Can you remember your first email? Either sending one, or receiving it? I certainly remember explaining to people what email was, and I also remember someone telling me they could live without their email server for “about a month before it becomes a problem”.
Can you imagine that now? A month without email?
Emails are a necessary evil
According to Earthweb, approximately 333.2 billion emails are sent every day in 2022, which is around 3.5 million emails every second!
Email is, without doubt, the communication tool of choice for almost everyone, and it is critical for those of us running a business. Therefore, is it any wonder that against this backdrop of increasing email use, we see that fraudsters and cybercriminals use email as their primary delivery mechanism for phishing and malware?
According to APWG’s Phishing Activity Trends Report, there were 1.25 million phishing attacks in the very first quarter of 2022, making it the worst quarter for phishing observed to date. But like all statistics of this nature, we must keep in mind that this counts only reported attacks – many more go unnoticed or unreported. Therefore, although it is pure speculation, the true number could be significantly higher.
Why is email so attractive?
This may sound like an easy question to answer, but email isn’t just a gateway into our organisations. It offers so much more. From a scammer’s perspective, it is very easy to get a hold of email addresses, as most of us share them without any real concern or consideration for how they are used. We give out email addresses freely on websites when we sign up for newsletters or online services, and we share our email addresses when a shop assistant asks if we want a receipt emailed to us, or if we would like to join their “exclusive club”.
In 2021 the Compilation of Many Breaches (COMB) was discovered on the Dark Web, containing over 3.2 billion email addresses and passwords. With that many addresses in circulation, is it any wonder that 2021 was a bumper year for phishing campaigns?
The other reason that email is such an attractive target for scams is that many of us run our entire lives through our inbox, making our email a rich source of information. We use our email to register online for shopping, banking, utilities, dating, and social media, and it figures prominently in our work lives too.
Returning to the matter of the sheer volume of emails, it is worth thinking about how many emails you receive and how responding to them all seems to be a constant challenge. Cybercriminals know this, and they know that we aren’t paying attention to the details in the email that might give them away.
On your DMARC… Get set. Go!
There are some very simple things you can do to protect yourself against email scams:
- Unsubscribe from all those emails that are just noise, or create a rule to hive them off into another folder.
- Flag emails that you know will require some effort on your part to respond correctly.
- Give yourself specific blocks of time in the day to deal with emails. Don’t feel immediately compelled to read and respond to everything.
While these are all methods that anyone can use to protect themselves from email scams, a separate problem arises when an email address is spoofed, that is, when the scammer sends an email purporting to come from a legitimate address. For this, there is a more technical approach that mail administrators can implement to protect an organization from spoofed messages.
One method to achieve this is for the domain administrator to enforce DMARC. If you’ve never heard of DMARC, it’s an authentication mechanism layered on top of two other schemes, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). DMARC checks that the domain in the visible “From” header aligns with the domain that SPF or DKIM actually authenticated, so the address the recipient sees is backed by a verified sender. It also lets domain owners publish a policy telling recipients how to handle messages that fail this check (the strictest setting being p=reject), thereby protecting the domain from unauthorised use.
As you can imagine, this is highly valuable and goes a long way to protecting your domain from being spoofed.
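To make the alignment check concrete, here is an added example (not code from the article or its author) that parses a DMARC TXT record and evaluates a message against it the way a receiving mail server would: a message passes only if SPF or DKIM passed *and* the authenticated domain aligns with the “From” domain; otherwise the domain owner’s published p= policy applies. The records, domains and authentication results are constructed for the example, and the organisational-domain helper is a simplification (real receivers use the Public Suffix List).

```python
"""Evaluate a message against a DMARC record (constructed example, not from the article)."""

def org_domain(domain):
    """Organisational domain, approximated as the last two labels.

    Assumption: real DMARC implementations consult the Public Suffix List;
    the two-label shortcut is good enough for the constructed domains here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Parse a record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    # Alignment defaults to relaxed ('r') when adkim/aspf are not published.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organisational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return 'pass' if an aligned SPF or DKIM result authenticates the From
    domain; otherwise return the disposition the domain owner requested."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Constructed record for a hypothetical domain.
    policy = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    # Legitimate mail: SPF passed for a subdomain, relaxed alignment holds.
    print(evaluate(policy, "example.com", "mail.example.com", True, None, False))
    # Spoofed From header: SPF and DKIM pass, but only for the sender's own
    # domain, which does not align, so the owner's p=reject applies.
    print(evaluate(policy, "example.com", "other.example", True, "other.example", True))
```

The second call in the demo is the case the article is concerned with: a spoofer can easily pass SPF and DKIM for infrastructure they control, but neither result aligns with the spoofed “From” domain, so the receiving server applies the p=reject policy the domain owner published.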
In the latest report “Email fraud & identity deception trends” from AGARI Cybersecurity’s intelligence division, they make the point that adoption still isn’t where it needs to be, indicating that:
“Domain-based Message Authentication, Reporting, and Conformance (DMARC) leapt 19% from 2020-2021. However, the number of Fortune 500 companies to deploy DMARC policies showed a mere 10% increase with DMARC set at its most aggressive level of enforcement, namely at p=reject.”
Their report highlights that 66% of Fortune 500 companies remain vulnerable to being impersonated in phishing scams that target their customers, partners, investors, and the general public.
Conclusion: What else can we do?
This may sound like simple advice, but one additional thing we can do is to … slow… down.
One of the reasons we fall prey to scammers and cyberattacks is that we aren’t paying attention to the emails that flit across our screens. We quickly scan them, fire off a response, and move on to the next without pausing to think.
If we give ourselves time to think and allow ourselves to log off at the end of the day, we might just come back to our inboxes with more focused attention and therefore be less likely to fall victim to a phishing attack.
To put it another way, we need a combined approach of both technical (DMARC) and human (slowing down) measures to tackle a problem that is not going away.
About the author: For over three decades, Lee Scorey has honed his technical skills, working for a multitude of industries and sectors, including financial, commercial and the public sector.
Information Security has always been at the heart of each role he has undertaken, and he is passionate about developing safe and secure operating practices and environments that make life safer for all.
As a consultant Lee now runs his own Information Security Consultancy, helping businesses approach information security in a practical and pragmatic way.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.