Business Daily Media

Top Five Ways to Avoid Email Spoofing Attacks

  • Written by Guy Hanson, Vice President Customer Engagement at Validity Inc.

COVID-19 has had an immense impact on the email landscape, and in particular on email marketing. Email send volumes have increased dramatically thanks to businesses turning to email as their preferred channel to interact with customers during uncertain times. And with the onset of the Omicron variant, this heavy reliance on email is unlikely to ease any time soon.

Unfortunately, in tandem with increased send volumes, the number of domain spoofing attacks has also grown significantly, with scammers capitalising on the chaos caused by the pandemic. In fact, during the height of the pandemic in 2021, spoofing attacks were up 220% compared to the yearly average.

Spoofing is the forgery of the identity of an email sender, so the message looks like it comes from a legitimate source. While this may sound simple, it’s a complex issue that can challenge even the most experienced marketing professionals. There are various forms of spoofing, with the most common attack style being domain spoofing – an attack where scammers use a reputable brand name to mislead subscribers into providing personal or sensitive data.

How seriously should marketers take spoofing?

Research shows that 90% of cyber-attacks start with an email, so it’s email marketers’ job to protect subscribers. Spoofing attacks have far-reaching impacts beyond potentially harming subscribers. They also pose significant risks to brand reputation and subscriber trust, can decrease revenue, and damage deliverability, all of which I’ll discuss in more detail below.

Reputation loss. To be a successful business, building and maintaining subscriber trust is vital, as it’s trust built over time that builds a positive brand reputation and encourages customers to share their personal information. Scammers try to capitalise on the trust established by businesses by imitating their branding, logos and language. To protect subscribers and help ensure they continue sharing valuable data with you, marketers need to do everything possible to ensure safe online interactions. Failure to do so will result in subscribers losing trust in your brand and being less likely to engage with legitimate content you send - 42% less likely according to InfoSec.

Revenue loss. Unsurprisingly, a loss in brand reputation and trust can rapidly translate into a loss in revenue. The 2019 Thales Access Management Index found that domain and website spoofing led to $1.3 billion in losses in a single year. This doesn’t take into account the additional costs incurred investigating and managing attacks, or any upgrades and training needed as a result.

Deliverability. Spoofing attacks can also impact email deliverability and placement within the inbox, as customers are less willing to open a marketing email after experiencing an attack. Furthermore, the mailbox provider (MBP) may register your legitimate message as spam following an attack and fail to deliver it entirely. Validity found that following a spoofing attack, inbox placement and read rates dropped significantly for MBPs including Gmail and Yahoo.

How can marketers avoid spoofing?

Authenticate. The best way to prevent attacks is through email authentication. Authentication refers to a range of protocols such as SPF, DKIM and DMARC that security vendors use to ensure IP addresses are authorised to send emails from approved domains.

SPF works by recording which IP addresses are authorised to send emails on behalf of domains. If your IP address is known by the MBP, security mechanisms will be less likely to identify your email as spam. But if a spammer forges an email, SPF will reject this based on its unauthorised origin as it’s coming from an unknown IP address.

DKIM is an authentication process that adds a digital signature to each email sent. MBPs, filtering companies and antispam vendors then use DKIM to identify whether the email has been altered or corrupted during transit. MBPs that successfully validate the signature can use information about the signer to protect them from spoofing and phishing attempts in future.

You can think of SPF and DKIM as the building blocks that need to be in place first so that DMARC can work its magic. DMARC addresses exact-domain spoofing and phishing attacks by preventing unauthorised use of a domain in the “From” address of email messages. Importantly, DMARC allows senders to choose how unauthorised or suspicious content should be treated by the MBP, i.e. whether to take no action, send the message to the quarantine folder, or block it completely.

Without implementing SPF or DKIM first though, a business can’t publish the DMARC record that provides instruction to participating MBPs to quarantine or reject fraudulent traffic.

Monitor for fraudulent activity. DMARC isn’t a question of set and forget. Businesses need to continually monitor for new threats, which can be a time-consuming task. Fortunately, there are tools like Everest’s ‘Infrastructure’ module, which enable users to proactively stay on top of blocklists, spam traps, and other critical reputation signals.

Implement BIMI. It’s well established that when recipients recognise the brand sending an email, they’re much more likely to open the message, with ‘recognising the sender’ being the primary driver (68%) for opens. By implementing DMARC (as explained above), marketers can also install Brand Indicators for Message Identification (BIMI). BIMI automatically displays your logo next to your emails in recipients’ inboxes, indicating to them who it is from and that it is safe to open – boosting recognition and likelihood to engage.

Beware of new tactics. Unfortunately for businesses, scammers are continually coming up with new ways to launch spoofing attacks, which marketers need to remain on top of. For example, a new tactic we’re set to see more of this year is email bombing. This occurs when scammers access personal data and immediately subscribe the hacked address to hundreds of email programs. The sudden bombardment of emails creates a diversion, burying genuine alert emails informing customers their information has been stolen.

Articles like this one provide steps on how to prevent email bombing, and marketers should subscribe to a number of trusted information sources to keep on top of these trends and protect their customers.

Educate customers. A less technical but equally important way marketers can help ensure their customers don’t fall victim to spoofing attacks is through education. Banks do this well, regularly reminding customers that they won’t ever send an unsolicited request for personal data and will always include some unique personal data that fraudsters would be unlikely to have access to in their emails. Marketers should devise their own communications explaining what they will and won’t ask customers for, and red flags to look out for.

Conclusion

Senders often aren’t aware of spoofing attacks until it’s too late, so implementing email authentication before an attack takes place is crucial. While the steps outlined above may sound like a lot of work, an email success platform like Everest will simplify the process and present the information in an easy-to-read dashboard.

With more than three billion domain spoofing emails sent every day, marketers simply can’t afford to risk hard earned subscriber trust and brand loyalty by failing to protect their email programs. So use the beginning of a new year to secure your email program and avoid headaches down the road.
