Let’s go phishing: How we could enter a new era of email trust

By Alexander García-Tobar, enterpreneur and global executive.

It’s hard to think of a more relaxing day than spending time out on the water and fishing with family or friends. Whether you land a fish or not, what matters to most is the experience. 

Cybercriminals who phish, however, mean all business with strict cost/benefit constraints. They prioritize easy, cost-effective attacks with a high potential for ensnaring victims. Whether it’s phishing (low cost, wide net) or spear phishing (higher cost, high-value target), the economics must make sense. Email phishing opens up a whole new can of cybersecurity worms.

We take most emails at face value. We might check the “from” address or treat a couple of emails suspiciously, but we generally assume that most email is good. We know phishing is possible, but we also average 121 daily emails for work alone! So we accept the potential for harm and carry on, hoping machines and security measures will keep us safe. 

Phishing classifications 

Most Americans learn about major phishing attacks when they disrupt networks, utility services or other infrastructure. But it’s not the “big one” but the billions of phishing emails sent daily adding up to over 90% of attacks starting with a humble email. We also hear the word “phishing” without truly understanding its nuances. This term captures a broader category under which various targeted email attacks live.

Deceptive phishing, the most common phishing, casts and hauls in a wide net. Most casts don’t yield profitable fish, but such a wide net will likely catch a couple “good ones.” It often appears sent from recognized senders and steals information by impersonating a legitimate organization or brand. Used by cybercriminals to steal personal data and login credentials, these phishing emails include several deceptive strategies:

• Blending malicious and harmless code to trick Exchange Online Protection (EOP).
• Incorporating legitimate links to evade detection (and rerouting to spam folders) by email filters.
• Stealing and modifying brand or organization logos.
• Sending emails with minimal written content.
• Using shortened URLs to trick Secure Email Gateways (SEGs) or logic bombs and time bombs to redirect recipients to phishing landing pages after an email arrives in a user’s inbox.

Spear phishing uses a more personal touch (think handcrafted lure) where cybercriminals customize phishing emails with recipients’ personal information to trick them into thinking they’ve connected with the sender. This approach also entices users to click on malicious attachments or URLs designed to capture their personal data. Techniques used in spear phishing attacks include:

• Attempting to compromise API or session tokens that would allow hackers to gain access to company resources like SharePoint sites and employee email accounts.
• Leveraging social media to research company hierarchies to find appropriate targets for attacking.
• Sending mass emails to collect “out of office” responses from which cybercriminals can identify (and copy) internal email formats.

Whaling involves business email compromise (BEC), where cybercriminals spoof sender information and domains from CEOs or very senior executives to conduct fraud. Whaling attacks use the same techniques as spear phishing attacks. But hackers use a compromised executive’s account to infiltrate a company for financial gain.

The ties that bind 

A sharp reader will note a pattern in these modern phishing attempts: the sender is not who or what they claim. In fact, 89% of all modern phishing attacks share one trait: sender impersonation. It’s much more challenging to filter/detect fake email — and more likely to catch a victim — if the attack is based on the sender targeted for impersonation. Hackers capitalize on the little-known fact that email isn’t authenticated out of the box. Without email authentication, anyone can write an email as someone else.  

Believe this phish tale

In lieu of dangling a tasty worm, cybercriminals send over three billion spoofing emails daily. About one in every 100 emails is a phishing or spoofing attack. DMARC (Domain-based Message Authentication, Reporting & Conformance) enforcement offers protection from those incursions.

Unfortunately, few people aside from the email geeks who created and used it know about DMARC. This open standard has wide support from the email community. Only recently has it received increased publicity and acceptance as compliance/best practice in the broader security and brand protection sectors. Awareness and compliance can also have a dramatic impact on adoption. A 2018 BOD (Binding Operational Directive) 18-01 instructed all Federal Agencies to adopt DMARC, resulting in 92% of federal email DMARC records in place and at enforcement — and that’s no phish tale. Conversely, only 22% of top retailers, 30% of Fortune 500 domains and 36% of large banks are at full DMARC enforcement. But this is changing fast — this year alone, 70,000 companies will adopt DMARC. 

DMARC offers a proven way to authenticate email, and when layered with traditional email security approaches, provides strong protection from a dominant email phishing attack vector — sender impersonation. With DMARC effectively implemented at enforcement, only authorized senders can send emails using the domain in their email messages’ “from” field. DMARC operates in the background, and most users aren’t aware of its existence — which is exactly how it’s supposed to work. 

The benefits extend beyond just security: in addition to an effective security layer, DMARC protects brands from abuse, protects clients and partners from receiving fake emails, and provides the controls needed to attest to privacy compliance standards such as GDPR and CCPA.

Ultimately, it is no longer tenable to have our primary communications platform (email) unprotected from sender impersonation. DMARC provides all companies a way to stamp out a primary method of email fraud, leading us to an era of trusting our email again. 

And that’s no fish tale.

A serial entrepreneur and global executive, Alexander García-Tobar has been CEO at two previous firms and has run global sales teams for three companies that went IPO. He held analyst and executive positions at leading research companies such as The Boston Consulting Group and Forrester Research along with Silicon Valley startups such as ValiCert, Sygate, and SyncTV.