Jun 8, 2016

What Uber can teach banks — and other enterprises — about email security


Old bank vault door. Photo credit: John W. Iwanski/Flickr

Phishing scams are costing American businesses big bucks. A recent FBI report (.pdf) notes that the FBI received more than 7,800 complaints about email scams in 2015, with total reported losses close to $250 million for the year.

Monetary losses are only part of the problem. Phishing can lead to data breaches, too, with over 900 reported data breaches caused via phishing, according to a recent Verizon report.

And banks are a particularly big target. According to a recent article by Penny Crosman in American Banker, 91 percent of all malware attacks aimed at banks are delivered through phishing.

While it’s not a bank, Uber has a lot to teach banks — and other big organizations — about how to manage that threat.

Uber, as the world’s largest ride-sharing startup, is naturally a big target for the hackers and scammers who run phishing operations. And the company’s head of technology, Chris Cravens, told American Banker that the company saw as many as a million attacks in a single day — until recently.

The Uber story is a great example of the power that properly configured and enforced DMARC has to shut down phishing attacks. Since setting up DMARC and configuring it to quarantine and reject non-authenticating messages, Cravens said that the number of phishing attacks Uber is seeing has dropped “precipitously.”

Uber used Valimail to identify and fix non-authenticating services, configure DMARC, and get around the built-in limitations of DMARC and its associated standards, such as the cap on the number of DNS lookups allowed during a single SPF check. That’s important for a company like Uber, which utilizes a long list of third-party services, all of which need to be authenticated to send email on Uber’s behalf.

Valimail has seen its clients, when correctly configured, block up to 99% of exact-domain phishing attacks (the most common attack vector). Unfortunately, DMARC is rarely configured correctly and set to enforcement mode. A recent survey of the Fortune 1000 shows that even companies with near-infinite tech resources — and which have DMARC vendors advising them — only get to enforcement 23% of the time.
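The two things the post keeps coming back to, whether a domain's DMARC policy is actually at enforcement (quarantine or reject, applied to 100% of mail) and how many DNS lookups an SPF record spends against the per-check limit, can both be read straight off the DNS TXT records. The script below is an added example written for this article, not Valimail's tooling or Uber's configuration; the DMARC and SPF records it checks are constructed samples under made-up `.example` domains, and the SPF counter only inspects the single record it is given, since following `include:` and `redirect=` would require live DNS.

```python
# Constructed sample DMARC records keyed by made-up domain names.
SAMPLE_DMARC = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor.example",
    "strict.example":  "v=DMARC1; p=reject; rua=mailto:dmarc-reports@strict.example; pct=100",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "broken.example":  "v=DMARC1; rua=mailto:dmarc-reports@broken.example",  # no p= tag
}

# Constructed sample SPF record listing several third-party senders.
SAMPLE_SPF = ("v=spf1 ip4:192.0.2.0/24 include:_spf.vendor-a.example "
              "include:spf.vendor-b.example a mx -all")


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(record):
    """Classify a DMARC record as 'invalid', 'monitoring',
    'partial-enforcement' (p=quarantine/reject but pct < 100) or 'enforcement'.
    v=DMARC1 and a p= tag are both required for a valid policy record."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    return "partial-enforcement" if pct < 100 else "enforcement"


# SPF terms that each cost a DNS lookup during evaluation; RFC 7208 allows
# at most 10 of these per check, counting those reached through include/redirect.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10


def spf_lookup_terms(record):
    """Return the lookup-costing terms found in one SPF record, or None if the
    record is not SPF. Only this record is inspected (no DNS is queried), so the
    true total can be higher once included records are followed."""
    if not record.lower().startswith("v=spf1"):
        return None
    found = []
    for term in record.split()[1:]:
        name = term.lstrip("+-~?")            # drop qualifier
        name = name.split(":", 1)[0]          # drop mechanism argument
        name = name.split("=", 1)[0]          # drop modifier argument
        name = name.split("/", 1)[0].lower()  # drop CIDR suffix (e.g. a/24)
        if name in SPF_LOOKUP_TERMS:
            found.append(term)
    return found


def spf_within_limit(record):
    """True when the record's own lookup-costing terms fit under the limit."""
    terms = spf_lookup_terms(record)
    return terms is not None and len(terms) <= SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    for domain, rec in SAMPLE_DMARC.items():
        print(f"{domain:18s} DMARC: {dmarc_status(rec)}")
    terms = spf_lookup_terms(SAMPLE_SPF)
    print(f"SPF lookup-costing terms: {len(terms)} of {SPF_LOOKUP_LIMIT}: {terms}")
```

Only `strict.example` would count as "at enforcement" in the sense the survey uses: `partial.example` quarantines just a quarter of failing mail, and `monitor.example` collects reports without blocking anything. The sample SPF record spends 4 of its 10 lookups before any of the vendor `include:` records are expanded, which is how a long third-party sender list quietly exhausts the budget.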

Is email authentication correctly configured for your domain? Check it out with the free domain-checking tool at valimaildev.wpengine.com.
