Email Security Blog

Hosted DMARC: Accelerating Protection Against Email-based Brand Jacking Scams

Chuck Holland May 12, 2020 Brand Protection, DMARC, Email Security, Online Brand Protection

The coronavirus pandemic is shining a spotlight on the importance of hosted Domain-based Message Authentication, Reporting, and Conformance (DMARC) to prevent cybercriminals from hijacking an organization’s domains to launch phishing attacks that put the public at risk.

A case in point – the World Health Organization (WHO). The UN’s international public health agency has been issuing warnings since January that threat actors are impersonating the organization’s officials in email scams, including attacks designed to distribute malware or misinformation.

According to VOX, email fraudsters have even been soliciting donations to WHO’s COVID-19 Solidarity Response Fund that instead get funneled to the perpetrators’ bank accounts. To make matters worse, the sender email domain in some of these attacks is — which is the organization’s legitimate domain name. To be sure, in just the last few days the WHO has made good progress to secure their domain with DMARC at status p=reject, but they are hardly alone.

This kind of “brand jacking” is up 11X since 2014, impacting organizations in every sector. What many organizations haven’t yet addressed is the innate security flaws in the email open protocol that doesn’t verify the identity of senders. That means (without DMARC) anyone can send an email impersonating anyone else—often by exploiting a respected brand’s own domain names.

When implemented properly, DMARC prevents this kind of malicious impersonation. Yet the vast majority of organizations fail to use it—including at last count 85% of the sending domains used by the Fortune 500. And this critical email security gap leaves their customers, partners, shareholders, and the general public vulnerable to impersonation attacks.

But a new generation of hosted DMARC solutions is helping to change all that.

Impersonation Attacks, Data Breaches Up Sharply Since March

The stakes associated with brand impersonation have grown much higher in recent weeks.

Stressed out consumers are being targeted in COVID-19 related email scams that masquerade as messages from major brands like Microsoft, Apple, and Netflix.  And with an estimated 75 million corporate employees working from home, some for the first time, it’s a safe bet that at least one will initiate payment for a fraudulent invoice, or fall for a bogus account alert, in response to emails that appear to come from a brand they know and trust.

Over the last four years, email impersonation in all its forms has led to more than $26 billion in business losses worldwide. And it’s no secret that credential harvesting-based impersonation attacks factor into most data breaches. According to the International Association of IT Asset Managers, there has been a major spike in data breaches since shelter-in-place restrictions were first instituted in March.

The fact that your company is also a victim when it’s impersonated in phishing schemes won’t matter to those who fall prey to them. If and when that happens, large corporate accounts may decide to jump ship. Lawsuits may fly. Social media rants and negative search results may amplify and prolong the humiliation indefinitely.

DMARC to the Rescue

That’s where DMARC comes in. By acting as the policy layer for widely used authentication technologies, including  Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), DMARC gives organizations control over who is allowed to send emails on their behalf.

Put simply, DMARC enables email receiver systems to recognize when an email isn’t coming from a brand’s approved domains, and gives an organization the ability to tell email receiver systems what to do with these unauthorized email messages. But that’s only if it’s done right.

Adding a DMARC record to a domain’s DNS takes just a few minutes. But to be effective, DMARC must be set to its highest enforcement level, p=reject. And while this is a relatively straightforward proposition, its immensely challenging at scale.

We typically advise large brands looking to implement DMARC to begin with a p=none, or “monitor-only” enforcement level and then work their way up to p=reject, because most organizations don’t realize just how complex their email ecosystem are. For many, getting to full enforcement manually is difficult, costly, and prone to errors—especially when those with thousands of domains associated with dozens of email senders, including cloud-based email services such as Salesforce or Marketo.

Managing this kind of complexity requires smart, powerful implementation tools for handling all the intricacies  involved with DMARC deployment across large email environments. Using our own DMARC solution as an example, Agari Brand Protection™ identifies all domains used to send email on your organization’s behalf, and then automates the process of building, deploying, monitoring, and updating SPF, DKIM, and DMARC records for those domains.

When fully implemented, brands can easily authorize legitimate email communications while blocking malicious impersonations at scale.

How Hosted DMARC Accelerates Stress-Free Deployments

With many organizations preoccupied supporting a workforce that has had to shift to remote working faster than anticipated due to pandemic-related lockdown measures, I’m not surprised that we’re seeing more customers choosing our Hosted DMARC service.

This can be an especially compelling option for a number of reasons. Not only does it ensure the fastest possible DMARC deployment, but it also guarantees 100% error-free email delivery for authenticated domains, new domains, and new senders.

It also enables brands to avoid having to invest in additional management, infrastructure, and full-time employee head counts for DMARC implementation. This includes what are often unforeseen costs, hassles, and risks associated with building, managing, and monitoring DKIM, SPF, and DMARC records, ongoing DNS changes, and more.

Pro tip: When selecting hosted solutions, vendors often claim to offer automation and ease-of DMARC implementation, so it’s important to confirm how many domains a vendor has at full p=reject enforcement. Organizations that are serious about blocking phishing-based brand impersonations shouldn’t settle for a vendor that has most of their customers stalled at “monitor-only” mode.

According to a study from Forrester Research, DMARC deployments employing Agari solutions have been shown to drive phishing-based brand impersonations to near zero almost instantly. In the current email security environment, that means phishing scammers looking to exploit the coronavirus outbreak will be forced to hunt for easier targets to impersonate.

To learn more about implementing DMARC effectively and efficiently, read our solution brief, Email Authentication Without Limits: Agari Automation and Hosting Features.

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

September 15, 2020 Armen Najarian

Why Full DMARC Protection is a Pressing Business Imperative in 2020 and Beyond

If you haven't deployed Domain-based Messaging Authentication, Reporting, and Conformance (DMARC) to protect your brand…

Person using Google AMP for Email

September 3, 2020 Michael Cichon

Implement DMARC for Trust Before Google AMP for Email

With marketers more dependent on digital channels, many may accelerate their tests of Google's AMP…

Happy african man working on DMARC

August 17, 2020 Armen Najarian

DMARC Adoption Slows, 80% of Fortune 500 Email Senders Remain Unauthenticated

The first half of 2020 saw 25 additional Fortune 500 companies adopt Domain-based Messaging, Reporting…

Agari Blog Image

July 23, 2020 Michael Paiko

DMARC: How Phishing Rings Can Use Your Email Authentication Controls Against You

In the first reported case of its kind, a phishing ring in Eastern Europe is…

Agari Blog Image

July 7, 2020 Crane Hassold

Cosmic Lynx: A Russian Threat Hits the BEC Scene

“At some point, Russian and Eastern European cybercriminals are going to start thinking to themselves,…

mobile image