Why email is the weakest security link – and how to fix it

According to a recent report by corporate investigations and risk consulting firm Kroll, UK businesses are the second biggest victims of cybercrime in the world, with 92% of executives saying they had experienced an attack or information loss in the last year.

Phishing is one of the most common types of cyber attack, with 30% of phishing emails getting opened, according to Verizon’s Data Breach Investigations Report. It’s the easiest way to hijack accounts – as happened to Hillary Clinton’s election campaign chairman John Podesta last year.

Even tech giants like Facebook and Google aren’t immune. Last month it emerged the tech giants were conned out of more than $100 million (£77m) each in an elaborate phishing scam involving forged email addresses and fake invoices from suppliers.

>See also: The state of IT security in UK businesses

It’s straightforward and relatively easy to steal someone’s online identity: with just a few lines of code, it’s possible to ‘borrow’ email addresses and create malicious emails that appear genuine.

Crucially, these scams do not involve hacking or password theft. A basic understanding of web protocols and simple tools such as telnet, and finding the name of the individual being impersonated (usually from LinkedIn) is enough for the attack to be successful.

To make matters worse, email servers and spam filters are often duped into trusting these emails because, unlike traditional phishing attacks, the sender’s email address looks legitimate.

As this tactic can be used on most email addresses, it’s easy to see how employees can be tricked into believing emails purporting to be from an important customer, partner or senior manager are genuine, especially when some email apps automatically include the perceived sender’s image.

>See also: Seasonal spam: the unwanted gift that gives and takes

Email: the backdoor to your business

People trust email providers to effectively handle security of their email identities online, but these scams highlight a fundamental problem with the way email relay has worked since the dawn of the internet.

It doesn’t matter whether your company has a strong security and password policy, or if it has enabled two-factor authentication (2FA) on employees’ accounts. All of this can be sidestepped by exploiting the basic weakness in email: that it’s easy for a criminal to impersonate a trusted employee or partner and trick the recipient into opening the message, which in turn opens the door to further compromises of your business’ security.

However, just because this weakness is part of the way the internet works, doesn’t mean that it’s not fixable. There is an email authentication protocol known as domain-based message authentication, reporting and conformance (DMARC), which prevents anyone from impersonating your email domain, making it impossible for hackers to send fake emails to your clients; it also blocks malicious emails from your inbox.

>See also: Severe: the security risk to UK mobile app users

An article on the Gov.uk website explains how the protocol works in detail, but in brief DMARC works by verifying if an email was sent from an authorised IP address, and also if the email has been signed by the same domain it was sent from, or from a domain that is authorised to send on behalf of that domain. These two factors are combined to authenticate emails, and to set rules about how receiving servers should treat mails if they fail the authentication checks.

DMARC has proved so successful that HMRC has introduced it across its entire organisation, while the National Cyber Security Centre, the UK and Australian governments, and the U.S. Federal Trade Commission are among DMARC’s growing list of advocates.

Check the current status of your organisation’s email domain using the tool at https://ondmarc.com/, and start increasing your email security and deliverability.


Sourced by Rahul Powar, founder and CEO at OnDMARC


Nominations are now open for the Tech Leaders Awards 2017, the UK’s flagship celebration of the business, IT and digital leaders driving disruptive innovation and demonstrating value from the application of technology in businesses and organisations. Nominating is free and simply: just click here to enter. Good luck!

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...