Email fraud is rife and costs companies like yours millions.
Implementing the authentication standard DMARC (Domain-based Authentication Reporting and Conformance) to block bad email before it reaches consumer inboxes is a great first step. But DMARC alone isn’t enough, protecting your brand from only 30% of email-borne attacks.
We tapped into the Return Path Data Cloud and analyzed more than 760,000 email threats associated with 40 top global brands over the course of 2 months to understand how fraudsters circumvent email authentication mechanisms like DMARC.
[Matt] Email Fraud is on the rise and it’s costing companies millions.
Additional stats: More than 400 brands are phished each month (Anti-Phishing Working Group) Every day, beyond your control, cybercriminals send emails that spoof your brand, targeting your customers, partners, and suppliers with malicious content. As a result, customers lose trust in your brand, and your company loses business.
[Matt] Second there is a revenue impact. Email fraud has a dramatic impact on the trust your customers have in your brand. It also reduce the effectiveness of email that is legitimate. A great data point from Cloudmark here: customers are 42% less likely to interact with a brand after being phished or spoofed.
While consumer fraud losses, increases in cyber insurance premiums, investigation and remediation costs are key drivers in justifying the investment in a solution, the more significant damage is the erosion of trust in your brand and potential loss in customer loyalty. After falling victim to email fraud, the trust your consumers have in your brand will be negatively impacted and this will ultimately affect their buying decisions. Phishers can erase years of goodwill in a second by exploiting that trust, but only if you let them. As a result, customers lose trust in your brand, and your company loses business.
[Matt] So why is email the chosen threat vector? Because it is so easy to abuse as a channel.
Think about this: 97% of people globally cannot correctly identify a sophisticated phishing email. And here is why. Lets look at the all the different aspects of an email that fraudsters leverage to target victims.
[Ash] - go through these at a high level.
It is best practice to authenticate all legitimate email streams so your organisation can address direct domain spoofing attacks with DMARC.
SPF allows the owner of a domain to specify which mail servers they use to send messages from that domain.
Prevents fraudsters from spoofing the sending domain contained within the “envelope from” (aka mfrom or return path) address. An SPF-protected domain is less attractive to phishers, and is therefore less likely to be blacklisted by spam filters.
DKIM allows an organization to take responsibility for transmitting a message in a way that can be verified by mailbox provider.
Can ensure that the message has not been modified or tampered with in transit. Can help inform how mailbox providers limit spam and spoofing. Not a universally reliable way of authenticating the identity of a sender.
DMARC ensures that legitimate email is properly authenticating, and that fraudulent activity appearing to come from domains under the organization’s control is blocked.
Makes the “header from” address (what users see in their email clients) trustworthy. Helps protect customers and the brand. Discourages cybercriminals are less likely to go after a brand with a DMARC record.
[Ash] Talk through why this phishing email is protected by DMARC.
Then, pass it to Ash with something like, “But, while critical, DMARC doesn’t combat against all phishing attacks. I’ll pass it to Ash to reveal why.”
[ash] We ran some primary research in sept 2014, looking at 18 billion suspicious emails, targeting 11 banks in the UK and the US. And what did we discover? 30% of the attacks came from an email address from a domain that was owned by the bank that leaves 70% that were spoofed in some other ways like display name spoofing. This is REALLY relevant to our solution because we seek to address both: the 30% and the 70%.
We analysed 40 of the top global brands for a period of 2 months (july/August 2015) and looked at fraudulent emails coming from the 70% we covered here.
These are some of the tactics we were able to uncover thanks to email threat data:
1. Snowshoeing is still rife and monitoring IP reputations needs to be part of a multi-faceted email fraud protection strategy 2. Fraudsters do not go to the trouble of rotating elements of their subject lines, preferring a more template-based approach. Access to message-level data from email threat intelligence sources should help you prioritize your efforts around attack mitigation. 3. The most frequently spoofed Header From field is the Display Name, for which there is currently no authentication mechanism. Visibility into Display Name spoofing is critical in identifying and responding to phishing attacks leveraging your brand.
