You know email authentication is big news when you hear about a lack of it on Good Morning America.
The latest email-driven phishing scam involves E-ZPass, the rather innocuous driving utility designed to help motorists avoid slowing down at highway toll booths.
With thousands and thousands of drivers in 14 states, you can imagine that E-ZPass sends out a lot of transactional email (updates to personal info, updates to billing info, recharges, etc). As the majority of those emails are transactional, they don’t require a lot of thought or engagement.
Image: Capitol National Bank
But if you were to get an email that says you have a toll violation or need an account replenishment, you might click through pretty quickly. And if you’re like most of the human race — busy with no patience to spend a lot of time dealing with stuff like this — you probably would pay little mind to clicking a link, entering in some additional info, and going along your way.
But E-ZPass consumers (and even some non-consumers) in seven states and territories have reported emails that look like official E-ZPass emails that are claiming unpaid fees and account violations.
As you might suspect at this point, they’re phishing emails, designed by those trying to trick a small percentage of people into blindly clicking and handing over some key information.
You might be thinking, “Meh, why should they care?” Say you’re E-ZPass and you have to contact users for actual issues in the future. Say those users have heard about this scam in passing, and just assume everything they get from E-ZPass is bad. More of that email gets deleted, customer service calls and inquiries go up, and the costs of a phishing attack get bigger and bigger.
So how did we get here?
Trying to scam people via email isn’t anything new and if you haven’t got an email from a Nigerian prince offering his fortune to you, you’re in the minority. Targeting senior citizens and those that simply don’t know any better, the scam is simple: develop an email that looks like an official company email, include some kind of threatening message or non-ignorable call-to-action, entice the user to click, take them to a phisher-built branded website, get some financial information, and boom: the nightmare begins.
Even as the bigger companies and brands have got smarter about email authentication (the security process in which a company can verify what email comes from them, thus helping prevent those trying to imitate them), that hasn’t deterred the nefarious side of the email world. Rather, those wanting to watch the world burn are simply are moving down the ladder and targeting midsize companies like E-ZPass.
How can companies prevent phishing attacks that involve their brand?
1 – Send all bulk and transactional email through a reputable sender.
Of course, I’d suggest us, but if you’re sending significant amounts of email, just send with someone that has deliverability experts that can help answer questions.
2 – Implement an SPF record on your domain record.
Here’s a how-to that we use, but essentially, your IT team is adding a TXT record to your domain records that verifies that email sent on your domain’s behalf through email service providers, Salesforce, etc is legitimate. Only you have access to make updates to your domain record, so you can see why this is a good way to validate email being sent on behalf of your domain.
3 – Implement DKIM.
This is another form of email authentication that involves a signature that is placed in the header of your email using a private key to encrypt it and a public key that is placed in DNS of the sending domain to decrypt it.
If that has you confused, here’s what happens in simple terms. The receiving mailbox provider (say Yahoo) gets these emails and breaks down the hash to verify what it’s telling them. If a bad guy has intercepted these emails and changed anything at all, the email won’t be decoded, and the email won’t be delivered. Through this process, the sending domain is validated. Success!
From DKIM.org: “Receivers who successfully validate a signature can use information about the signer as part of a program to limit spam, spoofing, phishing, or other undesirable behavior.” Best yet, DKIM is also easy to implement. For information’s sake, here’s how set up works in our portal.
4 – Implement DMARC.
Evolving in the past few years, DMARC is another form of email authentication that helps standardize consistencies for both email senders and email receivers. It’s all about security and reliability, and is key in helping to prevent phishing attacks.
Even though it’s relatively young, it took just one year for half of the top 20 sending domains to publish a DMARC policy and 70% of those domains asserted a policy that directed email receivers to take action against unauthenticated email messages. Again, any reputable email sender should be able to help you implement your own DMARC policy. If not, you’re with the wrong sender.
No matter who you send from, implementing email authentication like SPF, DKIM, and DMARC should be easy and well worth your time.
Hey, it could be worse. You could be dealing with E-ZPass’ headaches right about now.
Josh Nason is an Email Reputation Manager for Dyn, the world leader in Internet performance solutions. After nearly four years with the Marketing team, Josh moved to email full-time in order to help Dyn’s clients achieve better inbox success through their Email Reputation Management service. Follow Josh on Twitter.