Top Five Ways to Avoid Email Spoofing Attacks
- Written by Guy Hanson, Vice President Customer Engagement at Validity Inc.
COVID-19 has had an immense impact on the email landscape, and in particular on email marketing. Email send volumes have increased dramatically thanks to businesses turning to email as their preferred channel to interact with customers during uncertain times. And with the onset of the Omicron variant, this heavy reliance on email is unlikely to ease any time soon.
Unfortunately, in tandem with increased send volumes, the number of domain spoofing attacks has also grown significantly, with scammers capitalising on the chaos caused by the pandemic. In fact, during the height of the pandemic in 2021, spoofing attacks were up 220% compared to the yearly average.
Spoofing is the forgery of the identity of an email sender, so the message looks like it comes from a legitimate source. While this may sound simple, it’s a complex issue that can challenge even the most experienced marketing professionals. There are various forms of spoofing, with the most common attack style being domain spoofing – an attack where scammers use a reputable brand name to mislead subscribers into providing personal or sensitive data.
How seriously should marketers take spoofing?
Research shows that 90% of cyber-attacks start with an email, so it’s email marketers’ job to protect subscribers. Spoofing attacks have far-reaching impacts beyond potentially harming subscribers. They also pose significant risks to brand reputation and subscriber trust, can decrease revenue, and damage deliverability, all of which I’ll discuss in more detail below.
Reputation loss. To be a successful business, building and maintaining subscriber trust is vital, as it’s trust built over time that builds a positive brand reputation and encourages customers to share their personal information. Scammers try to capitalise on the trust established by businesses by imitating their branding, logos and language. To protect subscribers and help ensure they continue sharing valuable data with you, marketers need to do everything possible to ensure safe online interactions. Failure to do so will result in subscribers losing trust in your brand and being less likely to engage with legitimate content you send - 42% less likely according to InfoSec.
Revenue loss. Unsurprisingly, a loss in brand reputation and trust can rapidly translate into a loss in revenue. The 2019 Thales Access Management Index found that domain and website spoofing led to $1.3 billion in losses in a single year. This doesn’t take into account the additional costs incurred investigating and managing attacks, or the upgrades and training that follow them.
Deliverability. Spoofing attacks can also impact email deliverability and placement within the inbox, as customers are less willing to open a marketing email after experiencing an attack. Furthermore, the mailbox provider (MBP) may register your legitimate message as spam following an attack and fail to deliver it entirely. Validity found that following a spoofing attack, inbox placement and read rates dropped significantly for MBPs including Gmail and Yahoo.
How can marketers avoid spoofing?
Authenticate. The best way to prevent attacks is through email authentication. Authentication refers to a range of protocols such as SPF, DKIM and DMARC that mailbox providers and security vendors use to verify that a message really comes from a source the sending domain has authorised.
SPF works by publishing, in the domain’s DNS, which IP addresses are authorised to send emails on behalf of that domain. If your IP address is listed, the MBP’s security mechanisms will be less likely to identify your email as spam. But if a spammer forges an email from an unknown IP address, the SPF check fails because of its unauthorised origin. One caveat practitioners should know: SPF checks the domain in the envelope sender (the MAIL FROM / Return-Path address), not the visible “From” header, which is why DMARC alignment (below) is needed to stop exact-domain spoofing.
DKIM is an authentication process that adds a cryptographic signature to each email sent, verified against a public key the signing domain publishes in DNS. MBPs, filtering companies and antispam vendors then use DKIM to identify whether the email has been altered or corrupted in transit. MBPs that successfully validate the signature can use information about the signer to protect recipients from spoofing and phishing attempts in future.
You can think of SPF and DKIM as the building blocks that need to be in place first so that DMARC can work its magic. DMARC addresses exact-domain spoofing and phishing attacks by preventing unauthorised use of a domain in the “From” address of email messages. Importantly, DMARC allows senders to choose how unauthorised or suspicious content should be treated by the MBP, i.e. whether to take no action, send the message to the quarantine folder, or block it completely.
Without implementing SPF or DKIM first though, a business can’t publish the DMARC record that provides instruction to participating MBPs to quarantine or reject fraudulent traffic.
Monitor for fraudulent activity. DMARC isn’t a set-and-forget exercise. Businesses need to continually monitor for new threats, which can be a time-consuming task. Fortunately, there are tools like Everest’s ‘Infrastructure’ module, which enable users to proactively stay on top of blocklists, spam traps, and other critical reputation signals.
Implement BIMI. It’s well established that when recipients recognise the brand sending an email, they’re much more likely to open the message, with ‘recognising the sender’ the primary driver (68%) of opens. Once DMARC is in place (as explained above), marketers can also implement Brand Indicators for Message Identification (BIMI). BIMI automatically displays your logo next to your emails in recipients’ inboxes, indicating to them who it is from and that it is safe to open – boosting recognition and likelihood to engage.
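The following is an added example, not code from the article or from Validity/Everest, showing how the pieces described above fit together on the receiving side: an SPF check on the sending IP, DMARC alignment and policy lookup for the visible “From” domain, and the DMARC-enforcement prerequisite for BIMI. It uses a constructed in-memory DNS table (domains `example.com`, `attacker.example`, `monitor.example` and their records are all made up) instead of real lookups, supports only the `ip4`/`ip6`/`all` subset of SPF, and approximates relaxed alignment with a subdomain test rather than the Public Suffix List.

```python
"""Added example: SPF, DMARC and BIMI evaluation over a constructed DNS table (runs offline)."""
import ipaddress

# Constructed DNS TXT records. Real records live in DNS; these are illustrative only.
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"],
    "default._bimi.example.com": ["v=BIMI1; l=https://example.com/logo.svg"],
    # A spoofer's own domain: valid SPF for its own IPs, but no DMARC or BIMI.
    "attacker.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    # A domain still in DMARC monitoring mode (p=none).
    "monitor.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed table."""
    return FAKE_DNS_TXT.get(name, [])


def spf_check(domain, sender_ip):
    """Evaluate a minimal SPF record (ip4/ip6 mechanisms and the 'all' qualifier only).
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no single valid record)."""
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    if len(records) != 1:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual = "+"  # mechanisms default to '+' (pass) when unqualified
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return qualifiers[qual]
        if mech == "all":
            return qualifiers[qual]
        # include/a/mx/exists are not modelled here; real evaluators must handle them.
    return "neutral"


def parse_dmarc(domain):
    """Return the DMARC record's tags as a dict, or None if the domain publishes none."""
    records = [r for r in lookup_txt(f"_dmarc.{domain}") if r.startswith("v=DMARC1")]
    if len(records) != 1:
        return None
    tags = {}
    for part in records[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def aligned(domain, from_domain, mode):
    """DMARC identifier alignment. Strict ('s') needs an exact match; relaxed ('r') is
    approximated here by allowing subdomains instead of a Public Suffix List lookup."""
    domain, from_domain = domain.lower(), from_domain.lower()
    if domain == from_domain:
        return True
    return mode == "r" and (domain.endswith("." + from_domain) or from_domain.endswith("." + domain))


def dmarc_disposition(from_domain, mail_from_domain, sender_ip, dkim_domain=None):
    """Apply DMARC to one message. from_domain is the visible From header domain,
    mail_from_domain the envelope sender, dkim_domain the d= of an already-verified
    DKIM signature (None if no signature verified). Returns (result, disposition)."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return ("none", "none")  # no record: the receiver has no instruction to apply
    spf_ok = (spf_check(mail_from_domain, sender_ip) == "pass"
              and aligned(mail_from_domain, from_domain, policy.get("aspf", "r")))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy.get("p", "none"))  # p=none / quarantine / reject (pct sampling not modelled)


def bimi_eligible(domain):
    """BIMI requires DMARC at enforcement (p=reject, or p=quarantine with pct=100)
    plus a BIMI record at default._bimi.<domain>."""
    policy = parse_dmarc(domain)
    if policy is None:
        return False
    enforced = policy.get("p") == "reject" or (
        policy.get("p") == "quarantine" and int(policy.get("pct", "100")) == 100)
    has_bimi = any(r.startswith("v=BIMI1") for r in lookup_txt(f"default._bimi.{domain}"))
    return enforced and has_bimi


if __name__ == "__main__":
    # Legitimate mail from an authorised IP passes; a spoofed From with the attacker's
    # own (SPF-valid) envelope domain still fails alignment and is rejected.
    print(dmarc_disposition("example.com", "example.com", "192.0.2.10"))
    print(dmarc_disposition("example.com", "attacker.example", "203.0.113.5"))
    print(bimi_eligible("example.com"), bimi_eligible("monitor.example"))
```

The second `dmarc_disposition` call is the case the SPF caveat above describes: the spoofer’s envelope domain has a perfectly valid SPF record, so SPF alone says “pass”, but because that domain does not align with the forged “From” domain, DMARC fails the message and the domain owner’s `p=reject` policy applies.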
Beware of new tactics. Unfortunately for businesses, scammers are continually coming up with new ways to launch spoofing attacks, which marketers need to stay on top of. For example, a tactic we’re set to see more of this year is email bombing. This occurs when scammers access personal data and immediately subscribe the compromised address to hundreds of email programs. The sudden bombardment of emails creates a diversion, burying the genuine alert emails informing customers that their information has been stolen.
Articles like this one provide steps on how to prevent email bombing, and marketers should subscribe to a number of trusted information sources to keep on top of these trends and protect their customers.
Educate customers. A less technical but equally important way marketers can help ensure their customers don’t fall victim to spoofing attacks is through education. Banks do this well, regularly reminding customers that they won’t ever send an unsolicited request for personal data and will always include in their emails some unique personal detail that fraudsters would be unlikely to have access to. Marketers should devise their own communications explaining what they will and won’t ask customers for, and the red flags to look out for.
Senders often aren’t aware of spoofing attacks until it’s too late, so implementing email authentication before an attack takes place is crucial. While the steps outlined above may sound like a lot of work, an email success platform like Everest will simplify the process and present the information in an easy-to-read dashboard.
With more than three billion domain spoofing emails sent every day, marketers simply can’t afford to risk hard-earned subscriber trust and brand loyalty by failing to protect their email programs. So use the beginning of a new year to secure your email program and avoid headaches down the road.