
Phishing — All That Your Brand Stands to Lose

DQI Bureau

Cyber-attacks on global brands such as eBay, PayPal and Amazon receive prominent media coverage. By masquerading as a trustworthy entity, hackers attempt to obtain confidential information, such as usernames and passwords, from unsuspecting targets through an electronic communication. Commonly known as "phishing," this practice is typically carried out through "email spoofing," and, with growing frequency, these hackers are not just targeting eminent brands but are also increasingly targeting SMBs.


As larger organizations fortify their guard by adopting security strategies to prevent these attacks, hackers are just moving on down the road to greener pastures, and softer targets.

India has emerged as the fourth most targeted country for phishing attacks, receiving 3% of the total attack volume, according to a recent Fraud Report. In terms of phishing attacks on brands worldwide, India ranks third with a 7% share of the total volume. Phishing attacks have set Indian enterprises back by approximately Rs. 328 crore.

Therefore, it is essential for any organization to safeguard itself from such risks. Smaller businesses tend to ignore these crimes because they assume they are not big enough to attract hackers' attention, and therefore do not proactively plan their security strategies. Contrary to that assumption, hackers give little thought to the size of a company when selecting targets; they think only in terms of vulnerability.


They can get plenty of loot by mounting a series of attacks on vulnerable small and medium-sized businesses, and can then use that data to launch an attack against a larger target. In the meantime, they have collected your employee and customer data, banking information and passwords, and compromised your brand.

Hackers are extremely skilled at using spoofing to create an email message that appears to come from a sender who is known to the recipient or otherwise trustworthy, and so trick the recipient into opening it. They simply edit the sender address to make the message look like it came from the "sender's" email account, so that when it is opened it can infect the recipient's system with malware, or provide a pathway for the hacker to steal credit card data, passwords and other personal and financial information.

Hackers are able to attack the recipient's system only because email, by default, does not authenticate the sender. This makes it possible for any criminal to send an email claiming to be from your organization. According to a recent report by Frost & Sullivan, 83 percent of companies in India are plagued by internal security breaches relating to loss of data or confidential information. Of these, phishing is considered the major form of cyber-attack, accounting for 50 percent of the total.


The report further states that while 42 percent of Indian enterprises face huge financial losses due to internal security breaches, 35 percent have to deal with problems of intellectual property rights.

In order to tackle this concern, 15 email service providers, financial firms and message security companies, including AOL Inc., Google Inc., Microsoft Corp., Return Path and Yahoo Inc., founded DMARC.org, a working group to create standards that reduce the threat posed by phishing, spam and other messaging abuses. DMARC (Domain-based Message Authentication, Reporting and Conformance) standardizes the way recipient email servers perform email authentication using SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

Many big organizations, including Twitter, Amazon, eBay, Facebook and PayPal, have chosen DMARC to combat phishing and have been quite successful with it. According to DMARC.org, Outlook.com reported a 50 percent drop in reported phishing in 2013, due in part to DMARC, and more than 25 million email messages spoofing PayPal were rejected during the 2013 holiday buying season.

DMARC gives senders visibility into whether their email is authenticated: proof that a message really originates from your own domain and not from some unauthorized or illegal site. Without DMARC there is no such visibility, and senders remain unaware of authentication problems because they have no way to get feedback about potential email spoofing, or to tell receivers what to do with those emails, whether to block them or to quarantine them.

As hackers move to easier targets, it is imperative for businesses of all sizes to protect their brands from such threats by adopting DMARC. Although most people today know not to open questionable attachments or click on suspicious links, spoofers have become so good at what they do that their targets can easily be fooled into believing an email is legitimate.


As a brand, it is important to protect your email and prevent others from spoofing it, because spoofing lets down your customers, who will stop trusting any of your company's email. This exposes the company as a whole to costly risk. By adopting DMARC, you can protect your customers against email spoofing, ensure they are getting your brand's legitimate messages, and help them trust that when a message from your company appears in their inbox, it is a valuable email.

As you adopt DMARC, it is also important to have your third-party marketing vendors, who send marketing pieces such as newsletters to your customers on your behalf, set up SPF and DKIM for the mail they send for you.
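To make concrete what the receiving side does with a DMARC record (the "block or quarantine" decision above) and why a third-party vendor must sign with your domain, here is an added example: a minimal DMARC policy evaluator in Python. It is not code from the article or from DMARC.org; the record text, the domains, and the helper names (`parse_dmarc`, `dmarc_disposition`) are all constructed for illustration, and `org_domain` uses a two-label shortcut where real receivers consult the Public Suffix List.

```python
# Added example (not from the article): a minimal DMARC policy evaluator.
# Input: the domain's DMARC TXT record plus the SPF and DKIM results a receiving
# server has already computed. Output: DMARC result and the action the record asks for.

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict, filling in RFC defaults."""
    tags = {"p": "none", "sp": None, "adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags["sp"] = tags["sp"] or tags["p"]      # subdomain policy defaults to p
    return tags

def org_domain(domain: str) -> str:
    # Simplified: keep the last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s') needs an exact match."""
    if not auth_domain:                        # that mechanism did not pass at all
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str, spf_pass_domain, dkim_pass_domain):
    """Return (result, action): result is 'pass' or 'fail'; action is none/quarantine/reject.

    spf_pass_domain: envelope (MAIL FROM) domain for which SPF passed, or None.
    dkim_pass_domain: d= of a DKIM signature that verified, or None.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags["aspf"])
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:                      # DMARC passes if either aligned mechanism passes
        return "pass", "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return "fail", tags["sp"] if is_subdomain else tags["p"]

# Constructed sample record: enforcing policy with aggregate reports enabled.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

if __name__ == "__main__":
    # Newsletter vendor mails from its own bounce domain but DKIM-signs with d=example.com: pass.
    print(dmarc_disposition(RECORD, "example.com", "bounce.vendor.example", "example.com"))
    # Spoofed message: SPF only passes for an unrelated domain and there is no DKIM: reject.
    print(dmarc_disposition(RECORD, "example.com", "unrelated.example", None))
```

Swap `p=reject` for `p=none` in `RECORD` and the spoofed message is still reported via `rua` but delivered, which is the monitoring-only state the article warns has no protective effect.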

Email has always been a vital communication tool for businesses, helping them maintain existing customer relationships and develop new ones. Unfortunately, it is also a widespread target for cybercriminals seeking to cause irreparable damage to a brand. Any time a successful technology is adopted, it breeds creativity in criminals.

As DMARC becomes more widely adopted, not just by large organizations but also by small and medium-sized businesses, cybercriminals will look for other areas to exploit. Are you responsible for ensuring that emails sent on behalf of your company are legitimate and not coming from a spoofer? Do you have a fiduciary responsibility to customers who are negatively impacted by a spoofer's email appearing to be from your company? Let's assume you are a nation state issuing currency to be used by citizens. Is the government responsible for ensuring the currency cannot be easily counterfeited? If the answer is yes, then the same goes for your corporate email, too.

It is essential to prevent spoofers from undermining a customer's trust in your brand. DMARC must therefore be adopted and email authentication standards implemented. It is only through these measures that an organization can avoid cyber-attacks and strengthen its brand promise.
