Scammers Send 3.1 Billion Domain Spoofing Emails A Day. Here's How To Protect Yourself (And Your Company)
How do you know an email from your bank is actually from your bank? Or that an email from your boss isn’t from a scammer in Ukraine?
Short answer: you don’t.
Between 1 and 2% of all emails are flat-out scams, says email security company Valimail. They come from unscrupulous people impersonating a company, organization or person you know, trying to get you to do something like give up your banking details, send a payment, or divulge secret information. On the surface, an email might look just fine, saying it’s from BankofAmerica.com, for instance. Actually, it’s from some random domain controlled by a hacker who is looking to siphon funds illegally from you or your company’s accounts.
With over 300 billion emails sent daily, that works out to 3-6 billion scam attempts a day. Over 90% of cybersecurity attacks start with email, says Valimail.
That’s why the company has entered into a partnership with Twilio SendGrid to validate email sources and prevent scams like phishing — trying to obtain sensitive personal or company data — before they begin.
Now is an especially dangerous time.
Scammers are trying to capitalize on COVID-19 by stealing funds from the $349 billion federal Paycheck Protection Program.
“Cybercriminals never let a crisis go to waste. Phishing has surged to exploit the uncertainty and fear at a time people are working from home, far away from IT support and with an even higher reliance on email,” Valimail CEO Alexander García-Tobar said in a statement. “Impersonation is the attack vector used by 90% of spear phishing attacks — email sent as your co-workers, your boss, or a trusted organization — and domain spoofing poses unique challenges for both detection and prevention.”
According to the FBI, these types of scams have cost $26 billion over the past six years.
And these scam attempts are in addition to the emails that are annoying but not dangerous: spam. Since about 90% of email is spam, you’re also being barraged by your share of 275 billion unwanted commercial and political emails.
The technology that Valimail is using to defend against phishing is called DMARC, a widely accepted email authentication protocol. Using this protocol properly, a company can ensure that anyone using a modern email client — 80% of email clients do DMARC checks — will only see email claiming to be from that company if it actually is. (In case you’re wondering, Gmail uses DMARC, as do Outlook.com and most other popular email providers.)
By partnering with Valimail, SendGrid is ensuring that its clients can avoid being spoofed, and that they can quickly confirm that all the apps they work with that send email are properly validated and configured.
Interestingly, that can also help with deliverability of your own email — the email you send.
Valimail VP of Communications Dylan Tweney told me that my own personal domain, sparkplug9.com, was not DMARC protected. That means someone could spoof my domain, act as if they were me, and spam others. If that spam were detected, email from sparkplug9.com would be suspect in the future, resulting in my real emails having a harder time getting through spam blockers.
I asked Tweney a few more questions.
Koetsier: What percentage of mail is spam?
Tweney: 90% or greater, according to most industry sources. Almost all of it gets filtered out by now.
Koetsier: What percentage of mail is some kind of scam or phishing attempt?
Tweney: Estimates vary. Avanan pegged the rate of phishing at about 1% of all email volume. Valimail has measured the rate of domain spoofing (when the sender uses a legit domain in the “from” field that they don’t actually have the right to use) at 1-2% of all email volume. Gmail recently announced they’re blocking 100 million phishing messages per day.
Koetsier: How much does this new solution reduce those problems?
Tweney: The new solutions allow domain owners to protect their domains from being spoofed using a standard called DMARC. About 80% of inboxes worldwide will do DMARC checks on every inbound email message, if the domain that the message appears to come from has configured it. Depending on the DMARC settings, the receiving inbox will then block or mark as spam any messages that haven’t been authenticated by the domain owners. Almost all phishing emails use a fake sender identity (they’re pretending to be a person or company you’d trust).
It varies by month, but 30-60% of those fakes are using spoofed domains. So DMARC enforcement could potentially block 30-60% of all phish.
But keep in mind that this would also force phishers to use more obvious types of fakes, like a throwaway Gmail account where the sender looks something like “Bank of America”.
Koetsier: How much can you potentially save companies?
Tweney: It really depends on how much the companies use email, and whether they consider their identity in email an asset worth protecting or not. It’s worth noting that 30% of the Fortune 500 are protecting their domains this way, and 90% of US federal government domains are.
Koetsier: How does it impact each user’s experience of email?
Tweney: It makes the email you receive more trustworthy. If your bank is protecting its domain from impersonation with these tools, then you can be confident that any messages in your inbox that have the bank’s domain name in the From field are legitimately from your bank. If you’re wondering whether a domain is protected or not, it’s easy to check. You can enter any domain into our domain checker here.
For example, I notice that your domain is still spoofable.
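The DMARC mechanics described above (the article's own summary, and Tweney's account of receivers checking the sending domain's record and then blocking or quarantining unauthenticated mail) can be made concrete with a small evaluator. The code below is an added example, not Valimail's, SendGrid's or the article's own code: it parses a DMARC TXT record, checks whether an SPF- or DKIM-authenticated domain aligns with the visible From: domain, and returns the disposition a receiving inbox would apply. All domains and records are constructed inline, nothing is looked up in DNS, and the organizational-domain rule is a deliberate simplification (real receivers consult the Public Suffix List).

```python
"""Toy DMARC record parser and disposition evaluator (added example, not
Valimail's or SendGrid's code). Domains and records are constructed; no DNS."""
from dataclasses import dataclass, field

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcPolicy:
    policy: str              # p=  : disposition for unaligned mail
    subdomain_policy: str    # sp= : same for subdomains (defaults to p=)
    adkim: str = "r"         # DKIM alignment: "r" relaxed / "s" strict
    aspf: str = "r"          # SPF alignment:  "r" relaxed / "s" strict
    pct: int = 100           # share of failing mail the policy applies to
    rua: list = field(default_factory=list)   # aggregate-report URIs


def parse_dmarc_record(txt):
    """Parse the TXT record published at _dmarc.<domain>."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    if "p" not in tags:
        raise ValueError("required p= tag missing")
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()
    if policy not in VALID_POLICIES or sub_policy not in VALID_POLICIES:
        raise ValueError("policy must be none, quarantine or reject")
    adkim, aspf = tags.get("adkim", "r").lower(), tags.get("aspf", "r").lower()
    if adkim not in ("r", "s") or aspf not in ("r", "s"):
        raise ValueError("alignment mode must be r or s")
    pct = int(tags.get("pct", "100"))
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcPolicy(policy, sub_policy, adkim, aspf, pct, rua)


def organizational_domain(domain):
    # Assumption/simplification: last two labels. Real receivers consult the
    # Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(from_domain, authenticated_domain, mode):
    """Does an SPF- or DKIM-authenticated domain line up with the From: domain?"""
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(authenticated_domain)


def evaluate(from_domain, record, spf_domain=None, dkim_domains=()):
    """Disposition for one message: "pass", "none", "quarantine", "reject",
    or "no-policy" when the From: domain publishes no DMARC record.
    spf_domain is the domain SPF passed for; dkim_domains are verified d= values."""
    if record is None:
        return "no-policy"          # nothing to enforce: the domain is spoofable
    pol = parse_dmarc_record(record)
    spf_ok = spf_domain is not None and is_aligned(from_domain, spf_domain, pol.aspf)
    dkim_ok = any(is_aligned(from_domain, d, pol.adkim) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return "pass"
    is_sub = organizational_domain(from_domain) != from_domain.lower().rstrip(".")
    return pol.subdomain_policy if is_sub else pol.policy


# Constructed sample records; a real receiver would fetch these from DNS.
SAMPLE_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; "
                    "rua=mailto:dmarc-reports@bank.example",
    "shop.example": "v=DMARC1; p=none; rua=mailto:reports@shop.example",
    "unprotected.example": None,
}


def demo():
    """Constructed scenarios; returns {scenario: disposition}."""
    bank, shop = SAMPLE_RECORDS["bank.example"], SAMPLE_RECORDS["shop.example"]
    return {
        "bank, DKIM-signed with own domain": evaluate("bank.example", bank, dkim_domains=("bank.example",)),
        "bank, SPF via subdomain (relaxed ok)": evaluate("bank.example", bank, spf_domain="mail.bank.example"),
        "bank, DKIM via subdomain (adkim=s fails)": evaluate("bank.example", bank, dkim_domains=("mail.bank.example",)),
        "bank, SPF passes only for attacker": evaluate("bank.example", bank, spf_domain="attacker.example"),
        "bank subdomain spoofed (sp=)": evaluate("news.bank.example", bank),
        "shop spoofed (monitor only)": evaluate("shop.example", shop),
        "unprotected spoofed": evaluate("unprotected.example", None),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:42s} -> {verdict}")
```

The scenarios show the two things the interview keeps returning to: a domain with `p=reject` and aligned authentication gets its real mail through while a spoof that only passes SPF for the attacker's own infrastructure is rejected, whereas a domain at `p=none` (monitoring) or with no record at all is still spoofable, which is the state the article describes for sparkplug9.com. The `pct` tag is parsed but not applied; real receivers use it to sample how much failing mail the policy covers during a staged rollout.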
Koetsier: Is email growing in usage still, or declining with Slack, Microsoft Teams, etc.?
Tweney: Email is still growing. 3.9 billion people worldwide use email — more than half the global population of 7.7 billion. This will rise to 4.4 billion email users by 2023. 293 billion email messages are sent/received every day. (Growing to 347 billion by 2023.)
It’s the last true open-standards communication platform that’s not controlled by any single company. While people are using it less for human-to-human communication, it remains one of the most effective forms for business-to-business and business-to-consumer communication.
Koetsier: How does this increase deliverability of your own messages? How much does it increase that deliverability?
Tweney: It’s unlikely to make much of a difference for consumers’ own messages. But for companies that use these tools to get to DMARC enforcement, deliverability increases by 10% or more, typically. In cases when a domain has been so heavily spoofed that inboxes worldwide have given it a really spammy reputation, deliverability can increase a lot more. The UK’s tax revenue service saw deliverability rise from 18% to 98% just by implementing DMARC.
Koetsier: We tend to forget about email. How big of an attack surface is it … or what percentage of company hacks originate from email?
Tweney: 90% or more of all cybersecurity attacks originate with email. Lots of sources on that. The Verizon Data Breach Investigation Report has consistently placed it as the #1 cybersecurity attack vector.
IT people tend to take the approach that this is a human engineering problem, and that the solution is to train users better (“be careful what you click on”). This doesn’t work too well because phishing emails can be very hard to distinguish from the real thing, even for sophisticated cybersecurity professionals. That’s doubly true when the email appears to be coming from the very domain of a company you trust. One type of phishing attack, the business email compromise (BEC), is particularly pernicious. That’s when someone emails the CFO pretending to be a contractor the company works with, sending an urgent new invoice or new bank deposit instructions. Or when hackers email an executive assistant pretending to be the CEO asking for a money transfer, or gift cards or something. The FBI pegs this at $26 billion in losses over the past few years.
Koetsier: What are individual users’ and/or consumers’ risks, and how do you protect them from that?
Tweney: By protecting the brands that they trust, the Twilio SendGrid – Valimail partnership helps make the emails those brands send more trustworthy. That means you’re less likely to get phished by an email that appears to come from your bank, your streaming movie service, or your favorite e-commerce vendor — but which is really a fake that comes from a phisher. In this way, you’re more protected from losing money to phishing scams, or worse — accidentally entering your login credentials on a phishing website designed to steal them.
Koetsier: Thank you for your time!