Emails are an essential method of communication for most organisations, in particular in the current business climate. It is thus no surprise that they have become a key channel exploited by cybercriminals as a means of targeting their victims. F5 Labs (the threat intelligence wing of the application service provider F5) have revealed that phishing incidents have increased by a staggering 220% during the Covid-19 peak period.
A very common type of attack is the “Fake President” or “President Fraud” email. In this type of phishing attack cybercriminals abuse an organisation’s own email domain to impersonate senior executives such as the CEO or CFO. President Fraud emails typically convey a sense of urgency, pressuring employees to divulge sensitive information, click on malicious links or even pay fake invoices.
Here is an actual example (with changed name) of such a president fraud email:
In an email impersonation attack an attacker poses as a known or trusted person so that the email appears to come from them. Impersonation emails are a subset of phishing emails, which also include emails sent from unknown or untrusted senders (such as that wealthy uncle you had never heard of before).
Whilst Fake President emails have been causing the most havoc, there are many other forms of email impersonation, such as pretending to be from a supplier asking for an invoice to be paid, or pretending to be from a client asking you to click on a link or fill out a form.
Emails that impersonate someone from your organisation are a risk to your own organisation - from your staff falling for them - as well as to your clients and business partners.
There are a number of different protections an organisation can put in place to reduce the risks from email impersonation:
If your domain is unprotected, it can be technically straightforward for a cybercriminal to send an email that pretends to come from your organisation. The email protocol itself does not verify the sender that an email claims, so if your domain is qwerty.com, a criminal can put any qwerty.com address in the From field of a message sent from a server they control. From your staff’s point of view, the email would appear to be genuine.
Implementing technical protections to your email domain makes it much harder for criminals to impersonate your organisation’s email address, reducing the risk of phishing happening internally as well as to your clients or other business partners.
This can be done by putting in place three standard mechanisms, namely SPF, DKIM and DMARC, which let receiving mail servers tell genuine email from your domain apart from forgeries, and thereby make your domain much harder to abuse for fraudulent activities.
Sender Policy Framework (or SPF) is an email authentication protocol that allows the owner of a domain to publish which mail servers are authorised to send email on behalf of that domain. The SPF record lists those servers, by IP address range or by reference to another domain’s list. When an email arrives, the receiving server looks up the SPF record of the domain in the envelope sender (the bounce address, which is not necessarily the same as the From address your staff see) and checks whether the connecting server is on the list. If it is not, the record’s closing term decides the outcome: “-all” asks the receiver to reject the email, whereas “~all” only asks it to treat the email as suspicious (typically by marking it as spam).
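To make the SPF check concrete, here is an added example (not code from the original article or from Bewica) that evaluates an SPF record against the IP address that delivered the email, the way a receiving mail server does. The two records, the qwerty.com domain, the address ranges 203.0.113.0/24 and 2001:db8::/32 and the sender IPs are all constructed for illustration; the example deliberately stops at mechanisms that would need a DNS lookup rather than guessing their result.

```python
import ipaddress

# Constructed SPF records for the hypothetical domain qwerty.com (not real DNS data).
# A strong policy ends in -all (hard fail); a weak one ends in ~all (softfail).
SPF_STRONG = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
SPF_WEAK = "v=spf1 ip4:203.0.113.0/24 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate an SPF record against the IP that connected to the receiving server.

    Offline approximation of RFC 7208: only the ip4, ip6 and all mechanisms are
    evaluated. Mechanisms that need DNS (include, a, mx, exists, ptr) and the
    redirect modifier are reported as "unresolved" rather than guessed.
    Returns pass, fail, softfail, neutral, none, permerror or unresolved.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record: the receiver has nothing to check against
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"

    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=
            if term.split("=", 1)[0].lower() == "redirect":
                return "unresolved"
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all decides for every other sender
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name in ("include", "a", "mx", "exists", "ptr"):
            return "unresolved"  # would require a DNS lookup
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # no mechanism matched and there is no "all" term


if __name__ == "__main__":
    for record in (SPF_STRONG, SPF_WEAK):
        for ip in ("203.0.113.10", "198.51.100.7", "2001:db8:1::5"):
            print(f"{record!r:60} {ip:>16} -> {check_spf(record, ip)}")
```

Two points worth noticing when running it: a forged message from 198.51.100.7 gets “fail” under the strong record but only “softfail” under the weak one, which most receivers merely score as spam; and SPF is evaluated for the envelope sender, so on its own it says nothing about the From address shown to the user. It is DMARC, described below, that ties the result to the visible From domain. Real records usually rely on “include:” to pull in a mail provider’s ranges; those count towards SPF’s limit of ten DNS lookups per evaluation, beyond which receivers return a permanent error.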
DomainKeys Identified Mail (DKIM) is a standard designed to detect any alteration of an email’s headers or body in transit. The sending mail server signs the email with a private key held by the domain; the matching public key is published in DNS, so any receiving server can verify the signature and confirm both that the email was sent by a system holding the domain’s key and that it has not been changed since. Some email service providers sign outgoing email with a default key of their own (e.g. Gmail or Microsoft Office 365); signing with your own domain’s key usually has to be enabled, and its public key published in your DNS.
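The part of DKIM that catches a tampered message is the body hash carried in the signature’s “bh=” tag. The following added example (not code from the original article or from Bewica) recomputes that hash as a receiver would, using the “simple” body canonicalisation from RFC 6376, and shows that a relay adding blank lines is harmless while an attacker changing the bank details in an invoice is detected. The invoice text is constructed for illustration; the RSA signature over the headers, which also covers the bh= value and is what actually binds the hash to the domain, is not modelled here.

```python
import base64
import hashlib

# Constructed invoice email body (not from the original page), CRLF line endings as on the wire.
ORIGINAL_BODY = (
    b"Dear accounts,\r\n"
    b"\r\n"
    b"Please pay invoice 4471 to sort code 12-34-56, account 12345678.\r\n"
    b"\r\n"
    b"Regards,\r\n"
    b"Supplier Ltd\r\n"
)
# The same message after an attacker in the delivery path swaps the bank details.
TAMPERED_BODY = ORIGINAL_BODY.replace(b"12345678", b"87654321")


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: strip every empty line at the
    end of the body; an empty body is treated as a single CRLF."""
    lines = body.split(b"\r\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body):
    """Value of the bh= tag for a=rsa-sha256: base64(SHA-256(canonicalized body)).
    The signer computes it; the receiver recomputes it from what actually arrived."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_intact(signed_bh, received_body):
    """The receiver's first DKIM check: does the bh= in the signature match the body?
    (The RSA signature over the headers, which also covers bh=, is not modelled here.)"""
    return body_hash(received_body) == signed_bh


if __name__ == "__main__":
    bh = body_hash(ORIGINAL_BODY)
    print("bh= as signed:          ", bh)
    print("unmodified body:        ", body_intact(bh, ORIGINAL_BODY))
    print("extra trailing newlines:", body_intact(bh, ORIGINAL_BODY + b"\r\n\r\n"))
    print("bank details changed:   ", body_intact(bh, TAMPERED_BODY))
```

A verifier that finds the body hash mismatching stops there and reports a DKIM failure; if it matches, it goes on to fetch the public key from the TXT record at selector._domainkey.<domain> and check the signature over the selected headers. Because the hash is computed after canonicalisation, harmless changes made by mail relays (trailing blank lines here; with “relaxed” canonicalisation also whitespace folding) do not break the signature, but a single changed digit in the body does.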
Domain-based Message Authentication, Reporting & Conformance, otherwise known as DMARC, provides an extra layer of security by telling receiving mail servers what to do with an email that fails the SPF and DKIM checks. With a DMARC policy in place, an incoming email is checked against both SPF and DKIM, and it passes DMARC only if at least one of the two checks passes for a domain that matches the domain in the From address (this matching is called alignment; it is what ties the checks to the address your staff actually see). An email that passes is delivered normally. Depending on the DMARC policy, emails that fail are delivered anyway (“p=none”, monitoring only), quarantined, i.e. marked as spam (“p=quarantine”), or rejected outright (“p=reject”).
DMARC also provides a monitoring mechanism: the domain owner can specify in the DMARC record an address to which receiving mail servers send aggregate reports listing the sources of email that used the domain and whether they passed or failed the checks. By implementing DMARC you can therefore see who is sending email in your domain’s name, fraudulent or legitimate, and then tighten the policy to stop the fraudulent messages from being delivered.
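The following added example (not code from the original article or from Bewica) works through the DMARC decision for four constructed deliveries of an email whose From address is in qwerty.com, once under a monitoring-only record and once under a strict reject record. The two records, the reporting address dmarc-reports@qwerty.com, the domains attacker.example, bounce.example and mail.qwerty.com, and the SPF/DKIM results are all assumptions made up for the illustration; the organisational-domain helper is a simplification that real receivers replace with the Public Suffix List.

```python
# Constructed DMARC records for the hypothetical domain qwerty.com (not real DNS data).
# Both would be published as a TXT record at _dmarc.qwerty.com.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@qwerty.com"
DMARC_ENFORCE = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@qwerty.com"

# Constructed authentication results for four deliveries of an email whose visible
# From: header says someone@qwerty.com. Fields: the SPF result and the envelope
# (MAIL FROM) domain it was checked for, the DKIM result and the d= domain that signed.
SCENARIOS = {
    "genuine, sent by qwerty.com's own mail service":
        dict(spf="pass", spf_domain="qwerty.com", dkim="pass", dkim_domain="qwerty.com"),
    "spoof from a server with no SPF/DKIM for qwerty.com":
        dict(spf="fail", spf_domain="qwerty.com", dkim="none", dkim_domain=None),
    "spoof from attacker.example, whose own SPF and DKIM pass":
        dict(spf="pass", spf_domain="attacker.example", dkim="pass", dkim_domain="attacker.example"),
    "genuine, signed by the subdomain mail.qwerty.com":
        dict(spf="fail", spf_domain="bounce.example", dkim="pass", dkim_domain="mail.qwerty.com"),
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organisational domain, approximated as the last two labels. Assumption:
    adequate for names like qwerty.com; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict (s) needs an exact match with the
    From: domain, relaxed (r) accepts any subdomain of the same organisation."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_decision(record, from_domain, spf, spf_domain, dkim, dkim_domain):
    """Return (dmarc_passed, action). A pass needs SPF or DKIM to both pass and
    align with the From: domain; otherwise the p= policy decides what happens.
    The pct= and sp= tags are not modelled (assumed 100 and the same as p=)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return (False, "none")  # no policy published: receiver falls back to its own heuristics
    spf_ok = spf == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return (True, "deliver")
    policy = tags.get("p", "none")
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"
    return (False, policy)


if __name__ == "__main__":
    for label, record in (("p=none", DMARC_MONITOR), ("p=reject, strict alignment", DMARC_ENFORCE)):
        print(label)
        for name, result in SCENARIOS.items():
            passed, action = dmarc_decision(record, "qwerty.com", **result)
            print(f"  {name}: pass={passed} action={action}")
```

The third scenario is the one that SPF and DKIM alone cannot catch: the attacker’s server passes both checks for their own domain, and only DMARC’s alignment requirement notices that neither matches the qwerty.com in the From address. The fourth scenario shows the cost of strict alignment: a genuine message signed by a subdomain is delivered under the default relaxed setting but rejected under “adkim=s”, which is exactly the kind of legitimate sender the aggregate reports sent to the rua= address are meant to reveal before the policy is tightened.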
The good news is that you need not buy anything nor subscribe to any tool. You only have to configure this!
It would seem obvious for organisations to put these protections in place - but that is not the case as evidenced in this analysis on a random sample of 324 UK small businesses and schools conducted in March 2021:
Although most sample organisations have SPF configured, far fewer have DMARC implemented. Email security can be significantly improved by enforcing DMARC alongside SPF.
Moreover, configuring SPF and DMARC so that receiving servers actually reject suspicious emails (i.e. a strong policy: “-all” in SPF and “p=reject” in DMARC) further reduces the risk and should be the end goal. Move to it in stages: start DMARC at “p=none”, use the reports to find every legitimate service that sends email in your name (newsletters, invoicing, helpdesk tools) and add them to SPF or set up DKIM for them, then go to “p=quarantine” and finally “p=reject”. Going straight to a reject policy without this check can block your own genuine email.
SPF and DMARC can be implemented with little effort, and most email providers already support DKIM signing. Together these policies go a long way towards protecting your email infrastructure and ultimately your organisation.
All three mechanisms are set up by publishing certain DNS (Domain Name System) records. DNS records are a set of instructions, published and publicly visible, for every domain (such as qwerty.com); they tell other servers how to interact with your domain. The SPF, DKIM and DMARC records tell receiving mail servers how to verify, and what to do with, emails sent using your domain.
Usually, the IT administrator publishes the required SPF, DKIM and DMARC records through whoever manages the domain’s DNS, typically the domain registrar or a DNS provider (for example, Cloudflare or GoDaddy).
Even though these protections are not fool-proof they can make your domain less susceptible to impersonation attacks or email fraud.
At Bewica, we are committed to helping your organisation implement core security. Our email security tool checks the status of your DMARC and SPF configuration and helps you implement missing protections. For more information on the features available on the Bewica platform, visit www.bewica.com/features or contact us on [email protected]
Don’t wait for an attack to happen. Sign up for a free trial of Bewica today to start protecting your organisation from cybercriminals.