Why credit companies and the IRS won’t send you email
Love it or hate it, email is the most ubiquitous channel for communication ever invented (apart from the telephone), reaching half of the humans on the planet today.
Yet many companies and government agencies will tell you that they never use email, or at least that they will never send you a message out of the blue.
Why? Because they don’t want you to get fooled by fake emails.
- The IRS warns taxpayers that it “doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.”
- Credit card companies send paper notifications, not emails, to let customers know that their data has been compromised in a hack.
- In the week after it disclosed that hackers had taken the personal information of 143 million consumers from its databases, Equifax set up a custom website to publish information about the hack. It also said it would be sending paper mail to each of these customers. But it didn’t send emails.
Why are companies like Equifax and organizations like the IRS still using an 18th-century technology in the era of ubiquitous Internet access, when everyone and everything seems to have an app, and when half the planet has access to email?
The answer is simple: You can’t trust emails from these organizations. Even though the technology to authenticate emails has been around for years and is supported by 76 percent of the world’s email inboxes, only about 0.5 percent of the world’s one million most-popular domains have deployed it.
Neither equifax.com nor its crisis-response website domain (equifaxsecurity2017.com) are protected by email authentication, which means that it’s trivially easy for hackers to impersonate the company by pretending to be its CEO, CFO, privacy officer, customer service desk, or any other role. All they have to do is craft a plausibly realistic email and put “firstname.lastname@example.org” in the From field.
(Actually, Equifax did start sending emails to consumers, but not until several weeks after the incident hit the news. When it did so, it sent messages from one of its subsidiary domains, trustedid.com, and as security journalist Brian Krebs pointed out, those messages looked a lot like phish.)
IRS.gov is not protected by email authentication either — while it does have a DMARC record set, its policy is not set to enforcement. That means emails that fail authentication (because they weren’t actually sent by the IRS) will continue to be delivered, just like legit messages.
That’s unfortunate, because every year around this time, the IRS warns people to watch out for W-2 scams, in which some outsider pretending to be an executive at a company emails the CFO or someone in accounting, requesting that they send over W-2s for all company employees. Do that and you could be delivering W-2s — including social security numbers, addresses, and salary information — right into the hands of hackers.
In the wake of large cyberattacks many attackers take advantage of this kind of weakness. For instance, after the big Target attack in 2013, when the CEO was emailing affected customers, hackers were launching their own phishing attacks. As NPR reported, “there were look-alike emails going out to some consumers posing as a warning from Target. Some of those emails asked consumers to protect themselves by clicking on a link.” Needless to say, that link was a malicious one that could lead to further consumer damage.
In the week after the Equifax breach hit the news, scammers got busy and registered at least 194 Equifax-like domains designed to entrap consumers who typed in the wrong address, or who weren’t paying attention when they clicked on a link. Scammers won’t use these domains as return addresses in their emails, because they can just use Equifax.com for the From addresses. But these domains could host malicious websites which those emails would link to.
So it’s smart for Equifax to tell people that it won’t be sending them an email. Its emails are simply too easy to fake, and the fake emails would lead to further damage for consumers.
But it doesn’t have to be this way.
Right after the Equifax news broke, another financial services company, one of Valimail’s customers, also reached out its clients. (It was not affected by the Equifax hack.) But this company didn’t send snail mail: It sent customers an email.
That’s because its domain is protected by email authentication at enforcement. As a result, its customers — and indeed anyone on the Internet — can be sure that any messages that appear to come from the company’s domain were actually authorized by the company.
Unfortunately, snail mail is neither efficient, cost-effective, nor timely. Because of its lack of authentication, many companies and government organizations are forced to downplay one of the most widespread and effective communications media in the world.
Want to know how to enforce email authentication on your domain? Contact us.
Top photo: Pile of mail by Judith E. Bell/Flickr