Scammers know that impersonating a trusted government agency is an extremely effective way to trick or scare victims into handing over money, personal data, or sensitive information. In many cases, it’s all too easy for cybercriminals to use the agency’s own domains to send authentic-looking phishing emails to constituents and contractors. That’s why the Department of Homeland Security announced BOD 18-01 requiring all federal agencies to implement DMARC email authentication by October 2018.
While that directive has resulted in a sharp increase in federal agencies at a p=reject policy, the same cannot be said for state and local governments. In December, criminals spoofed a Sedgwick County, Kansas, email address to try to trick a vendor into sharing county financial data. The sharp-eyed vendor reported the phishing attempt and prevented the cybercriminal from gaining access to the records.
Brand- and identity-impersonation emails like these make up more than half of the growing wave of business email compromise (BEC) attacks, which have caused $12.5 billion in losses over the past half-decade. These cybercriminals exploit a known flaw in email—the ability for anyone to send an email from any domain—to trick constituents, contractors, vendors, and others into sending money or sharing sensitive information.
Thankfully, DMARC addresses this problem. While state and local governments are not subject to the BOD 18-01 mandate, it’s time for them to implement the same security protocol to avoid being impersonated.
Early DMARC Adoption by the Federal Government
The executive branch of the US federal government is the clear standout among large sectors when it comes to DMARC implementation. But it wasn’t always that way.
As recently as October 2017, only 18% of federal domains had DMARC records, and less than 10% were enforcing the strictest p=reject policy to keep scam emails from reaching recipients. That month, the Department of Homeland Security issued Binding Operational Directive 18-01, mandating that agencies implement DMARC and enforce a Reject policy.
One year later, with BOD 18-01 for motivation and guidance, 85% of federal domains were using DMARC, and 74% had implemented policies at p=reject. Those figures put the federal government far ahead of the finance, technology, healthcare, and retail sectors for DMARC adoption.
One federal agency reported that after adopting DMARC and moving to a Reject policy, they were able to identify out-of-compliance domains and remedy those security settings. They were also able to detect and manage in-house and third-party senders, block phishing attempts, and prevent shadow IT on their domains. These improvements ultimately increased trust in emails sent from the agency’s domains and protected its reputation and brand value.
Why Wait? State and Local Governments Should Take Action Too
While there has been no similar mandate for state and local governments, there is no reason to wait to take action. Cybercriminals will continue to exploit offices that do not protect their domains by using them to send requests for private information or to pay fake invoices.
Attackers continue to impersonate state and local governments because, much like the federal government, they carry inherent authority and enjoy the trust of their citizens. A fake email that appears to come from the county sheriff, for example, is much more likely to get citizens to act than an email from an organization the recipient is not familiar with. By taking advantage of the trust that people place in government, cybercriminals can easily fool citizens, employees, volunteers, and even elected officials.
And as the federal government becomes harder to impersonate thanks to the success of BOD 18-01, cybercriminals are bound to turn elsewhere to scam citizens. State and local governments will remain an easy target until they follow in the footsteps of their federal counterparts.
Moving Into a More Secure Future
While the complexity of an agency's email ecosystem can make DMARC implementation challenging, the protocol's staged policies allow a gradual rollout. It is critical to get everything right before moving to a Reject policy, so that legitimate emails are not rejected as unauthenticated; this requires a member of the messaging operations or security team to review third-party senders and monitor sending flows.
Here at Agari, we recommend that agencies move toward full implementation at a pace that allows for troubleshooting and feedback at each policy stage—from Monitor to Quarantine to Reject. By working with the right vendor, you can be sure that you have a handle on every single email coming from your domain, before you make a costly mistake.
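To make the Monitor, Quarantine and Reject stages concrete, the following added example (not code from the original post or from Agari) parses the DMARC TXT record an agency publishes at each stage and reports the enforcement level plus the rollout problems a reviewer would want flagged before tightening the policy: a missing aggregate-report (rua) address, a partial pct, or a subdomain policy weaker than the domain policy. The domain example.gov and the reporting address are constructed placeholders; tag names and permitted values follow RFC 7489.

```python
"""Parse and sanity-check DMARC DNS TXT records at each rollout stage.

Added example, not code from the original post or from Agari. The domain
example.gov and the reporting address are constructed placeholders; tag
names and permitted values follow RFC 7489.
"""

# Constructed sample records for the three stages the post describes:
# Monitor (p=none) -> Quarantine -> Reject.
STAGE_RECORDS = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov",
    "quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.gov",
    "reject": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
              "rua=mailto:dmarc-reports@example.gov",
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}  # weakest to strictest
ALIGNMENT_MODES = {"r", "s"}  # relaxed / strict DKIM and SPF alignment


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict.

    Raises ValueError for defects that make receivers treat the domain as
    having no DMARC record at all, which silently leaves it unprotected.
    """
    parts = [p.strip() for p in record.split(";")]
    if parts[0] != "v=DMARC1":  # RFC 7489: the version tag must come first
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value
    if "p" not in tags:
        raise ValueError("required tag p is missing")
    for key in ("p", "sp"):
        if key in tags and tags[key] not in POLICY_RANK:
            raise ValueError(f"invalid {key} policy: {tags[key]!r}")
    for key in ("adkim", "aspf"):
        if key in tags and tags[key] not in ALIGNMENT_MODES:
            raise ValueError(f"invalid {key} alignment mode: {tags[key]!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError(f"pct must be an integer 0-100, got {pct!r}")
    return tags


def check_record(record: str) -> dict:
    """Report the enforcement stage of a record plus rollout warnings."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))
    warnings = []
    # Without aggregate (rua) reports there is no visibility into which
    # senders fail authentication, so the Monitor stage teaches nothing.
    if not tags.get("rua", "").startswith("mailto:"):
        warnings.append("no rua address: failing senders cannot be monitored")
    if policy != "none" and pct < 100:
        warnings.append(f"only {pct}% of failing mail is subject to p={policy}")
    # sp defaults to p; an explicitly weaker sp leaves subdomains spoofable.
    sp = tags.get("sp", policy)
    if POLICY_RANK[sp] < POLICY_RANK[policy]:
        warnings.append(f"subdomain policy sp={sp} is weaker than p={policy}")
    return {
        "policy": policy,
        "enforcing": policy in ("quarantine", "reject"),
        "pct": pct,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for stage, record in STAGE_RECORDS.items():
        result = check_record(record)
        print(f"{stage:>10}: p={result['policy']} enforcing={result['enforcing']}")
        for warning in result["warnings"]:
            print(f"{'':>12}warning: {warning}")
```

Run against a record pulled from DNS (the TXT record at `_dmarc.<domain>`), the checker gives the reviewer a quick answer to the question in the preceding paragraph: which stage the domain is at, and whether the record is collecting the reports needed to troubleshoot before the next step.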
DMARC makes it nearly impossible for bad actors to abuse public trust in organizations by using their exact email domains for phishing scams. By taking this first step toward secure government email and implementing DMARC, state and local governments can keep constituents safe, reduce public complaints about phishing emails, protect vendor relationships, and increase the deliverability of their email messages.