Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

Companies Are Failing to Deploy Key Solution for Email Security

A single -- albeit complex-to-deploy -- technology could stop the most expensive form of fraud, experts say. Why aren't more companies adopting it?

Business email compromise (BEC) is the most expensive form of online fraud encountered every year, with international losses in excess of $26 billion over the past three years, according to the FBI. Despite that, email security measures that could stop the messages impersonating business executives remain underdeployed, experts say.

The key technology, known as Domain-based Message Authentication, Reporting, and Conformance, or DMARC, significantly reduces attackers' abilities to spoof targeted domains and business executives by validating the path from the sending server to the receiver's inbox. In addition, the technology gives an organization's email administrator visibility into how their domain is being abused in emails.

Given the recent move of many companies to remote work during the coronavirus pandemic, validating email messages is even more important, says Joseph Blankenship, vice president of research for cybersecurity at Forrester Research.

"We designed email to trust by its very nature," he says. "To keep it secure, we need a multilayered approach that makes sure any anti-phishing defense is using multiple methods to verify email senders."

Every year, attackers use impersonation in phishing attacks to harvest user credentials as well as in BEC schemes where they send fake invoices from vendors or requests for payment from purported company executives to a target's accounting department. In 2019, the FBI received nearly 24,000 complaints of BEC fraud totaling $1.8 billion in losses, according to the annual Internet Crime Complaint Center report

A triad of email security technologies are designed to hobble attackers' attempts to impersonate legitimate organizations. Sender Policy Framework (SPF) adds the legitimate mail servers into the authoritative DNS record for a domain. The Domain Keys Identified Mail (DKIM) technology signs email messages to confirm the messages have not been changed. Finally, DMARC checks that a message's From address matches the information verified by SPF and DKIM. In addition, DMARC produces aggregate reports on the email traffic sent from an administrator's domain.

While DMARC gives companies protection against phishing, brand misuse, and BEC, it's difficult to implement across companies. "As someone who tried to do it with a team of smart IT people, it is an undertaking, I'll tell you that," says Blankenship. "We actually failed — we gave up after a couple of weeks."

Forrester recommends that companies work with their email infrastructure provider to set it up and consider bringing in a consultant.

While the complexity may scare off small firms, organizations that use the large email providers will likely have a managed offering that walks them through the process, he says.

"Two of the biggest providers of email services, Microsoft and Google, have a lot of email security capabilities built in," he says. "So any small firm should be taking full advantage of all the email filtering that is available to them from their email infrastructure provider."

While the use of DMARC is growing — tripling in 2019 — less than 10% of companies use it in most industries. Because of a US government mandate, however, almost every US federal agency uses the technology.

In addition, getting the full security benefits of the technology takes time. Administrators of an organization's email can select three different polices for messages that fail verification: Complete delivery of the messages, quarantine the messages, or reject the messages. In 2019, 71% of companies failed to enforce strict rules, taking no action and allowing the message to be delivered, according to data from DMARC.org.

"Phishing is implicated in more than 90% of all cyberattacks, and the vast majority of phishing emails leverage impersonation," Alexander García-Tobar, CEO and co-founder of email security firm Valimail, said in a statement. "This is only possible due to email's lack of robust sender identity validation. The sharp rise in DMARC records worldwide is promising, but the low rate of enforcement indicates there is a long way to go in establishing real trust in one of the world's most common forms of communication."

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174732.
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 174735.
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174738.
PUBLISHED: 2020-06-03
IBM Security Guardium 11.1 could disclose sensitive information on the login page that could aid in further attacks against the system. IBM X-Force ID: 174805.
PUBLISHED: 2020-06-03
IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174851.