65% of US businesses were the victim of a successful phishing attack, which is 10% higher than the global average. While companies can put in software-based cybersecurity measures and managed I.T. services, which greatly mitigate the risk of damage due to phishing, phishing continues to be a major source of user error-related data breaches. Humans can be tricked much more easily than an anti-malware app. That’s why hackers continue to use phishing as their “go to” method of delivering all types of cybersecurity threats. The FBI saw a 400% increase in cyberattacks this year due to the pandemic.
One of the techniques that phishing attackers use to make recipients believe a phishing email is real is called “email spoofing.” This is when they put a legitimate email address in the “From” area of an email message, but the email is not actually being sent from that company.
For example, your accounting person might receive a strange email purporting to be from your bank asking them to do an account password reset. They look at the email address in the From line, and it’s from the bank’s actual email domain (@name.com address), or at least it appears to be.
This causes them to trust the phishing email and click the link, compromising the company’s bank account details.
Email spoofing can also be done on your own company’s domain. Hackers will use this trick when sending emails to your employees, customers, or vendors.
The use of email spoofing in phishing attacks has become such a problem that Microsoft recently added anti-spoofing measures in Exchange Online Protection.
Using Email Authentication to Combat Email Spoofing
One of the ways that Microsoft’s anti-spoofing protection works is by using email authentication. Email authentication is a series of three protocols that can be applied to any mail server. It verifies that the address in the “From” line is legitimately where the email was sent from.
Emails that don’t make it through the authentication protocols can be sent to a quarantine or spam folder or bounced, depending upon your settings.
Email authentication uses three layers of protection. Each of these three protocols serves a different purpose and they are designed to work together to protect your business from receiving phishing attacks that use email spoofing.
Using authentication for your email can also alert you if anyone is trying to spoof your email domain.
Here’s how email authentication works.
Step 1: SPF (Sender Policy Framework)
The SPF authentication protocol works by adding a TXT record to your domain’s DNS records. It identifies the mail server IP addresses that are allowed to send email for your domain name. When a hacker uses their own mail server to send phishing emails, the IP address of that server is not going to be on the approved IP address list for your email domain, so the message is not going to pass SPF email authentication.
Your approved list of IP addresses that can send email for your company may include:
Your own email server or service (e.g. Microsoft Exchange)
Any third-party apps you use to send email, like Mailchimp or Salesforce
Step 2: DKIM (DomainKeys Identified Mail)
The next step in the process is the DKIM protocol. This one uses a set of keys, one of which resides on your mail server and another that is added to your email’s digital signature.
DKIM ensures those keys match after a message has been delivered, which confirms nothing has been changed during transit. It’s another, deeper double check that lets the receiving mail server know the message was legitimately sent from your mail server and isn’t spoofed.
Step 3: DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC is designed to bring the entire authentication process home by confirming to the mail server whether both SPF and DKIM have passed or not. It can also tell the receiving mail server what to do with the messages. For example, using DMARC, you can relay commands, such as:
Report back all messages that have or have not passed email authentication
Put messages that don’t pass authentication in a quarantine or trash folder
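The three steps above, as a receiving mail server might apply them to a single message (an added example, not code from the original article or from Microsoft). The domain, IP addresses and TXT records are constructed; the DKIM verdict is passed in rather than computed, and alignment is simplified to an exact domain match.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example.com is a placeholder domain).
TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip):
    """Evaluate ip4/ip6/all only; include, a and mx would need live DNS lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the envelope domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return SPF_QUALIFIERS[qualifier]
        elif name.lower() == "all":
            return SPF_QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; empty if not a DMARC record."""
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    return tags if tags.get("v") == "DMARC1" else {}

def disposition(from_domain, sender_ip, mail_from_domain, dkim_result, dkim_domain):
    """Return (spf_result, dmarc_pass, action) for one message.

    dkim_result is an input: checking the signature itself needs the signed
    message and the public key. Alignment is an exact match (simplification).
    """
    from_domain = from_domain.lower()
    spf = spf_check(TXT.get(mail_from_domain.lower(), ""), sender_ip)
    spf_aligned = spf == "pass" and mail_from_domain.lower() == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain.lower() == from_domain
    # DMARC (RFC 7489) passes if at least one aligned mechanism passes.
    if spf_aligned or dkim_aligned:
        return spf, True, "deliver"
    policy = parse_dmarc(TXT.get("_dmarc." + from_domain, "")).get("p", "none")
    action = {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
    return spf, False, action

if __name__ == "__main__":  # spoofed From: example.com sent from an unlisted IP
    print(disposition("example.com", "192.0.2.50", "example.com", "none", ""))
```

The last case in the test mirrors a third-party sender such as a mailing service: its IP is not in the SPF record, but an aligned DKIM pass is enough for DMARC.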