Compared to many of my colleagues, I’m not super technical. I don’t know how to code. I can’t tell the difference between a router and a modem. And yet, I’m the “techy” person in my family. I’m the one my mom calls when her computer freezes up or when the wifi goes down. I’m the person my dad calls when he has a question about the newest money sharing app.
My parents are complete opposites when it comes to technology. My mom does not embrace technology and tends to shy away from it. As technology becomes more complicated with all the new apps and devices, she is getting wary of payment apps, the cloud, and even communicating via text message.
My dad, on the other hand, embraces technology in every shape, size, and form. He’s always into the newest gadgets, latest apps, or recent features updates and stays on top of the latest tech trends.
Even though both my parents have completely different approaches to technology, I needed to find a way to explain how they can keep their devices safe from online security threats. Again, this is somewhat of a difficult task given I am not a super technical person. However, working in the tech industry and being around super technical co-workers, I have picked up a few tips to protect myself from online security threats and be able to better articulate the precautions to others.
Laptop and Email Security Threats
My mom has an iMac and has managed to get multiple viruses on it. Though nothing serious has resulted from these infections, it means I’ve had to teach my mom how to protect herself when reading email. The first thing I told her is to use passphrases rather than passwords for all of her online accounts. Passphrases are longer than passwords but easier to remember, so she doesn’t have to write them down (a security concern in case anyone broke into her house). You can learn more about why passphrases are better than passwords here.
The second thing I’ve taught her is to be aware of security threats that arrive by email. If she receives an email from someone she doesn’t know, I’ve told her to treat it with caution, especially if it asks her to click on a link, download an attachment, or provide information like passwords, addresses, or phone numbers. An email asking for personal information is a huge red flag and should immediately be reported as phishing or spam. If the email comes from someone she does know, I’ve taught her to think critically about why that person would be asking her to click, download, or provide information. The best course of action is to contact the sender through an alternate means of communication and ask whether the email is legitimate.
I have also taught my mom to look closely at links and downloads in the body of an email. Instead of clicking a link without hesitation, she now knows to hover her cursor over it first. In a web browser, the real destination appears in a small box in the bottom corner of the window; in a desktop mail client it usually appears as a tooltip next to the cursor. The text of a link can say one thing while the link itself goes somewhere else entirely, so she reads the address and checks that the domain matches what the link text and the rest of the email claim. The policy I’ve laid out for her regarding attachments is to not download an attachment unless she knows who it is from AND it’s something she is expecting.
Mobile Device Security Threats
My dad loves his phone and is always on it – he uses it more than his computer. He loves how technology has made his life easier and eagerly jumps on new apps for ride sharing, transferring money, paying for parking, you name it. While I’m glad to see he’s not shying away from new technology, it worries me that he’s compromising his security by downloading a ton of free apps, accidentally clicking on malicious ads, and not protecting his phone as well as he could.
Here are a few tips I’ve given my dad to help keep his phone and information safe. The first tip is to password-protect your phone. It may seem obvious, but many people value convenience over security and enable “smart unlock” features so that the phone doesn’t require a password when connected to a trusted network such as home wifi or car Bluetooth. Turning these features off, so the device requires a password 100% of the time, is a small step toward being more secure.
Another security threat to be wary of are random free app installs. There are some fantastic free apps out there, but there are also a lot of bad ones. I tell my dad to vet apps before installing them and to make sure they are from legitimate, verified sellers. He does this by reading reviews from multiple sources. Also, if an app asks for permission to use his camera, microphone, etc, I’ve advised him to think critically about why that app would want that access and only agree if he believes the app seller to be trustworthy.
One vital piece of advice I’ve given my dad (mainly because he is a tad forgetful and prone to losing things) is to download an app or use the phone’s built-in features that allow it to be tracked, locked, or wiped if it’s lost or stolen. The app he uses is called Find My Device by Google LLC. It allows him to locate his phone if he’s lost it in his house by causing it to make a sound as well as lets him track his phone and in the worst case scenario, wipe it if need be.
And last but not least, I’ve told my dad to be wary of open wifi networks. He does a lot of work in coffee shops, so he connects his phone to various networks all the time. I’ve told him to only connect to networks he trusts such as Starbucks’ free wifi and even then, never access banking websites on public networks.
There is no such thing as being too careful
Even though I’m not super technical, a lot of these things come naturally to me because I was raised on computers. It is also super helpful that SparkPost does security training once a year! My parents are in their sixties, and the only computer training they ever had was typing! At first, I thought all I needed to do to keep them safe from online security threats was to make sure they had secure passwords in place. But now, with the ever-growing plethora of scams out there, I’ve realized the importance of teaching them how to protect themselves. If you’re not super technical, and your loved ones are even less so like mine, I hope these tips will help you keep them safe out there in the online world.
2017 State of Email: What we Can Expect in the New Year
Entering 2017, email continues to thrive while sustaining a transformation it has been undergoing for quite some time – literally decades. Throughout 2016, email solidified its place in a world where users use many communications apps simultaneously. Email is and continues to be the record of identity for transactions. Apps use email to reset accounts, and services send their most important notifications through email. Furthermore, email is the only widely used cross-platform communication protocol that is free from proprietary control. This open nature is why email continues to thrive. In 2017, we’ll likely see these major trends around email continue:
Move to Transactional.
Email has had a long life – 45 years and counting – and during that time, the nature of its primary role has changed. For a time, email was the dominant form of personal communication over the internet. As other messaging platforms have become more predominant in personal communications, email has transformed to being the system of record. Indeed it is an email address that often underlies the user’s authentication & account recovery methods of the newer communication mediums.
With email standing behind most new internet services & account types, email continues to be one of the best ways that apps and services can reach out to users to engage and activate them. With this, email continues to be the foundation of many growth programs.
Becoming Phishing Proof.
Since email is how apps and services authenticate users around account changes, it is essential that email continue its development toward becoming phishing proof. Public cases in 2017 have shown how sophisticated attackers have gotten using email and the damage they can do. Email providers like Google and Microsoft achieved major milestones around DMARC during 2016. When “DMARC reject policies” are finally deployed by these and other providers, email will have gone a long way toward taking the onus off the user to know when to trust a message.
Today’s users have many communications apps or services. While email has a well earned place here, it is not the only way that apps and services communicate with users. Apps continue to experiment with and see what is the best mix of notification types. In 2017, we’ll see apps get even smarter about notifications, where beyond sending the right message at the right time, they’ll also send on the right medium at that time.
If 2017 is like the years before it, users will receive & send many more messages than they did in 2016. When these messages are done smartly, they provide users with options and control of their communications.
– Josh Aberant
Thoughts on the 2017 State of Email? Drop us a line below.
Continuing on my new years resolution to share what I’ve learned and put those learnings into practice, I thought I’d dig into the subject of security. One of the things that I learned was that security is very important for everyone, but particularly for customers who are moving away from hosting their own infrastructure and entrusting their assets to a cloud provider. The learning is clear — but putting it into practice is the next step.
As it happens, a large number of features that we’ve rolled out over the past six months were, in fact, security related. This includes:
- Adding a maximum number of log-in attempts before the system times out.
- Two-Factor Authentication.
- Whitelisting API Keys allowed to inject messages.
- Implementing OAuth2 for Webhooks.
- Adding an option for Single Sign On (SSO) on SparkPost Elite accounts.
- Adding role-based access controls, more specifically a Reporting-Only role.
And those are just the customer-facing ones. We were looking at our overall cloud email security practices, even before hiring Steven Murray, our CISO. And he’s making changes — features, internal functionality, processes — to make sure security continues to be a high priority. For example, we’ve instituted intrusion detection to make sure we’re keeping our systems locked down.
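The first item in that list, a cap on failed log-in attempts, is simple to state and easy to get subtly wrong. The following is an added example of how such a limit can be built, not SparkPost’s implementation (its thresholds, lockout length and hashing parameters are not described on this page); the accounts, passwords and timing values are made up. It counts failures per account inside a sliding window, locks the account for a fixed period once the cap is hit, checks the lock before verifying the password so a locked account answers every guess identically, and hashes a dummy value for unknown accounts so response time does not reveal which usernames exist.

```python
"""Per-account failed-login limiting with a temporary lockout. Added example,
not SparkPost's code; thresholds and users below are constructed."""
import hashlib
import hmac
import os
import time
from collections import defaultdict

ITERATIONS = 100_000  # PBKDF2 work factor; tune so one hash costs ~100 ms


class LoginThrottle:
    """Lock an account for lock_seconds once max_failures failed attempts land
    inside a window of `window` seconds. Counting is per account, so a password
    spray (one guess against many accounts) slips under this limit; pair it with
    a per-source-IP limit. `clock` is injectable so the window can be tested."""

    def __init__(self, max_failures=5, window=300, lock_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.users = {}                     # account -> (salt, pbkdf2 hash)
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> unlock time
        # Hashed for unknown accounts so their timing matches real ones.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._hash(self._dummy_salt, os.urandom(16).hex())

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def add_user(self, account, password):
        salt = os.urandom(16)
        self.users[account] = (salt, self._hash(salt, password))

    def _password_ok(self, account, password):
        salt, stored = self.users.get(account, (self._dummy_salt, self._dummy_hash))
        # Unknown account: the full hash is still computed, then the check fails.
        return hmac.compare_digest(self._hash(salt, password), stored) and account in self.users

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is not None and self.clock() < until:
            return True
        self.locked_until.pop(account, None)   # lock expired or never set
        return False

    def attempt(self, account, password):
        """Returns 'locked', 'ok' or 'failed'. The lock is checked before the
        password so a locked account gives the same answer to every guess."""
        now = self.clock()
        if self.is_locked(account):
            return "locked"
        if self._password_ok(account, password):
            self.failures.pop(account, None)   # success clears the failure history
            return "ok"
        recent = [t for t in self.failures[account] if t > now - self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lock_seconds
            self.failures.pop(account, None)
        else:
            self.failures[account] = recent
        return "failed"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window=60, lock_seconds=120)
    throttle.add_user("alice", "correct horse battery staple")
    for guess in ("hunter2", "letmein", "password1", "correct horse battery staple"):
        print(guess, "->", throttle.attempt("alice", guess))
```

Two points worth noting in the design: the lockout is time-limited rather than permanent, so an attacker cannot lock legitimate users out of their accounts at will, and a successful login clears the counter so an honest typo does not count against the user for the rest of the window.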
The things we recommend our customers do to improve cloud email security when using SparkPost:
- Use strong passwords!
- Make sure every user enables Two-Factor Authentication when accessing the SparkPost account. This is the single biggest deterrent against attempts to hack into your account, and it’s easy to do.
- Assign roles to your users. If all they’re doing is looking at reports, make them a Reporting-Only user.
- Make sure to change the password on any shared accounts on a regular basis.
- Set up your engagement tracking domains as https (Elite accounts).
Looking ahead, we will be adding support for more Single Sign On identity providers and rotation of DKIM keys, and we will keep looking at how we store and access data without impacting performance.
What are your most pressing security concerns?
Do not go gentle into that new normal
At SparkPost’s recent Insight user conference, Steve Jones, executive director of DMARC.org, didn’t hold back. He began his talk on email authentication by bluntly observing that “spam and phishing are the new normal.” I sucked in my breath. Steve’s comment felt like a punch to the gut. I felt like I wanted to defend the honor of email. Yeah, bad guys—sometimes really bad guys—are out there, I thought to myself, but it’s the exception, not the rule! But I knew he was right. I settled down and nodded my head, knowing that Steve’s perspective squared with the experiences of people who manage the front-lines of defense at ISPs and corporate email hosts, as well as the findings of email industry organizations like M3AAWG.
Steve noted that 28 billion spam messages are sent every day. By some estimates, phishing is a $3.7-million annual cost for the average enterprise. And for publicly-traded companies, a disclosure of phishing leads to a loss of stock value of $411 million or more. As Steve put it, costs like these are fraudulent email’s “hit to reputation and brand, made tangible. And there’s no bottom to what bad actors will do to get your money.”
So, spam and phishing really are the new normal. Companies must incorporate a security posture that takes into account email as a major attack vector that’s exploitable through phishing, malware, and socially engineered content designed to defraud recipients of sensitive information and to steal credentials that grant access to systems.
And this new normal is why Steve’s organization does its work. DMARC, or “Domain-based Message Authentication, Reporting & Conformance,” is a technical specification that builds on earlier SPF and DKIM email authentication mechanisms. In his talk at Insight, Steve presented an overview of the current landscape of email authentication, including why DMARC is important, how it works, and recent developments.
ISPs are moving to an authentication-only world. So should you.
The biggest consumer mailbox providers prefer authenticated email, and that preference is turning into a mandate. In April 2014, Yahoo took the plunge and published a “p=reject” DMARC record for yahoo.com. By doing so, Yahoo essentially told receivers, “if a message claims to be from a yahoo.com address and you can’t verify it with SPF or DKIM, throw it away. No exceptions.” There are reports that Google may take a similar step for Gmail in 2016.
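What a “p=reject” record actually instructs a receiver to do comes down to a few tags and an alignment check between the visible From: domain and whatever domain SPF or DKIM authenticated. The following is an added example (not code from the original post, SparkPost or DMARC.org) that parses a record and computes the disposition a receiver would apply; the `bank.example` and `attacker.example` domains, the record and the message results are constructed. It also covers the subdomain policy (`sp=`) and strict versus relaxed alignment, which the text above does not spell out.

```python
"""Parse a DMARC record and work out the disposition a receiver would apply to
a message, including identifier alignment and the subdomain policy. Added
example, not from the original post; records and results are constructed."""


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of tags with defaults
    filled in. Returns None for anything that is not a usable DMARC record
    (v=DMARC1 must come first and p is required, per RFC 7489)."""
    if not txt.strip().startswith("v=DMARC1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    tags["p"] = tags["p"].lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")                     # relaxed alignment by default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels. Real
    receivers consult the public suffix list so that 'bank.co.uk' is not
    collapsed to 'co.uk'."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the domain that passed SPF/DKIM align with the From: domain?
    Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(record, from_domain, spf_pass_domain=None,
                      dkim_pass_domains=(), record_domain=None):
    """record: parsed tags; from_domain: the visible From: domain;
    spf_pass_domain: the MAIL FROM domain if SPF passed, else None;
    dkim_pass_domains: d= of every signature that verified;
    record_domain: where the record was published (defaults to from_domain;
    pass the org domain when the sending subdomain has no record of its own).
    Returns 'pass', or the policy to apply: 'none', 'quarantine' or 'reject'.
    pct is ignored here; with pct<100 a receiver applies the policy to only
    that share of failing mail and the next weaker policy to the rest."""
    record_domain = record_domain or from_domain
    spf_ok = aligned(from_domain, spf_pass_domain, record["aspf"])
    dkim_ok = any(aligned(from_domain, d, record["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    return record["sp"] if record_domain.lower() != from_domain.lower() else record["p"]


# Constructed record for a fictional bank domain.
BANK_RECORD = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@bank.example")

if __name__ == "__main__":
    cases = [
        ("bank.example", "bounce.bank.example", [], None),                   # legitimate bulk mail
        ("bank.example", "mx.attacker.example", ["attacker.example"], None),  # spoofed From:
        ("news.bank.example", None, [], "bank.example"),                      # unauthenticated subdomain
    ]
    for from_dom, spf, dkim, rec_dom in cases:
        print(from_dom, "->", dmarc_disposition(BANK_RECORD, from_dom, spf, dkim, rec_dom))
```

The second case is the one the Yahoo policy targets: SPF and DKIM both pass, but for the attacker’s own domain, and since neither aligns with bank.example the message is rejected. The third case shows why `sp=` deserves attention; a record with `p=reject` and no `sp` tag also rejects unauthenticated mail from every subdomain, which is usually what you want but catches senders who forgot about a subdomain.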
There have been issues with this “strict” posture—in some cases, legitimate email has suffered because of this spam counter-measure. But, I remind you that false positives are nothing new. It’s frankly just a cost of doing business for senders (and a much smaller cost than those that result from successful phishing attacks). Legitimate senders long have been operating in the shadow of compromised hosts, spam, phishing and other abusive digital communications, and incurring short-term inconveniences to stem that tide is worth the effort. Truth be told, what disturbs me more is the fact that everyone hasn’t yet adopted SPF, DKIM and DMARC as a means of combating spam and protecting their own reputations!
It’s time to splice email authentication into corporate DNA.
The watch guards of enterprise security (especially CISOs) often talk about a company’s “security posture,” the plan and cultural shift that a business puts into place to protect its employees, customers, intellectual property, and systems from attack, both cyber and physical. We’re likely all familiar with defenses like firewalls, multi-factor authentication mechanisms, access and password policies, and more.
But what about email? It’s the lifeblood of every company doing business on the internet today. But at too many businesses, email security is limited to spam filters or malware scans. Those are fine front-line tools to help protect against brute force bad guys, but they do little for phishing (and spear-phishing) attacks.
The simple power of email is its ability to connect people and businesses the world over. But the simplicity and ubiquity that makes email the Internet’s “connective tissue” also allows the spread of viruses, fraud, phishing, and compromises to accelerate to pandemic speed as they move from one email box to another.
Every company that works with customer data, financials, or has a broad national or global presence is nothing short of a flame in the night that draws all sorts of malicious attacks. In the digital marketing industry, ESPs, marketing automation companies, anyone who purports to be a marketing system of record… are just some of the inevitable targets for phishing attacks.
Adopting email authentication standards like DMARC (and transport layer encryption standards such as STARTTLS) will go a long, long way to improving your digital messaging security posture. What are you waiting for? Do it.
Ready to learn more about DMARC and email authentication? Here are a few resources to get going.
- How DMARC Is Saving Email, a great ebook written by our deliverability team
- The Validator, the free, all-in-one DKIM validation, SPF checker, and DMARC validator app from SparkPost
- Understanding SPF and DKIM In Sixth Grade English
- Twitter’s Email Privacy Report, powered by SparkPost
In light of the recent security breaches making the headlines, our own CMO Dave Lewis has posed eight points for consideration for CMOs, and what the possibility of a breach could mean for them and their own marketing activities.
Says Lewis: “This isn’t a pretty picture relative to the preservation of trust, but uglier still are the potential consequences—customers being unwilling to share the data that makes digital communication and commerce work because they no longer trust companies to keep it safe. Equally devastating would be a breakdown in the trust relationships we have with each other and an inability to effectively work together as partners in this ecosystem. These are the things that worry me if the breaches continue. They jeopardize our ability to generate revenue and build customer relationships as CMOs, putting our individual and collective success at serious risk.
So what can we do about it?”
Read the whole thing here at the CMO Council’s Marketing Magnified.