Email fraud is rife and costs companies like yours millions. Implementing the authentication standard DMARC (Domain-based Authentication Reporting and Conformance) to block bad email before it reaches consumer inboxes is a great first step. But DMARC alone isn’t enough, protecting your brand from only 30% of email-borne attacks. We tapped into the Return Path Data Cloud and analyzed more than 760,000 email threats associated with 40 top global brands over the course of 2 months to understand how fraudsters circumvent email authentication mechanisms like DMARC.

2. Webinar: How Cybercriminals Cheat
Email Authentication
September 29, 2015
#BeyondDMARC

3. Welcome!
• Follow us on Twitter @StopEmailFraud.
• Use our hashtag #BeyondDMARC.
• Please type in your questions using the chat box.
• Yes! We’ll send you a recording.

4. Welcome!
Matthew Moorehead
Strategic Project Manager
Email Fraud Protection
Return Path
@mattmooreheadRP
Liz Dennison
Content Marketing Manager
Email Fraud Protection
Return Path
@LizKONeill
Ash Valeski
Senior Product Manager
Email Fraud Protection
Return Path

5. Agenda
• The Email Fraud Problem.
• Email Authentication Best Practices.
• Real-time Insights into All Email Attacks.
• Tactics Fraudsters Use to Cheat Email Authentication.
• Unite Against Email Fraud.
• Q&A.

6. The Email Fraud
Problem

7. Email Fraud Is on the Rise
5 out of 6 big
companies
are targeted with
phishing attacks
Phishing costs brands
worldwide $4.5 billion
each year
RSA identifies
a phishing attack
every minute
Email fraud has
up to a 45%
conversion rate
Source: EMC, Google

8. Hard Cost Impact
Fraud Losses Malware Infection Investigation Remediation

9. Revenue Impact
• Reduced trust in brand:
• Customers and subscribers don’t know what to trust
• Reduced effectiveness of email:
• Consumer mailbox providers don’t know what to trust
Customers are 42% less likely to interact with a
brand after being phished or spoofed.

10. to: You <you@yourdomain.com>
from: Phishing Company <phishingcompany@spoof.com>
subject: Unauthorized login attempt
Dear Customer,
We have recieved noticed that you have recently
attempted to login to your account from an unauthorized
device.
As a saftey measure, please visit the link below to
update your login details now:
http://www.phishingemail.com/updatedetails.asp
Once you have updated your details your account will
be secure from further unauthorized login attempts.
Thanks,
The Phishing Team
1 attachment
Making an email
look legitimate by
spoofing the
company name in
the “Display Name”
field.
Tricking email
servers into
delivering the email
to the inbox by
spoofing the
“envelope from”
address hidden in
the technical header
of the email.
Including logos,
company terms,
and urgent
language in the
body of the email.
Making an email
appear to come
from a brand by
using a legitimate
company domain, or
a domain that looks
like it in the “from”
field.
Creating convincing
subject lines to drive
recipients to open
the message.
Including links to
malicious websites
that prompt users to
give up
credentials
Including
attachments
containing malicious
content.
Anatomy Of A
Phishing Email

11. Email Authentication
Best Practices

12. Email Authentication Keeps Bad Email Out
Authenticating email helps ensure your legitimate messages reach
your customers, and malicious messages don’t.
There are three key authentication protocols to know:
1. SPF (Sender Policy Framework)
2. DKIM (DomainKeys Identified Mail)
3. DMARC (Domain-based Message Authentication Reporting &
Conformance)

13. How DMARC Works
Email received by
mailbox provider
Has DMARC been
implemented for “header
from” domain?
Does email fail
DMARC
authentication?
Mailbox provider
runs filters
QUARANTINE
NONE
REJECT
Apply domain
owners
policy
YESYES
NO
NO
Deliver Report
to Sender
Control & Visibility

14. Phishing Emails DMARC Would Block

15. But Email Authentication Isn’t Enough
30%
spoof your domain
•Active Emailing Domains
•Non-Sending Domains
•Defensively-registered Domains
70%
spoof your brand
in other ways
• Cousin Domains
• Display Name Spoofing
• Subject Line Spoofing
• Email Account Spoofing
Source: Return Path / APWG White Paper, 2014

16. Real-Time Insights
Into All Email Attacks

17. The Return Path Data Cloud
Contactually Molto ParibusGetAirHelp
Message Finder UnsubscriberOrganizer

18. EMAIL THREAT
DATA
· Consumer inbox data
· Email delivery data
· Authentication results
· Message level data
· SPAM trap & complaints data
EMAIL THREAT
INTELLIGENCE
· Domain-spoofing alerts
· Brand-spoofing intelligence
· Suspicious activity map
· Fraudcaster URL feed
· Sender Score: IP reputation

21. Tactics Fraudsters
Use to Cheat Email
Authentication

22. Tapping Into the Return Path Data Cloud
• 40 day period (July and August
2015).
• Analyzed over 240 billion emails
from more than 100 data feeds.
• Identified over 760,000 email
threats targeting 40 top brands.

23. Tactic 1: Snowshoeing
• No discernible pattern to suggest
that the biggest phishing attacks
are launched on distributed IP
addresses.
• But 22 of the 76 medium-sized
attacks were sent from
distributed IPs.
• Assessing IP reputations should
continue to provide value.

24. Tactic 2: Subject Line Spoofing
The minority of serialized subject
lines we did find fell under four
interesting themes:
1. Social media scams
2. Account security
3. Calls to action with reference
number
4. HR Scams

25. Tactic 2: Subject Line Spoofing
• Urgency is a key theme in subject
line spoofing.
• Fraudsters prefer a template-based
approach.

26. Tactic 3: Display Name Spoofing
• In the majority of email threats, fraudsters spoof elements of the
Header From field.
• Nearly half of all email threats spoofed the brand in the Display Name.

27. Unite Against Email
Fraud
Tips for defending your customers,
your brand, and your bottom line.

28. #1: Authenticate Your Email
DMARC (Domain-based Message Authentication Reporting & Conformance):
• DMARC prevents domain-based spoofing by blocking fraudulent
activity appearing to come from domains under your control.
• DMARC provides an email threat reporting mechanism (aggregate
and forensic data).
• Use our DMARC Check Tool to query your domain's record and
validate that it is up to date with your current policy:
bit.ly/DMARCcheck.

29. “Simply put, the DMARC standard works.
In a blended approach to fight email fraud,
DMARC represents the cornerstone of
technical controls that commercial senders
can implement today to rebuild trust and
retake the email channel for legitimate brands
and consumers.”
Edward Tucker, Head of Cyber Security for
Her Majesty’s Revenue & Customs

30. #2: Get Visibility Into Email Threats
Email Threat Intelligence is the only way to:
• Address the 70% of email attacks that spoof your brand using
domains your company does not own (brand spoofing).
• Get visibility into all types of email threats targeting your brand
today.

31. Defend Your Customers, Brand, and Bottom Line
Detect & block fraudulent emails
spoofing your brand before they
hit consumer inboxes
Bolster malicious URL takedown
efforts with real-time email
threat detection
Reduce spend on fraud
reimbursements, phishing
remediation, and customer
service costs

32. “If you boil the jobs down of [IT security
professionals], they are ultimately tasked with
protecting the brand…
If you have a breach, research suggests that
60% of your customers will think about moving
and 30% actually do.”
Bryan Littlefair, Global Chief Information
Security Officer, Aviva

33. THANK YOU!
Want more? Download “The Email Threat Intelligence Report”.
bit.ly/EmailThreatIntel