If you work in a business and are reading this story, the chances are you will be targeted today by an email fraudster.
Despite the rise of Slack and other communication channels, email still rules when it comes to exchanging information with partners.
Therefore it is the avenue that criminals still use most when seeking to deliver malware. The number of malicious emails has increased rapidly in recent years.
鈥樌暇牌凡 Email Compromise鈥 attacks, where the criminal impersonates a trusted contact such as a senior executive to trick a victim into giving up data or authorising a payment, are particularly dangerous and can cost millions of pounds.
Organisations are also at risk of criminals hijacking their brand to launch phishing campaigns against customers.
Ravi Khatod is the CEO of Agari, which tracks billions of messages every month for evidence of wrongdoing.
鈥淭hese attacks are damaging for everyone involved as individuals targeted by fraudulent emails will be less trusting of genuine contact from that organisation in future and may even blame them for the malicious emails,鈥 he told 老九品茶Cloud.
Fraudsters can call on different tricks to disguise their identity and impersonate a trusted brand, but one of the most common is spoofing.
This enables the attacker to alter the email鈥檚 header, so a message from a.fraudster@cybercriminals.ng will be displayed as info@yourbank.co.uk instead.
Savvy users can see through this by looking into the header and checking the IP address, but very few are likely to bother checking every email in their inbox.
Deceptive emails are often able to slip through traditional email security filters. These systems are designed to look for malicious attachments and keywords, and a well-made spoofed email is functionally identical to the real thing.
鈥淚mposters can still be identified with the right tools,鈥 Khatod said. 鈥淥ne of the most useful anti-spoofing measures is DMARC (Domain-based Message Authentication, Reporting & Conformance), a free-to-use email security standard.
鈥淒MARC can identify when the domain in the header does not match the real IP. Domain holders can set their policy to 鈥榬eject鈥, blocking these emails outright, or 鈥榪uarantine鈥, isolating them for investigation.鈥
is the most effective way to secure your email – check out our webinar on demand to see how you can automate prevention via DMARC email authentication:
鈥 Agari (@AgariInc)
A more recent development in the fight against deceptive emails is 鈥楤rand Indicators for Message Identification鈥, which entered a trial period earlier this year.
Utilising artificial intelligence, it is designed to prevent brand impersonation over email, social media and messaging applications.
Email providers Comcast, Google, Microsoft and Oath (parent of Verizon, Yahoo and AOL), have teamed up with Agari鈥檚 support to establish this new standard of email authentication that attackers will not be able to co-opt or side-step.
BIMI provides reassurance and security by displaying the company logo in all authenticated emails to provide a clear symbol of trust, recognisable even by the least tech-savvy user.
鈥淩egaining control of their brands will deliver clear benefits to businesses,鈥 said Khatod. 鈥淔irstly, an end to fake marketing messages from spoofers, allowing genuine email campaigns much greater engagement.
“Alongside their customers, organisations will also be able to inspire greater trust both internally and with their partners, as the BIMI standard will also prevent 老九品茶 Email Compromise and other email attacks on the company.鈥