Cybercriminals go where the money is. Banks, credit unions, brokerage and insurance companies, and financial advisors are prime targets for email-borne brand spoofing. Yet, only 8% of financial institutions globally have protected their email domains against phishing and BEC attacks by deploying DMARC. The FBI has estimated that, between 2013 and 2018, BEC attacks generated $12.9 billion is losses globally — with $2.9 billion being stolen from U.S. banks alone. In the past, misspellings, nonsensical information and shoddy design made phishing attacks easier to spot, but today’s networked cybercrime groups produce what look like highly credible, targeted emails that are virtually indistinguishable from authentic emails. These attacks expose financial institutions to legal and financial liability, reputational damage and cybersecurity risks like network compromise, data loss and digital asset exfiltration. DMARC helps financial enterprises prevent these devastating outcomes by protecting email domains from being spoofed in phishing attacks, while also increasing legitimate email deliverability.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the best way for email senders and receivers to determine if a given email is authentic or an illegitimate spoof. Created by PayPal, Yahoo! and Microsoft in 2012, DMARC is an email validation system designed to protect organizations’ email domains from exploitation via email impersonation, phishing scams and other cyberattacks — while also increasing deliverability. By leveraging existing email authentication techniques SPF and DKIM, DMARC strengthens your domain’s fortifications against fraudulent use and adds greater visibility into cyber risk. With DMARC, domain owners are able to increase control of their brand’s online presence and ensure safe communication internally and beyond.
DMARC helps safeguard all channels of communication between your organization, partners and clients. Additionally, DMARC provides the following four value propositions:
Online brand protection:
You don’t need to be one of the world’s most well-known financial brands to have a target on your back. DMARC protects your institution’s integrity and client base by keeping your organization out of criminals’ arsenal of easily spoof-able email domains.
Increased email deliverability:
Legitimate emails with important financial information don’t belong in the spam folder. DMARC authentication signals to email receivers that your organization’s email are authentic, ensuring they’re delivered to the inbox instead of blocked or sent to the junk folder.
A published policy that instructs ISPs and other email receivers to deliver, quarantine, or delete emails:
With DMARC, you can decide if potential abuses of your email domain are reported back to you without further action, quarantined for further review or automatically blocked. The golden standard of DMARC is the “p=reject” policy.
Greater visibility into cyber threats:
Most organizations allow authorized third parties to send email on their behalf. In addition to blocking unauthorized senders, DMARC’s reporting capability enables you to monitor the “good spoofers” that send email on your behalf. This helps ensure compliance with security best practices and aids investigations into email security or phishing issues.
Email is the backbone of professional communication globally. Unfortunately, it’s also the starting point for 95% of cyberattacks. The hard secret of email is that because it is so easy to set up, it’s just as easy for cybercriminals to create fake email accounts that exploit your organization’s email domains. This has allowed cybercriminals to send spam, phishing emails and malware using the brands and identities of the world’s most reputable financial services. In doing so, bad actors inflict direct losses on customers and companies, as well as tarnish brand equity established over years of trustworthy service. Because financial enterprises rely so heavily on credibility and trust, any association with criminal phishing campaigns can be devastating — especially when they could have been prevented by enforcing stricter security standards like DMARC.
While cyberattacks against financial institutions can take many forms, they most commonly start with a type of phishing attack called business email compromise (BEC). The majority of BEC attacks use fake sender identities to pose as trusted financial institutions and their employees, often putting organizations’ actual domain names in the ‘from:’ field of their emails. Under these false pretenses, cybercriminals target customers, partners, the general public and even the organization’s own employees. 80% of financial institutions lack the security technology needed to detect and reject these sophisticated attacks, thus impacting financial institutions’ bottom line by the billions of dollars in previous years. The FBI estimated $12.9 billion in losses as a result of BEC attacks globally in the span of five years.
The financial services industry was the #1 most impersonated industry by phishers in 2019, according to Help Net Security. And it’s not just the big guys that get impersonated — smaller banks are increasingly targeted by cybercriminals as well. The more your brand is targeted for brand abuse by attackers, the more ROI you can receive from a DMARC implementation. DMARC mitigates the financial loss, legal troubles and logistical hassles associated with falling victim to a successful phishing attack — such as reimbursing people who have been defrauded, engaging a fraud team, taking down offending sites, resetting compromised passwords, or bringing in a service provider to remediate. Plus, bad press coverage from a successful brand impersonation can seriously harm brand reputation and lead to loss of business. Given the abundance of banking options available to customers today, no financial institution can afford to leave itself vulnerable to email spoofing. In addition to being an anti-phishing mechanism, DMARC is also a legal compliance tool and a way for marketing teams to increase email deliverability.
Ready to protect your brand? Let’s get started. In order to achieve maximum return on your DMARC investment, financial institutions must complete the necessary steps to implement DMARC correctly. Mimecast embarked on our own journey to enforce DMARC across all of our owned domains in 2020, and the project was documented in a three-part blog series for other organizations to use for reference. A key takeaway: while DMARC is an important aspect of any email security program, it is not a standard that can be deployed, configured, activated and then left alone. Once your organization has successfully achieved a DMARC policy of “p=reject,” it’s crucial that, as with many cybersecurity tools, you establish a program of ongoing monitoring. You may have to tweak your DMARC settings when deploying new, legitimate email senders, for example. Plus, the online threat landscape is not static, so your cyber defenses can’t be either.