With such a complex threat landscape, you need breadth, depth and speed when it comes to email threat intelligence, and this is what we mean by it: data from mailbox providers, data from security vendors, and data from consumer inboxes to give you a complete pictures of all the threats spoofing your domains (under your control) and your brand (outside your control).
Powered by the Return Path Data Cloud, our proprietary email threat intelligence empowers you to identify threats beyond DMARC — so you can respond to the 70% of email attacks spoofing your brand from domains that you do not control. We use over 100 data feeds from more than 70 providers to detect, classify and analyze data relating to over 6 billion emails every day.
Respond to the 70% of email attacks spoofing your brand from domains that you do not own. DMARC is a great first step, but it’s not a complete solution, protecting your brand from only 30% of email threats. Powered by the Return Path Data Cloud, our proprietary email threat intelligence empowers you to identify threats beyond DMARC. We use over 100 data feeds from more than 70 mailbox and security providers to detect, classify and analyze data relating to over 5.5 billion emails every day. With Email Threat Intelligence, you can: Get insight into email threats, coming from domains that your company does not own (e.g. cousin domains, display name spoofing, subject line spoofing). View redacted message-level samples of fraudulent emails targeting your brand. Identify phishing URLs embedded in fraudulent emails and inform your takedown vendor(s). Integrate intelligence into your existing systems through a RESTful API. Manage all Email Governance and Email Threat Intelligence alerts from a single portal.
[ash] Here is an example of the data we get through
[matt] For this project, we leveraged the Return Path Data Cloud—our proprietary network of over 70 mailbox and security providers representing 2.5 billion email accounts and in-depth behavioral insights from more than 2 million individual consumer inboxes.
DEFINE SNOWSHOEING FIRST: - Just as a snowshoe spreads the load of a person’s weight across a wide area of snow, snowshoe spamming distributes spam from various IP addresses in order to dilute reputation metrics, evade filters, and avoid getting blacklisted. Traditional spam filters struggle with snowshoeing because they may not see enough volume from a single IP to trigger the filter. Therefore, we suspect fraudsters use this technique in large-scale phishing attacks to stay under the radar.
Volume of sample fraudulent emails seen Attack size HUGE: >7,500 LARGE: >2,500 MEDIUM: >500
[matt] In the majority (62.69%) of email threats, fraudsters spoof elements of the Header From field, the most popular being the Display Name field (for which there is currently no authentication).
It’s time to unite against email fraud… And here are some of the leading brands out there at the forefront of this initiative (next slide)
So how can Return Path help you? Defend Your Customers Detect and block all fraudulent emails spoofing your domains and brand before they hit consumer inboxes Prevent loss of sensitive customer data by eliminating malicious emails Defend Your Brand Bolster malicious URL takedown efforts with real-time email threat detection Preserve your organization’s reputation without impacting deliverability of legitimate emails Defend Your Bottom Line Reduce spend on fraud reimbursements, phishing remediation and customer service costs Build trust in the email channel and and secure marketing-generated revenue
Here is a great quote from Aviva’s CISO Bryan Littlefair on why it is the CISO’s responsibility to protect the brand, in collaboration with Marketing.
How Cybercriminals Cheat Email Authentication
Webinar: How Cybercriminals Cheat
September 29, 2015
• Follow us on Twitter @StopEmailFraud.
• Use our hashtag #BeyondDMARC.
• Please type in your questions using the chat box.
• Yes! We’ll send you a recording.
• The Email Fraud Problem.
• Email Authentication Best Practices.
• Real-time Insights into All Email Attacks.
• Tactics Fraudsters Use to Cheat Email Authentication.
• Unite Against Email Fraud.
