In less than a couple of minutes, he hacked my email account. Set up a new user under my domain. And to prove he was successful, he sent this email…
While casually talking to me on Zoom, my new business partner sent this email from an account he didn’t have access to. A wave of fear ran through me; I was stunned at what just happened. I thought to myself, “OMG, my business partner is a super hacker!”
Then he said, “I wanted you to see what can happen when you don’t have DMARC set up, and properly configured. If I were a hacker, I could have sent tens of thousands of spam emails using your domain, effectively destroying your domain’s email reputation. And you would have no idea until it was too late.”
It happens just that fast, and doesn’t require much effort. Remember, he did this while talking to me on Zoom. He performed this trick while I was looking right at him.
My business partner is the top analyst with a major Email Service Provider. He runs the email deliverability division. He sees these types of attacks all the time and protects their clients from them.
My email account was not hacked. It was spoofed. It doesn’t take a super hacker to do this. A quick search on Google will return dozens of results with step-by-step instructions on how to spoof any email address in less than 5 minutes.
Email spoofing occurs when an attacker forges the sender address on a message (the From: line your mail client displays) to trick the recipient into thinking it came from a known and/or trusted source.
The reason it’s so easy to spoof email is quite simple: email wasn’t originally designed with security and privacy in mind. It was intended to be an open service run by academics for other academics, and nothing in the underlying protocol (SMTP) checks that the address in the From: line belongs to whoever actually sent the message. It wasn’t until the 1980s that email hosting services started popping up and the word “email” entered the public vocabulary.
Email Fraud…It Can Happen To Your Business
Today, email fraud accounts for billions of dollars in losses annually, with 76% of businesses reporting that they were the victim of a phishing attack in the last year. Even worse? Over 90% of businesses are vulnerable to spoofing attacks.
Midsized companies are hurt the most when their domain is spoofed, and used in phishing attacks, because the scammer will also target their employees.
The average cost of a phishing attack on a midsized business is $1.6 million. There’s lost productivity while everyone tries to halt and undo the damage. There’s also a loss of proprietary data, and perhaps the worst of all is the damage to a company’s reputation after a breach. A third of consumers will stop using a business once a breach has occurred–and it could take years (years!) to recover from such an incident.
Many companies are completely unprepared. Why? 35% of working professionals don’t even know what the term “phishing attack” means.
Small businesses aren’t hurt as badly by these types of cyber-attacks, but it’s still costly. On average, a cyber-attack costs a small business $53,987. Many of these companies don’t fully recover from the disruption these types of attacks cause.
Good News, Bad News
Here is the good news, and the bad news. The bad news: there is no way to stop a spammer from putting your email address in the From: line of a message sent from servers they control.
The good news: you can make sure the mailbox providers on the receiving end recognize those messages and refuse them. That means setting up SPF, DKIM, and DMARC records for your domain. The most effective is DMARC, because it is the one that tells receivers what to do with mail that fails.
DMARC was first published in 2012. It builds on the older SPF and DKIM checks, and together these protocols have proven extremely effective at stopping billions of email attacks from ever reaching their targets. It is, hands down, your best defense against spoofing and phishing attacks.
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance,” is an email authentication, policy, and reporting protocol. Boy, that’s a mouthful. Major geek speak.
Let me explain this in plain English…
Think of SPF, DKIM, and DMARC in this way. SPF would be like locking the windows of your home. DKIM would be like locking the doors of your home. And DMARC would be like installing a security system that goes off if your windows or doors are breached. It offers a third level of protection.
A DMARC policy is a TXT record published in your domain’s DNS. It tells a receiver’s mailbox provider that mail from your domain should authenticate with SPF and/or DKIM, and what to do with a message that fails: deliver it anyway but report it (none), quarantine it (usually the spam folder; yep, that’s a thing), or reject it outright.
DMARC can only prevent fraudulent emails from reaching inboxes when both senders and receivers have implemented it. The good news is that all of the major mailbox providers use this authentication protocol.
Where DMARC shines in protecting your email domain is alignment. A message can pass SPF or DKIM for some domain, but DMARC also requires that the domain which passed (the Return-Path domain for SPF, the d= domain of the DKIM signature) match the domain in the From: line the recipient sees. A message that authenticates perfectly for the attacker’s own domain while displaying yours fails alignment, and DMARC signals the mailbox provider to reject or quarantine it. That is just one of the reasons proper set up and configuration of DMARC is so critical.
Going back to my home security system example: Locking your doors and windows isn’t going to be enough to stop a motivated burglar from breaking into your home. But with the right home security system, the alarm will go off, the police will be called, the burglar will be caught, handcuffed, and hauled off to jail before he can do any harm. That’s the value of DMARC.
Back to the story…
Now, let’s go back to what my new business partner had done. He didn’t hack my email account. He spoofed it. And here is how you can tell.
When you look at the headers of the email, the From: line shows my domain, but the domain that actually passed SPF or DKIM (the Return-Path domain, or the d= domain in the DKIM signature) is a different one that the sender controls. Those checks pass for that other domain, so SPF and DKIM on their own (locked doors and windows) let it through. They can’t get it past a DMARC policy (alarm system) that is properly set up and configured, because neither authenticated domain lines up with the domain in the From: line.
Why do I keep stressing “properly set up and configured?” There are two reasons:
First, a record that exists but only monitors (a policy of p=none) can give you a false sense of security that it is blocking unauthorized use of your domain…when in fact it isn’t blocking anything.
Second, an enforcing policy (quarantine or reject) turned on before every legitimate sender of your mail (your mail server, newsletter tool, CRM, helpdesk) is covered by SPF or signs with DKIM can cause ALL the emails you send to be rejected, quarantined, or sent to the spam folder by the mailbox provider of your recipients.
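As an added example (not code from the article or from its author), here is a small Python script that does what a receiving mailbox provider does with the headers described above: it parses a DMARC record, pulls the From:, Return-Path and DKIM d= domains out of a message, checks alignment, and returns the disposition. It also flags the monitoring-only and incomplete settings behind the two reasons just given. The domains, messages and DMARC records in it are constructed for illustration, and the organizational-domain lookup is simplified to the last two labels where real receivers use the Public Suffix List.

```python
"""Added example, not from the original article: a minimal DMARC evaluator.

It (1) parses a DMARC TXT record, (2) pulls the three identifiers that matter
out of a message's headers, and (3) decides the disposition the way a receiving
mailbox provider would. The messages, domains and records below are
constructed for illustration; the alignment logic follows RFC 7489.
"""
import re
from email import message_from_string


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict, filling RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return {
        "p": tags["p"].lower(),
        "sp": tags.get("sp", tags["p"]).lower(),  # subdomain policy defaults to p
        "adkim": tags.get("adkim", "r").lower(),  # r = relaxed, s = strict
        "aspf": tags.get("aspf", "r").lower(),
        "pct": int(tags.get("pct", "100")),
        "rua": tags.get("rua"),
    }


def weak_settings(record):
    """Flag settings that leave a domain spoofable while a record still 'exists'."""
    warnings = []
    if record["p"] == "none":
        warnings.append("p=none: failures are only reported, never blocked")
    if record["pct"] < 100:
        warnings.append(f"pct={record['pct']}: policy applied to only part of failing mail")
    if not record["rua"]:
        warnings.append("no rua=: you will receive no aggregate reports of abuse")
    return warnings


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    real receivers consult the Public Suffix List, e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


_ADDR_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def identifiers(raw_message):
    """Extract the From: domain, Return-Path (SPF) domain and DKIM d= domain."""
    msg = message_from_string(raw_message)
    frm = _ADDR_DOMAIN.search(msg.get("From", ""))
    if not frm:
        raise ValueError("message has no From: domain")
    rp = _ADDR_DOMAIN.search(msg.get("Return-Path", ""))
    dk = re.search(r"\bd=([A-Za-z0-9.-]+)", msg.get("DKIM-Signature", ""))
    return frm.group(1), (rp.group(1) if rp else None), (dk.group(1) if dk else None)


def evaluate(record, raw_message, spf_result, dkim_result):
    """Return (dmarc_pass, disposition) for a message whose SPF and DKIM
    verification results are already known ('pass' / 'fail' / 'none')."""
    from_dom, spf_dom, dkim_dom = identifiers(raw_message)
    spf_ok = spf_result == "pass" and aligned(from_dom, spf_dom, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_dom, dkim_dom, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"       # DMARC pass: deliver normally
    return False, record["p"]     # DMARC fail: apply the domain owner's policy


# Constructed spoof: the visible From: is the victim's domain, but the message
# bounces to, and is DKIM-signed by, the attacker's own domain (both "pass").
SPOOFED = """Return-Path: <bounce@bulk-mailer.example>
From: CEO <ceo@victim.example>
To: you@victim.example
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-mailer.example; s=sel; h=from:to; bh=...; b=...
Subject: urgent wire

please pay the attached invoice today
"""

# Constructed legitimate mail: signed with the victim's own DKIM key.
LEGIT = """Return-Path: <ceo@victim.example>
From: CEO <ceo@victim.example>
To: you@victim.example
DKIM-Signature: v=1; a=rsa-sha256; d=victim.example; s=sel; h=from:to; bh=...; b=...
Subject: lunch

noon?
"""

if __name__ == "__main__":
    enforcing = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@victim.example")
    monitoring = parse_dmarc_record("v=DMARC1; p=none")
    print(evaluate(enforcing, SPOOFED, "pass", "pass"))   # (False, 'reject')
    print(evaluate(monitoring, SPOOFED, "pass", "pass"))  # (False, 'none')
    print(evaluate(enforcing, LEGIT, "pass", "pass"))     # (True, 'none')
    print(weak_settings(monitoring))
```

The spoofed message passes SPF and DKIM for bulk-mailer.example, yet fails DMARC because neither domain aligns with victim.example; under p=reject it is refused, while under the monitoring-only p=none record it is delivered exactly as if no DMARC record existed, which is the false sense of security described above.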
In summary, DMARC adds something SPF and DKIM lack: reporting. Mailbox providers send the domain owner aggregate reports of who is sending mail using the domain and whether it authenticated, so you learn about abuse from the reports instead of from your customers. You can use DMARC to protect your domains against abuse in spoofing or phishing attacks. As a website owner, you want to know for sure that your visitors or customers will only see emails that you have sent yourself. Therefore, DMARC is a must for every domain owner.
This is really important:
Over 50% of SPF and DKIM records are misconfigured, and over 87% of DMARC records are incorrectly set up or configured.
In Part 2, I explain how to set these records correctly, so they properly do the job they were intended to do: protect your email domain from unauthorized use.
You can read the article here: https://www.linkedin.com/pulse/how-protect-yourself-from-online-ninja-attack-can-cripple-ed-forteau
Note: This article was originally published on LinkedIn.