Cybercriminals are exploiting uncertainty and fear around the COVID-19 pandemic, with phishing emails targeting individuals and institutions — utilizing spoofed identities to evade detection. This is an even bigger concern at a time when most people are working from home (WFH) — far away from direct IT support and with an even higher reliance on email.
Recently, for instance, the FBI warned people to be on the lookout for fake CDC emails and other coronavirus-related phishing attacks. Valimail has found evidence of threat actors sending email from domains that look like the CDC, such as cdc.agency. (The actual domain, cdc.gov, can’t be spoofed because it’s protected by DMARC at enforcement.) Attackers are also sending coronavirus-themed phishing emails that exploit an open redirect on the Department of Health and Human Services’ website to spread malware. And the World Health Organization is warning people about scams where phishers have impersonated WHO officials.
Complicating the problem is the fact that companies suddenly have many employees working remotely, thereby increasing both the volume of email and the risk that someone who is stressed, tired, or distracted will click on a phishing email by mistake.
The response to these risks does not have to be complicated, but organizations need to take deliberate steps to ensure that they are protected.
Maintain good security hygiene, as usual, by mandating multifactor authentication (MFA) for email accounts as well as all corporate applications. This greatly reduces the risk of account takeover in the event that an employee does get successfully phished and clicks on a malicious link.
If your domains aren’t already protected by DMARC enforcement, now is a good time to prioritize that project. Keep in mind that simply publishing a DMARC record will give you visibility, if it’s correctly configured, but it won’t actually stop phishers from spoofing your identity until you configure an enforcement policy. You need to configure SPF and DKIM properly, and then configure DMARC with an enforcement policy to stop these damaging impersonations.
To help you get started, Valimail offers free DMARC visibility with Valimail DMARC Monitor, which can simplify the process for many organizations.
Build a layered defense
Look into solutions that protect against email attacks based on validating the identity of the sender, not just the contents of the message or its context (when it was sent, to whom, etc.). Content-centric email security solutions can often miss the most devious phish, which contain no malware or malicious links but pretend that the sender has an existing relationship with the recipient and therefore can be trusted. It’s also important not to rely solely on traditional email protection that uses historical data (signature-based detection, social graphs, behavior, etc.) to detect and stop phish. In fact, over 80% of all phish use sender identity fraud as their attack vector, and over two-thirds of daily phish have never been seen before. Those phish can only be effectively caught by solutions that validate sender identity.
Audit email-sending platforms and servers
The average enterprise uses dozens of cloud-based services for nearly every business and IT function under the sun. Many of those services are able to send email on behalf of the company, whether that’s a payroll system sending notifications to the staff or a marketing platform sending emails to prospective customers.
Companies we work with are constantly surprised to discover that there are two or three times as many services sending email on their behalf as they expected. If you find services that aren’t being actively used or which don’t actually need to send email, shut them off to prevent them from being used as a phishing conduit.
The same goes for email servers. Despite the shift to the cloud, Valimail has found that most companies we work with still have a few orphaned mail servers still actively sending out messages, sometimes in unexpected places, like that fax machine in your Hong Kong office. If mail servers aren’t being actively used for a legitimate business purpose, turn them off.
You can’t protect or control if you don’t audit your email ecosystem.
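A concrete starting point for that audit is the domain’s SPF record, because every `include:` in it is a third party you have authorized to send as you. The following is an added example (not Valimail’s code) that inventories the senders an SPF record names and counts its DNS-lookup terms against the 10-lookup limit of RFC 7208, the point at which receivers return permerror and SPF stops working for everyone. The record and the vendor hostnames are constructed samples for the hypothetical domain example.com; no DNS queries are made, so `include:` targets are listed but not expanded.

```python
"""Inventory the senders an SPF record authorizes and count its DNS lookups.

Added example, not Valimail's code. SAMPLE_SPF is a constructed record for
the hypothetical domain example.com; the include targets are made up.
"""
import re
from typing import Dict, List

# Constructed sample: the kind of record that accumulates as SaaS vendors are added
SAMPLE_SPF = (
    "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 a mx "
    "include:_spf.example-payroll.test include:spf.example-crm.test "
    "include:mail.example-helpdesk.test include:_spf.example-survey.test "
    "include:spf.example-newsletter.test include:spf.example-legacy.test "
    "include:_spf.example-fax.test include:spf.example-events.test ptr ~all"
)

# Terms that each cost one DNS lookup (RFC 7208 section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
MECHANISM = re.compile(r"([a-z0-9]+)(?::([^/]+))?(/[0-9/]+)?", re.I)
MODIFIER = re.compile(r"([a-z]+)=(.+)", re.I)


def audit_spf(record: str) -> Dict[str, object]:
    """Return the authorized senders, the lookup count and actionable findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes: List[str] = []   # third-party services allowed to send as the domain
    networks: List[str] = []   # explicitly authorized address ranges
    findings: List[str] = []
    lookups = 0
    all_qualifier = None

    for term in terms[1:]:
        mod = MODIFIER.fullmatch(term)
        if mod:                                   # modifier, e.g. redirect= or exp=
            name, value = mod.group(1).lower(), mod.group(2)
            if name in LOOKUP_TERMS:
                lookups += 1
            if name == "redirect":
                includes.append(value)
            continue
        qualifier = "+"                           # mechanisms default to pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = MECHANISM.fullmatch(term)
        if not m:
            findings.append(f"unparseable term: {term!r}")
            continue
        name, value, cidr = m.group(1).lower(), m.group(2), m.group(3) or ""
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(value)
        elif name in ("ip4", "ip6"):
            networks.append(value + cidr)
        elif name == "ptr":
            findings.append("ptr is deprecated (RFC 7208 s5.5); replace with explicit addresses")
        elif name == "all":
            all_qualifier = qualifier

    over_limit = lookups > MAX_LOOKUPS
    if over_limit:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}: "
                        "receivers return permerror, so no sender passes SPF")
    if all_qualifier is None or all_qualifier == "?":
        findings.append("no explicit fail for unlisted hosts; add -all or ~all")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every host on the internet; the record protects nothing")

    return {"includes": includes, "ip_networks": networks, "lookups": lookups,
            "over_limit": over_limit, "all_qualifier": all_qualifier, "findings": findings}


if __name__ == "__main__":
    result = audit_spf(SAMPLE_SPF)
    print(f"{len(result['includes'])} third-party services, {result['lookups']} lookups")
    for f in result["findings"]:
        print(" -", f)
```

Run against your own record, each entry in `includes` is a service to confirm is still in use; anything unrecognized is a candidate to remove, which also helps bring the lookup count back under the limit.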
The role of training
Anti-phishing training is important, partly to teach people not to click on obvious phish, but also to educate employees about what to do when they receive an email that looks suspicious to them. Employees should never wonder what to do or how to respond when they see a suspicious message. Make it easy for them to report phish.
A related point: Provide a feedback channel for those reports. This can be as simple as an email address monitored by your IT team, or as complex as a cloud-based system that integrates into your email so employees can mark suspicious messages with the click of a button. Regardless of the method you use, you will want to collect these messages as an important confirmation of whether your existing defenses are working, what’s getting through them, and how you might need to adjust your defensive strategy or email policies.
Follow these five strategies, and your email infrastructure will be far safer from phishing attacks. You’ll be protecting not only your employees, but also your customers and partners, from one of the most commonly used vectors for cyberattacks. And you will be ensuring the safety and reliability of one of the most ubiquitous, robust, and effective means of communication available to businesses today: Email.
Find out more about how Valimail’s zero-trust email security platform can help protect your employees from phishing, BEC, and email identity scams.