
By Robert Holmes, General Manager of Email Fraud Protection at Return Path

IT security stories are increasingly in the news. Hacking, data theft and the importance of protecting information are constant topics in daily news outlets. Email marketing remains one of the most valuable channels on the internet, yet it is also one of the most exposed to abuse and malicious attacks.
These attacks, which aim to obtain sensitive and valuable data, can do great damage to companies: fraud losses, call center costs, remediation costs and a shrinking customer base. One of the most common attacks on the web is phishing; to give an idea of its reach, around 55% of UK and US companies have already fallen victim to it. With that in mind, Return Path has outlined guidelines and best practices that help protect companies and their customers from becoming victims of these scams.
The first misconception that companies and individuals have is that phishing emails are always easy to spot because of bad spelling or obvious errors in the message. That may hold for the crude messages some phishers send to probe which recipients are susceptible, but in most cases malicious emails are accurate, polished and sophisticated, and therefore very convincing.
From brand design and tone of voice to the small print[i], phishing messages are crafted to look as legitimate as possible in order to trick people. Business defenses therefore need to be as comprehensive, as accurate and as sophisticated as the threat. Companies should focus on multi-layered solutions that eliminate the problem where possible and reduce the impact of an attack as quickly as possible.
What can companies do to protect their brand and customers?
1. Email authentication and governance: this is the first line of defense against any phishing attack. Authenticating all outgoing mail with DKIM (DomainKeys Identified Mail)[ii] and SPF (Sender Policy Framework)[iii] is the only way to validate your sending identity and to give mailbox providers a basis for blocking unauthenticated messages. These authentication standards give providers solid proof that your email is legitimate, something anti-spam filters alone do not always get right: we have seen obvious phishing attacks get past ISP filters, and in one case less than 7% of the fraudulent messages were identified.
2. Implement DMARC: DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy specification that tells providers what to do with messages claiming to come from your domain that do not pass authentication. By publishing a DMARC policy, companies declare that their legitimate mail is protected by DKIM and SPF and tell providers whether to monitor, quarantine or reject mail that is not. DMARC removes the guesswork on the provider's side and, once the policy is enforced, removes the impact of phishing that spoofs your exact domain (lookalike domains are not covered, which is why the monitoring and education steps below still matter).
3. Preventive blocking: establish and enforce blocking policies with the major email providers so that phishing attacks are stopped before they ever reach users. When a brand registers its sending domains with an authentication registry, providers can block all unauthenticated messages that leverage those domains.
4. Proactive protection: companies must monitor their email flows to gain full visibility of threats. DMARC provides companies with reports from receiving providers on which messages sent under their domains passed or failed authentication, and from where, creating a clear picture of mail that could be fraudulent. Domain-security tooling that turns those reports into real-time alerts lets companies learn of suspicious messages in their email streams as they appear. The sooner an attack is identified, the better: the decisive period of an attack is its first hours, when people are most likely to respond.
5. Education: Companies should publish notices and guidelines stating how they will communicate with their customers, for example that account information is never requested by email.
6. Preparation: Companies should have a plan in place for dealing with phishing messages that spoof their domains. This may include:
  • Establishing a “rapid response team” with clearly defined responsibilities for dealing with the aftermath of an attack;
  • Creating external and internal communication templates for customers and employees that can quickly be adapted to the specifics of an attack and distributed;
  • Working with a takedown company to ensure that all phishing sites related to the attack are disabled;
  • Notifying customers that the brand is being phished and what they should watch out for;
  • Notifying local and national authorities (or the applicable legal body) of the crime;
  • Participating in a trusted sender registry, so that email providers can block unauthenticated messages that use your domain.
7. Align marketing and IT security teams: Marketing and IT teams can and should work together to better protect the company and its customers from phishing attempts and attacks. IT security personnel have good insight into traffic and activity monitoring and stay up to date on any fraud or threat that poses a business concern. The marketing team, which crafts the email campaigns, knows exactly which messages are legitimate and what users engage with; it also has an overview of all the domains the company uses, so it can quickly identify which domains were misused in an attack. With both teams working together and sharing knowledge, perspectives and experience, companies have the means to better plan for, identify and respond to the increasingly complex threats present today.
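Items 1 to 4 describe the mechanism in words; the following is an added example, not code from the original article or from Return Path, that makes it concrete. It parses a published DMARC TXT record, evaluates SPF and DKIM alignment the way a receiving provider does (including the case where an attacker's own SPF and DKIM both "pass" but for a domain that does not align with the From: domain), and then runs that evaluation over a constructed DMARC aggregate report so the unauthenticated sources stand out for the alerting described in item 4. The domains brand.example and phisher.example, the IP addresses and the report contents are constructed for the example; the organizational-domain rule is simplified to the last two labels, where real receivers consult the Public Suffix List.

```python
# Added example (not Return Path's code): evaluate DMARC alignment the way a
# receiving provider does, then run that logic over a constructed DMARC
# aggregate (RUA) report so unauthenticated sources using the domain stand out.
import xml.etree.ElementTree as ET


def parse_dmarc_record(txt: str) -> dict:
    """Parse a published DMARC TXT record ('v=DMARC1; p=reject; ...') into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Organizational domain for relaxed alignment. Assumption for this example:
    # the last two labels; real receivers consult the Public Suffix List.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    # Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain.
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_evaluate(header_from, spf_domain, spf_result, dkim_results, policy):
    """Return (dmarc_result, disposition); dkim_results is a list of (d=, result).
    DMARC passes when SPF passes *and* its domain aligns with the From: domain, or
    when any DKIM signature verifies *and* its d= domain aligns. A 'pass' on a
    non-aligned domain (an attacker signing with their own key) does not count."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, policy.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(dom, header_from, policy.get("adkim", "r"))
                  for dom, res in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # p=none means "report only": failing mail is still delivered, so monitoring
    # has to key on the result, not on the disposition.
    return "fail", policy.get("p", "none")


def review_report(report_xml: str) -> list:
    """Re-evaluate every row of an aggregate report against its published policy."""
    root = ET.fromstring(report_xml)
    policy = {el.tag: (el.text or "").strip() for el in root.find("policy_published")}
    findings = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from", "").strip()
        spf = rec.find("auth_results/spf")
        spf_domain = spf.findtext("domain", "").strip() if spf is not None else ""
        spf_result = spf.findtext("result", "none").strip() if spf is not None else "none"
        dkims = [(d.findtext("domain", "").strip(), d.findtext("result", "none").strip())
                 for d in rec.findall("auth_results/dkim")]
        result, disposition = dmarc_evaluate(header_from, spf_domain, spf_result, dkims, policy)
        findings.append({"source_ip": rec.findtext("row/source_ip", "").strip(),
                         "count": int(rec.findtext("row/count", "0")),
                         "result": result, "disposition": disposition})
    return findings


def unauthenticated_sources(report_xml: str) -> list:
    """Rows worth an alert: sources sending as the domain without aligned authentication."""
    return [f for f in review_report(report_xml) if f["result"] == "fail"]


# Constructed sample report (documentation IP ranges, fictitious domains), cut
# down to the elements this example reads.
SAMPLE_REPORT = """
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>brand.example</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
  <record><!-- the brand's own sender: DKIM d= aligns, SPF passes on a subdomain -->
    <row><source_ip>203.0.113.10</source_ip><count>1200</count></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><dkim><domain>brand.example</domain><result>pass</result></dkim>
                  <spf><domain>mail.brand.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- spoofer: SPF and DKIM both 'pass', but for the attacker's own domain -->
    <row><source_ip>198.51.100.7</source_ip><count>5400</count></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><dkim><domain>phisher.example</domain><result>pass</result></dkim>
                  <spf><domain>phisher.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- unsigned mail whose SPF check fails outright -->
    <row><source_ip>203.0.113.20</source_ip><count>40</count></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><spf><domain>brand.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""
```

Calling `unauthenticated_sources(SAMPLE_REPORT)` returns the two spoofing sources with their message counts and the disposition the published p=reject policy would apply, while the brand's own sender passes on both SPF (relaxed alignment of mail.brand.example) and DKIM. The second record is the case worth internalizing: SPF and DKIM can both report "pass" and the message still fails DMARC, because neither authenticated domain is the one in the From: header. Had the record been published with p=none, the same rows would still be reported as failures but delivered, which is the gap between monitoring (item 4) and enforcement (items 2 and 3).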
Phishing attacks that steal information are one of the biggest threats to users' trust today. With the right technology and information, companies can effectively combat increasingly sophisticated attacks. By gaining an overview of their outgoing email flows and applying data intelligence, brands can identify phishing threats and act against them before they have a chance to do serious harm.

[i] The part of an email containing reservations and qualifications, usually set in small type.
[ii] DKIM (DomainKeys Identified Mail) is an email validation system designed to detect email fraud; it lets a receiver verify, through a cryptographic signature, that the domain associated with a message has authorized it.
[iii] SPF (Sender Policy Framework) is an email validation mechanism whose objective is to detect spoofing by checking the sending server against a published list of the hosts authorized to send mail for the domain.
