Email’s identity crisis
Email is having an identity crisis. Although the first email was sent almost 50 years ago, the standards for Internet email never evolved to include robust sender identity validation.
As a result, for most email messages, it’s difficult or impossible to tell who (or what) really sent it to you.
And while existing enterprise security solutions do a good job of catching email that contains malware or links to known bad domains, they are far less effective at validating sender identities.
This is a weakness that attackers have been exploiting — ruthlessly. Barracuda recently reported that 83% of all phishing attacks are brand impersonations, and another 6% are impersonations of people. That means that nearly 90% of phish is based on impersonation of one kind or another.
The rise of BEC
This weakness also accounts for the rise of business email compromise (BEC), a type of attack that’s uniquely predicated on fake identity, and which the FBI estimates accounts for $26 billion in losses over the past three years. With BEC attacks, the core deception is about the identity of the sender. Such attacks might involve a compromised account and/or malware at some point, but the core of the attack is based on impersonating a trusted brand (your bank, or a vendor you regularly work with) or a trusted individual (your CEO or CFO) in order to get you to transfer money into the attacker’s hands.
There are ways to fight these impersonations with more robust sender identity solutions. For example, with DMARC (Domain-based Message Authentication, Reporting, and Conformance) and the authentication standards it builds on (SPF and DKIM), domain owners can publish TXT records in the Domain Name System (DNS) specifying how mail receivers should handle unauthenticated email that appears to come from their domains.
The latest DMARC data
DMARC usage is exploding, but there is still a long way to go.
Valimail’s Summer 2019 Email Fraud Landscape report shows that there’s been a 5X increase in the number of DMARC records worldwide over the past three years.
However, DMARC is usually not deployed with an enforcement policy (one that directs mail receivers to keep unauthenticated email out of recipients’ inboxes). Less than 17% of the 850,000 domains with DMARC records are currently at enforcement. The rest have DMARC, but without an enforcement policy, which means that fake email messages that appear to come from those domains are still getting through.
Even with large enterprises, the percentage of DMARC records that are configured to enforce (block) fake email is only slightly higher. Overall, only one in five large enterprises that have DMARC records have configured them to an enforcement policy.
The low success rates reflect the difficulty that large enterprises have in getting DMARC configured correctly. It is easy to reach enforcement with a domain that you never use to send email: publish an SPF record that authorizes no senders (`v=spf1 -all`) and a simple DMARC record with a “reject” policy (`v=DMARC1; p=reject`). For domains that actually send email, however, it takes a lot of tedious work to identify every sending service and authorize each one in SPF and DKIM so that its mail passes DMARC. The fear of blocking good (legitimate) email keeps a lot of domains from switching to enforcement, and so they remain vulnerable to bad (fake) email messages.
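The two ideas above, a DMARC policy published as a DNS TXT record and the distinction between a monitoring-only record and an enforcement record, can be checked mechanically. The following is an added example, not Valimail's code or anything from the report: it classifies a domain's DMARC deployment as none, invalid, monitoring, partial or enforcement, and verifies the lockdown recipe for a domain that never sends mail. The DNS answers are constructed and the `.example` domains are fictitious; the classification follows RFC 7489 defaults (a missing `pct` means 100, a missing `sp` inherits `p`, and more than one DMARC record at `_dmarc` makes receivers ignore DMARC for the domain).

```python
"""Classify DMARC deployments and check a parked domain's lockdown.

Added example with constructed DNS data; the .example domains and their
records are fictitious and stand in for live TXT lookups.
"""

# Constructed TXT records keyed by the name that would be queried.
SAMPLE_DNS = {
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "_dmarc.enforce.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforce.example"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example"],
    "_dmarc.parked.example":  ["v=DMARC1; p=reject; sp=reject"],
    "parked.example":         ["v=spf1 -all"],
    # Two DMARC records at one name: receivers treat this as no DMARC at all.
    "_dmarc.twice.example":   ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    # SPF but no DMARC record.
    "leaky.example":          ["v=spf1 include:_spf.mailer.example ~all"],
}


def lookup_txt(name, dns=SAMPLE_DNS):
    """Stand-in for a DNS TXT query: the list of TXT strings at name."""
    return dns.get(name, [])


def dmarc_records(domain, dns=SAMPLE_DNS):
    """Only the TXT strings at _dmarc.<domain> that claim to be DMARC."""
    return [r for r in lookup_txt(f"_dmarc.{domain}", dns) if r.startswith("v=DMARC1")]


def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict of lower-cased tag names.

    Returns None when the string is not a usable DMARC record: RFC 7489
    requires v=DMARC1 to be the first tag and a p tag to be present.
    """
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0] != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if "p" in tags else None


def dmarc_status(domain, dns=SAMPLE_DNS):
    """One of 'none', 'invalid', 'monitoring', 'partial', 'enforcement'."""
    records = dmarc_records(domain, dns)
    if not records:
        return "none"
    if len(records) > 1:
        return "invalid"
    tags = parse_dmarc(records[0])
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if pct == 0:  # p=reject;pct=0 blocks nothing, so it is monitoring in effect
        return "monitoring"
    return "enforcement" if pct == 100 else "partial"


def spf_rejects_all_senders(domain, dns=SAMPLE_DNS):
    """True only if exactly one SPF record exists and it is 'v=spf1 -all'."""
    records = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return False
    terms = records[0].split()[1:]  # drop the version token
    return terms == ["-all"]


def parked_domain_ok(domain, dns=SAMPLE_DNS):
    """Lockdown for a domain that never sends mail: SPF authorizes nobody and
    DMARC rejects at 100% for the domain and its subdomains (sp inherits p)."""
    if not spf_rejects_all_senders(domain, dns):
        return False
    if dmarc_status(domain, dns) != "enforcement":
        return False
    tags = parse_dmarc(dmarc_records(domain, dns)[0])
    return tags["p"].lower() == "reject" and tags.get("sp", tags["p"]).lower() == "reject"


if __name__ == "__main__":
    for d in ("monitor", "enforce", "partial", "parked", "twice", "leaky"):
        name = f"{d}.example"
        print(f"{name:18} dmarc={dmarc_status(name):12} parked_ok={parked_domain_ok(name)}")
```

Running the script lists each constructed domain with its classification; only `parked.example` passes the parked-domain check, because `enforce.example` publishes no SPF record and the others are not at reject with `pct=100`. Against live DNS, replace `lookup_txt` with a real TXT resolver and feed it the domains from your own inventory.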
Valimail’s ongoing research shows how the fight against fake email is progressing worldwide, in a variety of industry categories. Nevertheless, it’s clear that robust sender identity solutions are needed to end this identity crisis for email.
For the full story, download our free Email Fraud Report for Summer 2019.