Email Fraud Is on the Rise
5 out of 6 big
are targeted with
Phishing costs brands
worldwide $4.5 billion
a phishing attack
Email fraud has
up to a 45%
Source: EMC, Google
Hard Cost Impact
Fraud Losses Malware Infection Investigation Remediation
• Reduced trust in brand:
• Customers and subscribers don’t know what to trust
• Reduced effectiveness of email:
• Consumer mailbox providers don’t know what to trust
Customers are 42% less likely to interact with a
brand after being phished or spoofed.
to: You <email@example.com>
from: Phishing Company <firstname.lastname@example.org>
subject: Unauthorized login attempt
We have recieved noticed that you have recently
attempted to login to your account from an unauthorized
As a saftey measure, please visit the link below to
update your login details now:
Once you have updated your details your account will
be secure from further unauthorized login attempts.
The Phishing Team
Making an email
look legitimate by
company name in
the “Display Name”
delivering the email
to the inbox by
address hidden in
the technical header
of the email.
language in the
body of the email.
Making an email
appear to come
from a brand by
using a legitimate
company domain, or
a domain that looks
like it in the “from”
subject lines to drive
recipients to open
Including links to
that prompt users to
Anatomy Of A
Email Authentication Keeps Bad Email Out
Authenticating email helps ensure your legitimate messages reach
your customers, and malicious messages don’t.
There are three key authentication protocols to know:
1. SPF (Sender Policy Framework)
2. DKIM (DomainKeys Identified Mail)
3. DMARC (Domain-based Message Authentication Reporting &
How DMARC Works
Email received by
Has DMARC been
implemented for “header
Does email fail
Control & Visibility
The Return Path Data Cloud
Contactually Molto ParibusGetAirHelp
Message Finder UnsubscriberOrganizer
· Consumer inbox data
· Email delivery data
· Authentication results
· Message level data
· SPAM trap & complaints data
· Domain-spoofing alerts
· Brand-spoofing intelligence
· Suspicious activity map
· Fraudcaster URL feed
· Sender Score: IP reputation
Use to Cheat Email
Tapping Into the Return Path Data Cloud
• 40 day period (July and August
• Analyzed over 240 billion emails
from more than 100 data feeds.
• Identified over 760,000 email
threats targeting 40 top brands.
Tactic 1: Snowshoeing
• No discernible pattern to suggest
that the biggest phishing attacks
are launched on distributed IP
• But 22 of the 76 medium-sized
attacks were sent from
• Assessing IP reputations should
continue to provide value.
Tactic 2: Subject Line Spoofing
The minority of serialized subject
lines we did find fell under four
1. Social media scams
2. Account security
3. Calls to action with reference
4. HR Scams
Tactic 2: Subject Line Spoofing
• Urgency is a key theme in subject
• Fraudsters prefer a template-based
Tactic 3: Display Name Spoofing
• In the majority of email threats, fraudsters spoof elements of the
Header From field.
• Nearly half of all email threats spoofed the brand in the Display Name.
Unite Against Email
Tips for defending your customers,
your brand, and your bottom line.
#1: Authenticate Your Email
DMARC (Domain-based Message Authentication Reporting & Conformance):
• DMARC prevents domain-based spoofing by blocking fraudulent
activity appearing to come from domains under your control.
• DMARC provides an email threat reporting mechanism (aggregate
and forensic data).
• Use our DMARC Check Tool to query your domain's record and
validate that it is up to date with your current policy:
“Simply put, the DMARC standard works.
In a blended approach to fight email fraud,
DMARC represents the cornerstone of
technical controls that commercial senders
can implement today to rebuild trust and
retake the email channel for legitimate brands
Edward Tucker, Head of Cyber Security for
Her Majesty’s Revenue & Customs
#2: Get Visibility Into Email Threats
Email Threat Intelligence is the only way to:
• Address the 70% of email attacks that spoof your brand using
domains your company does not own (brand spoofing).
• Get visibility into all types of email threats targeting your brand
Defend Your Customers, Brand, and Bottom Line
Detect & block fraudulent emails
spoofing your brand before they
hit consumer inboxes
Bolster malicious URL takedown
efforts with real-time email
Reduce spend on fraud
remediation, and customer
“If you boil the jobs down of [IT security
professionals], they are ultimately tasked with
protecting the brand…
If you have a breach, research suggests that
60% of your customers will think about moving
and 30% actually do.”
Bryan Littlefair, Global Chief Information
Security Officer, Aviva