
Storm Phishing: A Not-So-Natural Disaster

Chris Haag October 10, 2016 Cybercrime

“Those who escaped the dangers of Hurricane Matthew on the coast faced threats online, according to the governor. South Carolina residents received emails promising updates on power outages. But those who clicked on the link provided in the emails inadvertently opened their computers to hackers…”
Nikki Haley, Governor of South Carolina

Imagine you are the victim of a disaster of some sort: earthquake, fire, hurricane or flooding. You have been evacuated or forced to flee your home with only the items you could frantically put in the car. You are staying at a shelter, a friend’s house or a freeway motel watching the news in rapt disbelief. Checking your email, you see a message from your home county about the disaster and links for more news and help. Clicking the link takes you to a web site that asks you to apply for assistance online – and you’ve been phished! Now, where you had one disaster to face, you have two: the original and identity theft.

The frustrating thing about this scenario is not just that it is real. What is more frustrating is that it is preventable. Using a 6-year-old protocol called DMARC (Domain-based Message Authentication, Reporting & Conformance), governments – from local to state to federal – can ensure that only legitimate messages reach their constituents. Unlike previous security initiatives, DMARC does not just make things incrementally safer. Instead, it can, on a per-domain basis, completely prevent delivery of fraudulent messages to mailboxes that enforce DMARC. Given that nearly all major U.S. mailbox providers (Gmail, Yahoo! Mail, Office365, Hotmail, Comcast and AT&T, to name a few) do enforce DMARC, publishing a DMARC reject record is practically 100% effective.

In light of this, we thought it would be instructive to take a look at the current state of email authentication within government agencies. How “safe” is a .gov message?

Our database has records covering over 16,000 “.gov” domains.

  • Only 11% publish a DMARC record of any kind
  • Only 4% publish a DMARC reject record
  • 96% of governmental domains are unprotected!
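As an added example (not Agari's code or data), the sketch below classifies the TXT answers found at `_dmarc.<domain>` the way a survey like this one would, separating "a record of any kind" from an enforced `p=reject` record. The `.example` domains and their records are constructed samples, and counting a record with a missing or unknown `p` tag as invalid is a simplifying assumption.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the tag dict of one TXT string, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the v tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Classify the TXT answers found at _dmarc.<domain>."""
    found = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not found:
        return "no-record"
    if len(found) > 1:
        return "invalid"          # several DMARC records: receivers apply none
    policy = found[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"          # assumption: missing/unknown p counts as invalid
    pct = found[0].get("pct", "100")
    if policy == "reject" and pct.isdigit() and int(pct) < 100:
        return "reject-partial"   # only a sample of failing mail is rejected
    return policy

def survey(zone):
    """Return (counts, % with any valid record, % with full p=reject)."""
    counts = Counter(classify(records) for records in zone.values())
    total = len(zone)
    any_valid = total - counts["no-record"] - counts["invalid"]
    return counts, round(100 * any_valid / total), round(100 * counts["reject"] / total)

# Constructed sample answers (not survey data), keyed by hypothetical domain.
SAMPLE = {
    "alpha.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@alpha.example"],
    "bravo.example": ["v=DMARC1; p=none"],
    "charlie.example": ["v=spf1 -all"],            # SPF text, not a DMARC record
    "delta.example": [],                           # nothing published
    "echo.example": ["v=DMARC1; p=reject; pct=25"],
    "foxtrot.example": ["v=DMARC1; p=quarantine", "v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    print(survey(SAMPLE))
```

Only the `reject` bucket corresponds to the protection described above; `none`, `quarantine` and `reject-partial` records are published but still let some or all spoofed mail through.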

We call on governments around the world to start their journey to DMARC reject as soon as possible. One disaster is more than enough for any person to handle!

