By Mikey Molfessis, cybersecurity expert at Mimecast
Businesses and people around the world have accelerated their adoption of digital technologies since the start of the pandemic.
Digital channels have grown massively, especially in the banking industry.
E-commerce has similarly boomed. FNB data from the first half of 2020 indicated that average e-commerce spend increased by 30% year-on-year, with further growth expected as online retailers increase capacity and access to a greater share of the population.
Greater digitisation = greater risk
While the growth of digital services is a welcome development in a time of heightened health risks, it’s not without its own risks.
Cybercriminals, aware that more people are working and transacting online than ever before, have unleashed a veritable tidal wave of cyberattacks.
In the first 100 days of the pandemic, Mimecast researchers found massive increases in several attack types in South Africa, including:
- Spam (up 46%),
- Impersonation attacks (up 75%),
- Malware (an eye-watering 385% increase), and
- Unsafe clicks by employees (97% increase).
During the same period, more than 115,000 COVID-19 related spoof domains – designed to steal personal information – were taken down.
Organisations have had to step up their efforts at keeping customers safe from cyber threats.
Concerns over impersonation, exploitation
An organisation may suffer lasting brand damage and revenue loss if its customers are successfully targeted by cybercriminals, for example when a sophisticated impersonation attack makes it nearly impossible for the customer to discern the legitimacy of the email communication they receive.
The erosion of trust in the brand means customers may view future legitimate communication as suspicious and not open the email or engage with its contents.
They may even go so far as to create rules in their mailbox to delete all future emails automatically.
This could cause irreparable damage for organisations such as online retailers or government departments that rely on the trust of their customers or citizens to deliver services and function effectively.
In Mimecast’s State of Email Security 2020 Report, 84% of South African respondents stated they were concerned about a web domain, brand exploitation or site spoofing attack.
Seventy-eight percent were concerned about an attack that directly spoofs their email domain.
Unfortunately, most organisations overlook one vital tool: Domain-based Message Authentication, Reporting and Conformance, or DMARC for short.
What is DMARC?
DMARC is an email validation system that is designed to detect when someone is using your domain without authorisation and can be used to block delivery of all unauthenticated mail.
It builds on the existing SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) protocols by adding a critical reporting element and blocking mechanism.
How does it work?
To use a real-world analogy, let’s say there’s a package that needs to be delivered to a recipient at an office park.
Upon arrival, there are two security guards checking the delivery person’s credentials independently, but simultaneously.
The first guard checks the license disk against the license plate and ensures that they are aligned.
The second guard checks the driver’s identification and makes sure it aligns.
The guards then check their policies to establish what action must be taken if either of the checks did not align.
Do they allow the delivery van through, or stop it there? These two checks are comparable to the inbound SPF and DKIM checks at a Secure Email Gateway (SEG).
At the same time, the guards contact the delivery company to let them know that their delivery van came to their premises, and checks were done.
The guards provide results explaining whether the security checks aligned to what was expected or if they failed.
The company is therefore alerted to the possibility that their brand may have been used to fictitiously deliver a parcel. At this point, the delivery company knows if they are under attack.
If the policies that the guards follow allow the delivery through the gates to the recipient, the recipient has another check they can do.
They can call the delivery company and ask what to do with the parcel if the checks were not aligned.
The company can then let the recipient know whether to take no action, to quarantine the package, or to reject it.
The delivery company will now want to know why their package was not delivered and what went wrong.
Was the package compromised while in transit? Did someone clone the delivery vehicle, and if so, where did the cloned vehicle come from if not from the delivery company?
This is where DMARC comes into play. DMARC tells the delivery company what happened to the package or email (SPF was aligned, but DKIM was only partly aligned) by creating a report about the entire process.
DMARC can help organisations identify what went wrong, and guide what corrective measures must be put in place to rectify the issue.
Most importantly, DMARC gives organisations the power to govern their email domains and have visibility over which emails are being sent on their behalf.
This allows security teams to quickly discover and halt any unauthorised emails being sent from their domains, protecting customers from potential exploitation by cybercriminals.
It also gives companies the ability to instruct organisations receiving their mail to reject it if security checks are not aligned.
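The two guards and the policy call from the analogy above, written out as a receiver-side check. This is an added example, not part of the original article or any vendor's code. Assumptions: the SPF and DKIM results are supplied by the caller, a small constructed suffix set stands in for the Public Suffix List, and the pct and sp tags are ignored.

```python
# Added example: DMARC evaluation for one message (simplified RFC 7489 logic).
# Assumption: this constructed, incomplete set stands in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "za", "co.za"}
ACTIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a usable policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ACTIONS:
        return None
    return tags

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_dom, auth_dom, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def evaluate(record, from_dom, spf_pass, spf_dom, dkim_pass, dkim_dom):
    """Return (dmarc_pass, disposition) for one message.

    spf_dom is the envelope-sender domain SPF checked; dkim_dom is the d= domain
    of the verified signature. Both are compared with the visible From domain.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return (False, "no-policy")
    spf_ok = spf_pass and aligned(from_dom, spf_dom, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_dom, dkim_dom, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough for DMARC to pass
        return (True, "deliver")
    # Neither check aligned: the domain owner's published policy decides.
    return (False, ACTIONS[tags["p"]])
```

A message that passes SPF for an unrelated envelope domain still fails DMARC, because the passing domain does not align with the From domain the customer sees. With p=none the same message is delivered and only shows up in the reports.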
In Mimecast’s State of Email Security 2020 Report, only 30% of South African respondents were using DMARC.
However, with the growing digitisation of everyday life, all organisations need to meet their moral obligation to keep customers safe from exploitation by cybercriminals.
DMARC is an underused but highly effective tool in the fight against business email compromise and can help organisations maintain the trust of their customers, partners and suppliers.