Don't look now, but a growing number of phishing attacks are luring in your customers—by impersonating your brand.
As if all the spear-phishing attacks against your company weren't bad enough, just wait until you see the scams targeting your customers with email messages appearing to come from your brand.
With impersonation attacks surging in recent months, some are wondering: Is DMARC email security really the answer?
The Imitation Game
According to press reports, there have been more than 12,000 unique phishing attempts impersonating brands like Netflix, Citibank, Booking.com, Alaska Airlines and others just since May. Fake trip alerts, World Cup tickets and "security incident" ploys have figured prominently in these fraudulent messages.
In the UK, TSB saw a 70X increase in brand impersonation attempts after the bank suffered a major technical glitch while migrating customer accounts to a new platform. Messages purporting to come from the bank targeted concerned customers about their accounts. More than 1,300 customers fell for the tactic, with some customers reporting as much as £20,000 stolen from their accounts.
While social media has seen an 11X increase in such attacks since 2014, 80% of all malicious impersonation cons focus on your most valuable outbound communications channel: email.
Over the last few years, Domain-based Message Authentication, Reporting and Conformance (DMARC) has emerged as an effective way for brands to prevent fraudsters from spoofing their domains for these kinds of phishing attacks.
But that's only if it's done right.
From Trust to Dust
For all the excitement sparked by channels like social media, SMS and instant messaging, email still reigns supreme as the one indispensable customer communications channel.
According to McKinsey, email is 40X more effective at acquiring new customers than social media. And 72% of consumers say they prefer email as their primary mode of communication with businesses. In all, companies generate an ROI of $44 for every $1 spent—by far the highest of any digital medium.
But its effectiveness is dependent on one thing above all else: trust.
Think about it. From collecting and storing contact info, to carefully nurturing the content and cadence of email outreach, to prompt and efficacious customer support, email is the digital lifeblood of customer relationships built on credibility and respect.
But it's all vulnerable to cybercriminals posing as your brand to fool customers into making fraudulent payments or revealing sensitive information—including login credentials for banking, healthcare, retail and more.
When word gets out, who will these victims blame? Whose emails will customers avoid because of bad publicity?
Think your brand is safe? Think again.
DMARC to the Rescue?
The fact is, 90% of all companies have experienced domain name fraud or unauthenticated email traffic over the last six months—whether they know it or not, according to a new report from Agari and Farsight Security. That includes 92% of the Fortune 500.
That's where DMARC-based email security comes into brand protection efforts. For those unfamiliar with the term, DMARC is an open standard that helps ensure only authorized senders can use an organization's domain name in emails, driving down phishing rates to near zero.
DMARC is designed to authenticate outbound emails claiming to come from your company, across the entire email ecosystem. That includes various business units, third-party vendors, email distribution partners—and threat actors looking to exploit your carefully tended brand equity.
The problem: Only 27% of global firms that have adopted the standard are using it to enforce anti-impersonation schemes.
Even fewer use the kind of advanced machine learning needed to make full use of DMARC to detect and disrupt phishing emails that leverage the domains they own—or the globally-crowdsourced threat intelligence required to protect against the use of lookalike domains they don't.
Even worse? A full 90% of all Fortune 500 companies have zero protection against any of these kinds of attacks at all.
Protecting the Extended Perimeter
Throughout this series, we've been discussing identity as the new perimeter for cybersecurity. When it comes to brand protection against outbound malicious impersonation, this perimeter extends far beyond a business's four walls, right into their customers' homes, businesses, even their pockets.
Of course, whether the current surge in identity deception-based attacks will accelerate adoption of DMARC-based email security remains to be seen.
But with phishing attacks expected to contribute to more than $12 billion in losses in the US this year, we'd all better hope those that don't will find some other way to protect their company and their customers.
Identity is the New Perimeter (Final of a 4 Part Series)Previous blog in the Series
To learn more about DMARC email security and best practices for preventing outbound brand impersonation attacks, download an exclusive guide, 'Getting Started with DMARC,' here.
