It’s hard to overstate the impact of COVID-19 on the email landscape. Marketers have leveraged the email channel to communicate with subscribers more than ever before. Volume has skyrocketed and, as covered in our June State of Email webinar, there’s no sign of slowing down. It should come as no surprise that nefarious characters have been emboldened by the crisis and are getting in on the action. Scammers and spammers have capitalized on the uncertainty of the pandemic and influx of email to launch domain spoofing attacks, which increased by 220% compared to the yearly average during the height of the pandemic. Though spoofing isn’t a new strategy (in fact, it’s been around since the 70s), it has exploded into a global security threat in recent years.
What is spoofing?
The definition of spoofing is the forgery of legitimate email. Although it sounds simple, it is actually a very complicated issue that can stump even the most experienced email marketer. A quick Google search reveals various types of spoofing attacks and how they’re orchestrated. These attacks come in many forms, including IP and domain spoofing, phone number spoofing, GPS spoofing, and more.
Domain spoofing tends to be the most prominent. In domain spoofing attacks, scammers leverage an existing brand’s reputation to trick unwitting subscribers into providing sensitive data. They gain access to subscribers’ personal data by deceiving them into engaging with messages, opening compromised attachments, and clicking on links. Ultimately, each type of spoofing attack has the goal of impersonating a legitimate source to gain access to sensitive information, commit fraud, and/or spread malware.
What kind of impact does spoofing have?
It’s reported that 90% of cyberattacks start with an email, which means it’s our job as email marketers to protect our subscribers like family. Of course, spoofing attacks don’t exclusively harm consumers; there are long-term implications that can be devastating to the brand, as well. The loss of brand reputation, subscriber trust, deliverability issues, and revenue is only the surface of damages caused by spoofing attacks.
Loss of brand reputation and subscriber trust. Subscriber trust is essential for any successful business. As a result, it’s common for spoofed messages to bear logos, branding, and other visual cues that mimic a legitimate brand. This makes the subscriber more comfortable, increasing the likelihood they will provide personal information. More than ever, as an exchange for providing sensitive information, subscribers expect brands to take every step to ensure safe and secure online interactions. Failure to do so may have dire consequences – according to the InfoSec Institute, a technology training company specializing in digital privacy and security, customers are 42% less likely to engage with that organization in the future.
Deliverability. We would be remiss if we didn’t mention the potential impact of spoofing and phishing on email deliverability and inbox placement. As mentioned above, customers are less likely to open legitimate messages following email fraud, and mailbox providers (MBPs) may not deliver messages to the inbox. Validity’s data suggests that on average, inbox placement rates dropped 10% at Gmail and 7% at Yahoo following a spoofing attack. The same study found that read rates dropped by 18% at Gmail and 11% at Yahoo post-attack. Thus begins the cycle of lower subscriber engagement and a poor reputation with the MBPs.
Loss of revenue. Spoofing and phishing attacks can also come with significant financial consequences. According to the 2019 Thales Access Management Index, domain and website spoofing was responsible for $1.3 billion in losses in a single year, making it critical for marketers to understand the risks of spoofing and the ways it can be prevented. This figure increases when considering the internal-business costs, such as resources to investigate and manage the crisis, system and security updates, and additional training.
How can you avoid spoofing?
Email authentication is critical in identifying and addressing spoofed messages. Authentication refers to techniques that provide verifiable evidence that an email originates from a legitimate source – it is email’s way of proving the message comes from who it claims to come from by validating domain ownership. The following authentication protocols are the top three ways to avoid spoofing attacks:
- Sender Policy Framework (SPF): SPF records list which IP addresses are authorized to send email on behalf of domains. SPF helps mailbox providers and filtering systems recognize the difference between forged and legitimate email. SPF checks are run based on the path the email took to get from its origin to its destination.
Unfortunately, SPF authentication has a few pitfalls in terms of validating the message source. For example, SPF breaks when a message is forwarded. It does nothing to protect brands against cybercriminals who spoof the display name or Friendly-From address in their message (the most visible address for recipients). This is where DKIM comes in.
- DomainKeys Identified Mail (DKIM): DKIM is an authentication protocol that adds a digital signature to every sent email message. The signature is a header added to the message and secured with encryption. MBPs and receiving servers use DKIM to determine whether the message was changed or altered during transit. When a message has been signed using DKIM, MBPs that successfully validate the signature can use information about the signer as part of a protection from spoofing and phishing.
However, DKIM doesn’t tell MBPs how to treat a message if the signature can’t be validated. MBPs weigh DKIM verification failures based on their internal spam filter algorithms, along with other sending reputation factors, to determine if email should be placed in the inbox or the spam folder. To help tell MBPs what to do if DKIM and/or SPF fail, senders can implement DMARC.
- Domain-based Message Authentication, Reporting & Conformance (DMARC): DMARC addresses exact-domain spoofing and phishing attacks by preventing unauthorized use of a domain in the “From” address of email messages. DMARC is quite different from the other authentication methods. It is a framework that sits atop SPF and DKIM authentication, rather than working in silo alongside it. DMARC allows the sender to specify how unauthenticated or suspicious messages should be treated by MBPs. It helps mail administrators prevent hackers and other attackers from spoofing their organization and domain.
The true beauty of DMARC protection lies in the three available policies which allow senders to instruct the MBPs on how treat unauthenticated mail. The three options are:
- Policy is ‘none’ (p=none): MBPs will take no action and deliver the mail as normal
- Policy is ‘quarantine’ (p=quarantine): MBPs will send the message to spam/junk
- Policy is ‘reject’ (p=reject): MBPs will drop the message and it will not be delivered to recipients
Often, senders aren’t aware of a spoofing or phishing attack until it’s too late. Implementing SPF and DKIM is step one; implementing DMARC is step two; receiving, monitoring, and interpreting the reports DMARC provides is step three. These reports are crucial, as they provide insight into the authentication results sent from your domain, help identify potential domain spoofing, and keep track of authorized third parties sending emails on your behalf.
Although digesting this report sounds cumbersome, Everest’s Infrastructure tool simplifies the process into one pretty dashboard. We will validate your DMARC, SPF, and DKIM records and interpret your DMARC reports to show the volume sent based on your inbound reports. Once there is sufficient data within Everest, you will receive a DMARC Compliance rating, which is calculated by the volume sent from your sending domains that authenticates with SPF and/or DKIM and aligns domains with the visible “From” address.
Billions of consumer mailboxes are protected by DMARC because top MBPs such as Gmail, Microsoft, and Yahoo respect it. Given the risks of email spoofing and phishing, and the fact that nearly 90% of email attacks are based on fake sender identities, adopting DMARC is more important than ever. While DMARC setup can be complicated, there are lots of resources available to help you get started. At Validity, we aim to drive DMARC adoption and boost email security by making the process easier to understand, and the data more actionable.
How secure is your email program? What is your DMARC Compliance rating? With more than 3 billion domain spoofing emails sent per day, it’s your responsibility as an email marketer to make sure you are protecting your brand and your subscribers. You can click here to learn more about how Everest can help secure your email program, or contact us to schedule a free demo.