day.
You can’t do this from the Gmail web interface, but it’s surprisingly easy to send a fake email from anyone to anyone using a variety of free or open-source tools available online, or by writing some simple code you can run on your webhost. The From header is just text that the sending software writes into the message; nothing in SMTP itself checks that it matches the server the mail actually came from.
As Tweney notes, “This really comes from the real Whitehouse.gov domain.”
Domain spoofing happens
While spam filters may prevent such domain-spoofing messages from getting to your inbox, there’s no guarantee. And if they do land in your inbox, they may well be virtually indistinguishable from legitimate messages sent by the owner of that domain.
The usual advice about being careful what you click on and examining email messages carefully for inconsistencies applies, of course. But with this kind of phish, you really have to count on your company and other companies to implement technology measures that prevent impersonation from happening in the first place. And that means DMARC — with enforcement (a published policy of p=quarantine or p=reject, not p=none), and without errors.
“If they’re not using it fully correctly, spoofing can still happen,” Tweney notes.
Valimail has found that 2-5% of all email volume is sent from impersonated senders (aka domain spoofing).
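To make the mechanism concrete, here is an added example (not code from the CNBC segment or from Valimail) of what a DMARC-checking receiver does with the message Tweney sent: a message whose From header claims whitehouse.gov but which was relayed by some other server. The attacker’s server name attacker.example, the reporter address, the recipient-side DMARC records and the SPF/DKIM results are all constructed for the illustration; the only thing taken from the page is the whitehouse.gov From address. The organizational-domain shortcut (last two labels) is a simplification of the Public Suffix List lookup real receivers use.

```python
from email.message import EmailMessage
from email.utils import parseaddr


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; pct=100' into a
    tag dictionary. Returns None when the record is not usable (wrong or
    missing 'v' tag, or no 'p' policy): the receiver then treats the domain
    as publishing no DMARC policy at all, which is the 'errors' case."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels
    (assumption for this example; real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: the domain that SPF or DKIM authenticated
    must equal the From domain (strict, 's') or share its organizational
    domain (relaxed, 'r'). This is the check that defeats the forged From."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(msg, envelope_from, spf_result, dkim_domain, dkim_result, dmarc_txt):
    """Decide what a DMARC-checking receiver does with msg.

    envelope_from: SMTP MAIL FROM address (the identity SPF actually checks)
    spf_result:    'pass' / 'fail' / 'none' for that envelope domain
    dkim_domain:   d= tag of a verified DKIM signature, or None
    dkim_result:   'pass' / 'fail' / 'none' for that signature
    dmarc_txt:     TXT record found at _dmarc.<From domain>
    Returns (disposition, reason); disposition is 'pass', 'none',
    'quarantine' or 'reject'."""
    _, from_addr = parseaddr(str(msg["From"]))
    from_domain = from_addr.rpartition("@")[2]
    record = parse_dmarc_record(dmarc_txt)
    if record is None:
        return "none", f"{from_domain} publishes no usable DMARC record; delivered"

    envelope_domain = envelope_from.rpartition("@")[2]
    spf_aligned = spf_result == "pass" and aligned(envelope_domain, from_domain, record["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", f"aligned {'SPF' if spf_aligned else 'DKIM'} pass for {from_domain}"

    policy = record["p"].lower()
    if policy == "none":
        return "none", "DMARC fails but p=none: delivered, only reported to the rua= address"
    note = "" if record["pct"] == "100" else f" (pct={record['pct']}: only that share of mail gets it)"
    return policy, f"DMARC fails, p={policy} applied{note}"


def forged_message():
    """Constructed message: the From header claims whitehouse.gov, as in the demo."""
    msg = EmailMessage()
    msg["From"] = "The President <president@whitehouse.gov>"
    msg["To"] = "reporter@example.net"   # constructed recipient
    msg["Subject"] = "Please call me"
    msg.set_content("Relayed by a server that has nothing to do with whitehouse.gov.")
    return msg


if __name__ == "__main__":
    msg = forged_message()
    # The attacker's own server legitimately passes SPF and DKIM for
    # attacker.example (constructed); neither identity aligns with the From domain.
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@example.net", "v=DMARC1; p=reject"):
        print(record, "->", dmarc_disposition(
            msg, "bounce@attacker.example", "pass", "attacker.example", "pass", record))
```

The two records in the usage block are the two ends of the story: with p=none the forged message is delivered and merely shows up in an aggregate report, with p=reject the same message is refused. A record that exists but is malformed (try a value such as "v=spf1 -all" at the _dmarc name) falls through to the no-policy branch, which is why “without errors” matters as much as “with enforcement”.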
The problem with DMARC enforcement
Why aren’t more organizations protecting themselves with DMARC? Before moving to enforcement, a company first needs to ensure that every legitimate service it uses to send email (its own mail servers and every third-party platform sending on its behalf) is correctly authorized, meaning each one passes SPF or DKIM for a domain aligned with the company’s From domain. That’s where most organizations get hung up. Because they can’t identify all the services with 100% confidence, they’re afraid of moving to a policy that might block those legitimate senders.
To get around that problem, you need a solution that provides complete, accurate, granular visibility — like Valimail DMARC Monitor (which is free to try).
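The raw material for that visibility is the aggregate (rua) report that receivers already send to any domain publishing a DMARC record, even at p=none. The following added example (written for this page, not Valimail’s or any product’s code) parses one such report in the RFC 7489 XML format and sorts each sending source into the buckets an enforcement review cares about. The report itself is constructed: the domain example.com, the receiver name, the IP addresses (from documentation ranges) and the third-party bounce domain are all assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report for a hypothetical domain still at p=none.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1001</report_id>
    <date_range><begin>1546300800</begin><end>1546387200</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>540</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>corp</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.newsletter-saas.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>3100</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (published policy as a dict, list of per-source rows)."""
    root = ET.fromstring(xml_text)
    published = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated holds the *aligned* results DMARC actually decides on
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            # auth_results holds the raw results plus the domain each one authenticated;
            # a DKIM element is absent when the message carried no signature
            "raw_spf": (rec.findtext("auth_results/spf/result"), rec.findtext("auth_results/spf/domain")),
            "raw_dkim": (rec.findtext("auth_results/dkim/result"), rec.findtext("auth_results/dkim/domain")),
        })
    return published, rows


def classify(row):
    """Bucket a source the way a pre-enforcement review does."""
    if row["dkim_aligned"] or row["spf_aligned"]:
        return "aligned"          # already authorized; unaffected by enforcement
    if row["raw_spf"][0] == "pass" or row["raw_dkim"][0] == "pass":
        # Authenticates, but for some other domain: the classic signature of a
        # legitimate third-party service that nobody set up to align yet.
        return "unaligned"
    return "unauthenticated"      # no valid authentication at all: spoofing, or a forgotten sender


def enforcement_readiness(xml_text):
    """Summarize what moving the published domain to p=reject would do."""
    published, rows = parse_aggregate_report(xml_text)
    buckets = defaultdict(dict)
    for row in rows:
        buckets[classify(row)][row["source_ip"]] = row["count"]
    unaligned = sum(buckets["unaligned"].values())
    unauthenticated = sum(buckets["unauthenticated"].values())
    return {
        "domain": published["domain"],
        "policy": published["p"],
        "aligned": dict(buckets["aligned"]),
        "unaligned": dict(buckets["unaligned"]),
        "unauthenticated": dict(buckets["unauthenticated"]),
        "would_block": unaligned + unauthenticated,   # messages p=reject would stop
        "legitimate_at_risk": unaligned,              # the share you must fix first
    }


if __name__ == "__main__":
    for key, value in enforcement_readiness(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

In the sample, the 198.51.100.7 source is the one that stalls most enforcement projects: it passes SPF, but only for the SaaS provider’s own bounce domain, so under p=reject those 120 newsletters would be dropped alongside the 3,100 unauthenticated messages. Fixing it means getting that provider to sign with a DKIM key for example.com or to use an aligned return path; only once the unaligned bucket is empty across every report is it safe to raise the policy.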
CNBC notes that most US government domains are now using DMARC at enforcement on their domains, thanks to a directive (Binding Operational Directive 18-01) issued by the Department of Homeland Security in 2017.
But, as CNBC reporter Andrea Day observes at the end of this video, “It appears whitehouse.gov is still not in compliance with that directive.”