Email is far from dead. According to estimates, more than 196 billion emails are sent each day and it remains one of the most ubiquitous and cost effective communication mechanisms that exist. However, as email volumes continue to grow, so do the associated risks.
The fundamental flaw
It is an unfortunate truth that email was created with a fundamental flaw. With no authentication built-in, anyone can send an email using someone else's identity. Cyber-criminals use many tricks, but one of their favourites is to utilise the design defects in the basic architecture of the Internet to send email from what looks like a legitimate domain. This is usually a “.com” return address that seems identical to those used by reputable businesses. Unfortunately, “spoofing” these domains is relatively easy to do.
With email now being an integral channel for brands to communicate with customers, perpetrators of cyber-crime are increasingly taking advantage of a brand's trusted reputation to commit fraud and target customers with spoof emails that appear to be legitimate. The danger for brands is that after a customer has experienced a phishing threat, they are less likely to interact with the brand again, which has a direct impact on both financial performance and customer trust. While businesses have often focused on defending their internal corporate network from phishing attacks, it's now become clear that they need to start looking at ways to protect their most important asset – their customers.
The good news is that open standards have been developed to prevent email from being used as an avenue of attack. DMARC (Domain-based Message Authentication, Reporting and Conformance) has rapidly emerged as the most prominent standard for checking the authenticity of email and enables organisations to introduce a monitoring policy that provides a clear picture of the email ecosystem.
DMARC was created to address some fundamental problems with existing email authentication technologies (SPF and DKIM). It provides feedback about an organisation's email authentication implementation and gives Internet Service Providers (Google, Yahoo!, Microsoft, AOL, etc) and recipients guidance about what to do with email that is not authenticated. Only then is it possible for organisations to get their house in order by ensuring any third party vendors are authenticated senders. It will also allow them to start identifying criminals that are spoofing domains to send spam, malware or phishing emails with malicious intent and to introduce policies that automatically reject unauthentic emails before they even reach the inbox.
In a digital age, businesses have an obligation to play a proactive role in breaking the vicious cycle of attacks that plague brands and consumers across the Internet. Brand-conscious companies who are determined to secure their most frequently used communication channel are already rapidly implementing DMARC.
The end result is a repeatable and scalable way for savvy brands to combat email vulnerability and remove the risk of an infected email ever reaching the intended recipient – their customers. Those businesses that take this responsibility seriously and secure their email channel will soon benefit from greater consumer trust, fewer fraud losses, less operational overheads and a significantly reduced chance of hitting the headlines for all the wrong reasons.
Contributed by Patrick Peterson, CEO of Agari