The Escalating War Against Email-Based Espionage and Fraud
I suppose I am not shocking anyone by telling you that email has become a prime target for modern cyber criminals, who leverage it for everything from espionage, to data theft, to the spread of false information—even for sextortion.
The numbers are mind-blowing. Cyber criminals are estimated to send around 3.4 billion emails daily, cleverly disguised to appear as if they're from reliable sources. This amounts to more than one trillion phishing emails every year. It's a huge deal. Scams using business emails have cost over $43 billion since 2016, according to the FBI. But it's not just about losing money. These scams can ruin a company's good name, mess up how it works and even lead to important and secret ideas being stolen.
No one can hide. Organizations of all sizes and in all industries are under siege. Traditional email security methods, like secure email gateways and anti-spam and anti-malware tools, are no longer sufficient. A new, proactive approach is needed desperately.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a tool that's become important for stopping email scams in the last few years. It lets domain owners decide who can send emails using their domain name. If an email does not pass the check, it gets stopped or set aside so that it doesn't end up in your inbox to trick you.
When implemented properly, DMARC acts as an identity check for email, similar to an airport security checkpoint. Just as passengers must present valid credentials to board a flight, email senders must authenticate to deliver messages to DMARC-protected domains. Unauthorized senders are prevented from impersonating the domain.
The impacts of DMARC could be transformative for security. Early adopters have reported threat reductions of over 90% after enforcing DMARC policies on their domains. Besides thwarting impersonation attacks, DMARC delivers additional benefits like improved deliverability and brand protection.
Despite its clear security value, enterprise DMARC adoption has been relatively slow, hovering around 30% globally. Many organizations have been daunted by the perceived complexity and risk of shifting their email flows to a strict enforcement posture. Legacy DMARC solutions have not helped matters, often requiring tedious manual configuration of email authentication records.
The good news is that there's hope for better email safety. New tools are out now that make it easier and faster for businesses to protect their emails. These tools work automatically, don't assume anything is safe right away—that's the "zero-trust" part—and use smart tech like cloud storage and learning from experience—that's the "machine learning" part—to help with setting up DMARC, which keeps scam emails away.
Leading vendors in the zero-trust email authentication space provide capabilities such as:
- Fast, hassle-free setup and configuration
- Continuous, automated enforcement of DMARC policies
- Instant, scalable protection for all owned domains
- Intuitive visibility and reporting on email ecosystem health
With these advancements, enterprises can now deploy DMARC with confidence across even the most complex email environments. Domain protection can be achieved in a matter of weeks instead of months or quarters.

Regulatory tailwinds are also providing impetus for DMARC adoption. Major email providers like Google and Yahoo! have recently issued guidance that domains must be properly authenticated to ensure continued delivery of messages. Authenticating email is becoming table stakes on the modern internet.
For high-risk sectors like financial services, defense and critical infrastructure, DMARC is also being enshrined into security compliance frameworks. The payments industry, for instance, now requires DMARC for any service provider that handles credit card data.
As we head into the 2024 election season, DMARC will play a vital role in protecting the integrity of digital campaign communications against foreign interference and disinformation. At least one nonpartisan organization, Defending Digital Campaigns (DDC), has launched an initiative to provide free DMARC-based anti-spoofing services to federal campaigns and committees.
Do not lose hope. We can win this battle. As more organizations adopt DMARC and other identity-based security controls, email will become a far less viable attack vector for malicious actors. I hesitate to say we may never stop email-based threats entirely, but we can certainly constrain their impact and make them much harder and costlier to execute.
We are indeed at a turning point in the fight against email hacking and fraud. Now that advanced, zero-trust DMARC systems are accessible to everyone, companies have a strong way to keep themselves, their teams and their customers safe.
The threat isn't on its way; it's already here. It's H-hour.