The economy is firing on all cylinders today, and so is cybercrime aimed at financial institutions. According to an Agari study, the average number of cyber attacks per banking institution rose to 520 during the first half of 2018, compared to 207 per bank during the same period last year.
While these assaults take many forms, they almost always start with “business email compromise” (BEC) attacks, “phishing,” or other advanced email threats. Eighty percent of financial institutions lack the security technology to detect and block increasingly sophisticated BEC attacks against their employees—let alone those targeting their customers. This has hit banks where it counts: their bottom line. The FBI has estimated that BEC attacks between October 2013 and May 2018 generated $12.5 billion in losses globally, and that in the same period approximately $2.9 billion was stolen from U.S. banks alone. We are all aware of the media firestorm that follows these attacks. Given the many banking options available to customers today, no institution can afford to ignore these incidents.
In response to this problem, the Domain-based Message Authentication, Reporting & Conformance (DMARC) email security protocol was developed six years ago by major email providers, e-commerce companies, and social media networks to block fake emails or have them marked as spam. According to the Global Cyber Alliance, the top five U.S. banks have all adopted DMARC. However, only 11 of the 50 fastest growing community banks in the country have done so. In Europe, only 9 of the top 50 banks have deployed the technology. Canada’s ‘Big Six’ nationally chartered banks are only slightly better – with two having fully implemented DMARC, three in process and one outlier according to dmarcian’s phishing scorecard.
The same study stated that an additional 22 banks in the U.S. and 10 in Europe were beginning the implementation. Surprisingly, cost is not really an issue. Costs for DMARC registration and monitoring are largely internal and, according to a CenterState article, amount to less than $0.25 per user per month, or a few thousand dollars for a bank. If cost is not the issue, why aren’t banks implementing this effective protection? While the benefits of DMARC are obvious, implementation is often complicated. According to Return Path, here are three challenges and how best to prepare for them.
Challenge 1: Identifying the Right Resources
Email security is not the responsibility of a single person or team. The staff typically involved include security, fraud prevention, marketing, incident response, DNS administrators, third-party vendors, and others. Getting the appropriate staff and resources assigned to a DMARC project is crucial.
Challenge 2: Email Ecosystems
Email is complex. Organizations often have different business units sending from their own email addresses and domains, which makes it difficult to uncover authentication issues. DMARC’s “monitor” mode lets the email team see which messages are authenticating and which are not, and make informed policy decisions on that basis.
Challenge 3: When to Enforce
Knowing when to enforce the policy – moving from simply monitoring to quarantining or rejecting email that fails – is an important decision for a company, and the answer depends on the domain. Every company sends different kinds of email: promotional (such as a newsletter), transactional (triggered by a user’s action, such as signing up for a new banking product), regulatory, and others, and each kind needs to be treated differently. The email team needs to inventory all of the company’s email domains, prioritize them, and determine the deliverability risk and business impact of enforcing on each one.
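The three challenges above come down to one procedure: publish DMARC in monitor mode (a p=none policy with an aggregate-report address in the rua= tag), read the reports, fix or retire the senders that do not authenticate, and only then enforce. The following Python script is an added example, not tooling from SparkPost, Return Path or the original article. It parses a DMARC aggregate report in the RFC 7489 XML layout and sorts each sending source into three buckets: aligned (safe under quarantine or reject), needs_fixing (SPF or DKIM passes, but for a different domain, which is typical of a third-party vendor sending on the bank’s behalf) and unauthenticated (nothing passes, so either spoofing or a forgotten internal system). The sample report, its domains, IP addresses and message counts are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed DMARC aggregate (rua) report in the RFC 7489 Appendix C layout.
# Domains, addresses and counts are made up; three typical sources are shown.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r-1</report_id>
    <date_range><begin>1530403200</begin><end>1530489600</end></date_range></report_metadata>
  <policy_published><domain>bank.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <!-- the bank's own mail servers: SPF and DKIM both pass and align -->
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers>
    <auth_results><dkim><domain>bank.example</domain><result>pass</result></dkim>
      <spf><domain>bank.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- newsletter vendor: authenticates as its own domain, so nothing aligns -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers>
    <auth_results><dkim><domain>newsletter-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>newsletter-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- unknown host using the bank's From: domain with no authentication at all -->
  <record>
    <row><source_ip>192.0.2.55</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers>
    <auth_results><spf><domain>mailer.example</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (published policy, list of per-source rows) from one rua report."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    policy = {"domain": pub.findtext("domain"), "p": pub.findtext("p"),
              "pct": int(pub.findtext("pct"))}
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # The receiver has already applied alignment: DMARC passes when either
        # the aligned DKIM result or the aligned SPF result is "pass".
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        # Raw SPF/DKIM outcomes before alignment, used to spot misconfigured senders.
        raw = [e.findtext("result") for e in rec.findall("auth_results/dkim")]
        raw += [e.findtext("result") for e in rec.findall("auth_results/spf")]
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dmarc_pass": dmarc_pass,
            "raw_auth_pass": "pass" in raw,
        })
    return policy, rows


def classify_source(row):
    """Bucket one sending source for the monitor-to-enforce decision."""
    if row["dmarc_pass"]:
        return "aligned"          # survives a quarantine or reject policy
    if row["raw_auth_pass"]:
        return "needs_fixing"     # authenticates, but for another domain (typical vendor)
    return "unauthenticated"      # nothing passes: spoofing or a forgotten internal system


def enforcement_summary(rows):
    """Message counts per bucket and whether enforcing now would block legitimate mail."""
    counts = Counter()
    for row in rows:
        counts[classify_source(row)] += row["count"]
    return {
        "counts": dict(counts),
        "by_source": {row["source_ip"]: classify_source(row) for row in rows},
        "ready_to_enforce": counts["needs_fixing"] == 0,
    }


if __name__ == "__main__":
    policy, rows = parse_aggregate_report(SAMPLE_REPORT)
    print(f"published policy for {policy['domain']}: p={policy['p']}")
    print(enforcement_summary(rows))
```

On the sample report the vendor source lands in needs_fixing, so ready_to_enforce is False: the team must get the vendor signing with DKIM for bank.example (or add it to SPF with an aligned return-path) before moving to quarantine or reject. The unauthenticated source is exactly the traffic enforcement is meant to stop and does not hold the decision back, though an unrecognised IP with a steady volume still deserves a check that it is not an internal system nobody remembered.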
Follow the Money
Criminals are most interested in where the money is, and so financial institutions (banks, credit unions, brokerage and insurance companies, advisors) are prime targets for phishing. In the past, phishing attacks were pretty obvious, with misspellings or nonsensical information that gave the criminal intent away immediately. Today, networked cybercrime rings are armed with rich information from social media and can produce highly credible, targeted emails that are virtually indistinguishable from messages sent by a trusted colleague, lender, or banking brand. The attack can involve weeks of building trust in order to gain valuable corporate information from an employee or consumer.
Right now you may be thinking, “Email? We have malware and anti-virus systems in place already. Can it really be such a big threat?” The problem is that criminals today focus on identity fraud and take advantage of the ubiquity of email, which is still the most prevalent customer engagement tool. What’s more, it is easy for anyone – criminal or consumer – to check whether a given institution is using DMARC: simply go to the DMARC website. Banks that have not deployed it thereby make themselves especially vulnerable.
Brief History of Email Security
To combat email-borne cybercrime, email security and authentication tools evolved in the early 2000s. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) were introduced to protect the email channel; each standard covers a different aspect of email authentication:
- SPF allows senders to define which IP addresses are allowed to send mail for a particular domain.
- DKIM attaches a digital signature to each message, verified against a public key that the signing domain publishes in DNS, which shows that the message was not forged or altered in transit.
- DMARC unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like email from their domain to be handled if it fails the authentication check.
The Global Cyber Alliance states that financial organizations that deploy DMARC can stop spammers and phishers from using their name to trick unsuspecting customers and conduct cyber attacks. DMARC provides insight into any attempts to spam or phish using an organization’s email. It is supported by 85 percent of consumer email inboxes in the United States (including Gmail, Yahoo, and Microsoft), and more than 2.5 billion email inboxes worldwide.
About 70 percent of organizations fail to get DMARC to a reject or quarantine setting — and that ratio is roughly the same for the largest enterprises as it is for small and medium-size businesses.
How Does DMARC Work?
DMARC checks that a message is authenticated by the established SPF or DKIM standards and that the authenticated domain aligns with the domain shown in the message’s From: header, which is what a recipient actually sees. Domain owners then publish a policy choosing one of three ways for receivers to treat mail that fails:
- Monitor all mail to understand their brand’s email ecosystem without impacting the delivery of messages that fail DMARC.
- Quarantine messages that fail DMARC and redirect them to a spam folder.
- Reject messages that fail DMARC and divert them entirely from an inbox.
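To make the two lists above concrete (SPF and DKIM results feeding a DMARC policy that ends in a monitor, quarantine or reject decision), here is an added Python example; it is not code from SparkPost or from the original article. It parses the TXT record a domain owner publishes at _dmarc.<domain>, applies DMARC identifier alignment (relaxed or strict, the adkim= and aspf= tags) to the SPF and DKIM results a receiving server would have in hand, and returns the disposition, honouring sp= for subdomains and the pct= sampling. The organizational-domain helper is simplified to the last two labels; real implementations consult the Public Suffix List. All domains and addresses in it are made up.

```python
import random

POLICIES = ("none", "quarantine", "reject")
# When the pct= sample does not select a message, RFC 7489 applies the
# next-less-severe policy instead of skipping DMARC entirely.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(domain, txt):
    """Parse the TXT record published at _dmarc.<domain> into a tag dict.
    Raises ValueError when it is not a usable DMARC record."""
    tags = {"domain": domain.lower()}
    for part in txt.split(";"):
        name, _, value = part.partition("=")
        if name.strip():
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 missing")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("adkim", "r")      # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", "100"))
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Production code
    uses the Public Suffix List so that e.g. bank.co.uk is handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(auth_domain, header_from, mode):
    """Identifier alignment: strict ('s') needs an exact match with the From:
    domain, relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_dmarc(record, header_from, spf=None, dkim=(), draw=None):
    """DMARC verdict and disposition for one message.
    spf:  (domain the SPF check used, result) or None when there was no SPF check
    dkim: iterable of (signing domain, result), one entry per signature
    draw: integer 0..99 replacing the random pct= sample (for deterministic tests)
    The caller is assumed to have looked up the record for header_from's domain."""
    spf_ok = bool(spf) and spf[1] == "pass" and is_aligned(spf[0], header_from, record["aspf"])
    dkim_ok = any(res == "pass" and is_aligned(dom, header_from, record["adkim"])
                  for dom, res in dkim)
    if spf_ok or dkim_ok:
        return {"dmarc_pass": True, "disposition": "none"}
    # Failing mail from a subdomain of the policy domain uses sp=, otherwise p=.
    policy = record["p"] if header_from.lower() == record["domain"] else record["sp"]
    draw = random.randrange(100) if draw is None else draw
    if draw >= record["pct"]:
        policy = DOWNGRADE[policy]
    return {"dmarc_pass": False, "disposition": policy}


if __name__ == "__main__":
    rec = parse_dmarc_record("bank.example",
                             "v=DMARC1; p=quarantine; sp=reject; aspf=s; rua=mailto:dmarc@bank.example")
    print(evaluate_dmarc(rec, "bank.example", dkim=[("mail.bank.example", "pass")]))
    print(evaluate_dmarc(rec, "bank.example", spf=("mailer.example", "pass"), draw=0))
```

The first call in the usage block passes because a relaxed DKIM signature from mail.bank.example aligns with bank.example even though strict SPF alignment is requested; the second fails and is quarantined because SPF passing for mailer.example says nothing about bank.example. Publishing p=none returns a disposition of "none" for failing mail while still reporting the failure, which is the monitor mode discussed above; pct= lets a domain ramp up enforcement on a fraction of traffic first.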
We Can Help
This is where SparkPost comes in. We are email experts, and we help financial services companies define and implement robust email security, including SPF, DKIM, and DMARC. In fact, we deliver all our customers’ email through these tools. Enterprises that require the highest performance – deliverability, uptime, analytics, and scale – come to us. Check out our customer base here.
The financial services sector is, by nature, conservative, particularly when it comes to adopting new technologies. The benefits DMARC provides—visibility into your email and protection of your customers and your brand from email fraud—far surpass the initial challenges of implementation and its minor cost. Reach out to us, and let’s discuss your company’s security concerns. We would be happy to have one of our industry experts discuss your options.
Ready to learn more about DMARC and email authentication? Here are a few resources:
- Introduction to Email Authentication in the SparkPost Academy
- Email Security in the Era of the Cloud: A brief for business executives
- DMARC FAQ
- Free SparkPost tools: DKIM Validator & SPF Checker