The Technologies of Trust: Protecting Against Email Fraud and Scams
Email has long been one of the primary methods of attack for cybercriminals. Fighting back against email threats requires human involvement—people need to know the signs of spam or phishing, avoid clicking links and downloading attachments, and treat unusual requests with suspicion.
But user training and awareness—while absolutely necessary—aren’t your only weapons against email threats. Email security protocols help combat many of the major vulnerabilities inherent in email. Today, we’ll discuss a few of these protocols and what they’re meant to combat.
When it comes to email, most of the security frameworks are built to help establish the identity of the sender. Most scammers try to trick people via impersonation. Whether it’s forging a sender address, a sender display name, or masquerading as a legitimate third party like PayPal or a bank, scammers often pose as someone else to accomplish their attacks.
Most underlying email security technologies seek to prevent this by proving the trustworthiness of a sender or an email. Here are some of the policies:
DomainKeys Identified Mail (DKIM) is a protocol that uses cryptography to verify an email was sent from the domain it claims to be from. When an email is sent, the sending server affixes a DKIM signature to the message, computed over both selected headers and a hash of the body. Once the email is received, the receiving server looks up the sender’s public key in the sender’s DNS records and uses it to verify that signature. If the signature is valid, the recipient can be confident the message came from the signing domain and has not been altered in transit.
DKIM also improves the deliverability of your emails. By using DKIM, you reduce the likelihood your emails will be marked as spam by recipients. This keeps your sender reputation high overall and helps your organization continue sending email without getting blocked.
Sender Policy Framework (SPF) also helps make sure an email comes from a legitimate source. SPF lets receiving email servers verify that an incoming email comes from an IP address approved by the domain owner. The receiving server simply looks up the SPF entry in the sender’s DNS records to check whether the connecting IP address is authorized to send for that domain. For instance, if you set up your domain as “example.com,” you would list the IP addresses of your mail server as well as any cloud services that send email on your behalf. This helps prevent unauthorized senders from delivering email claiming to be from your domain. However, by itself, SPF isn’t amazingly powerful. It’s best when used in combination with DKIM and DMARC.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) expands on and works in concert with both DKIM and SPF. DMARC is also placed in the domain’s DNS records, and lets the sender specify which framework they’re using when sending email—SPF, DKIM, or both. It allows the sender to specify how receivers should treat emails that don’t authenticate, including quarantining, rejecting, or deleting them. It also provides reporting back to the sender on the emails that weren’t authenticated, so the sender both knows the health of their email and can see whether there is potential malicious activity using their domain. This allows senders to actively warn users that someone is attempting to phish them using the sender’s domain name. By paying attention to these reports, IT admins can actively protect a company’s email recipients.
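As an added example (not SolarWinds code or any vendor’s implementation), the following Python sketch ties the three records together: it evaluates a constructed SPF record for a sending IP, reads a constructed DMARC record, and applies the DMARC rule that a message passes only when SPF or DKIM succeeds for a domain aligned with the visible From: domain. DKIM signature verification itself is assumed to have already happened (it is passed in as a flag), and all zone data and domains are made up.

```python
import ipaddress

# Constructed DNS TXT records standing in for live lookups (assumed zone data).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record against the connecting IP.
    Handles ip4/ip6/include/all; other mechanisms (a, mx, ...) are skipped."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1 ") or depth > 10:  # no record or include loop
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"

def parse_dmarc(domain):
    """Return the _dmarc TXT record of a domain as a tag dict, or None."""
    record = DNS_TXT.get(f"_dmarc.{domain}", "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else None

def dmarc_disposition(from_domain, mail_from_domain, sender_ip, dkim_domain, dkim_valid):
    """Apply DMARC: a message passes only if SPF or DKIM passes AND its domain
    aligns with the visible From: domain (strict alignment assumed here).
    Otherwise the domain owner's p= policy (none/quarantine/reject) applies."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "none"  # no DMARC published: receiver falls back to local rules
    spf_ok = check_spf(mail_from_domain, sender_ip) == "pass" and mail_from_domain == from_domain
    dkim_ok = dkim_valid and dkim_domain == from_domain
    return "pass" if spf_ok or dkim_ok else policy.get("p", "none")
```

The last case worth trying is a message with a valid DKIM signature from some other domain but a forged example.com From: header; because the signing domain does not align, the published p=reject policy still applies.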
Fighting back against email attacks
These three frameworks help reduce email fraud. IT providers should use all three to help enhance their security postures and do their part in the fight against email scams.
The real challenge with providing good email security, however, is that cybercriminals frequently change their tactics. While these three frameworks work to establish the authenticity of the sending domain, cybercriminals can use other tactics. As a few examples, domain misspellings are common in spam and phishing messages—or someone can sign up for a free cloud email address, pose as a friend, and claim it’s their new email address. Plus, most anti-spam technologies were historically built around rule-based filtering and whitelists/blacklists. This often means filtering programs are a step behind some threats.
SolarWinds® Mail Assure was built using artificial intelligence and machine learning to help prevent email attacks. For example, the technology was built to help catch morphing viruses that may not have previously been discovered. Mail Assure’s proprietary email filtering technology incorporates input from processing large volumes of email data and combines it with both real-time pattern threat recognition and collective threat intelligence to help protect your users against emerging email-borne threats. Plus, Mail Assure’s technology fully supports SPF, DKIM, and DMARC, enabling customers to take every measure possible to help prevent impersonation attacks.