During the COVID-19 pandemic, attackers are exploiting uncertainty and fear with phishing emails aimed at individuals and institutions, spoofing trusted identities to evade detection. The threat is especially serious now that most people are working from home (WFH), away from direct IT support and relying heavily on email.
People are being warned to watch for fake CDC emails and other coronavirus-related phishing attacks. Valimail has found evidence of threat actors sending email from domains that look like the CDC, such as cdc.agency. (The real domain, cdc.gov, can't be spoofed directly because it is protected by a DMARC policy at enforcement, which is exactly why attackers fall back to look-alike domains.) Criminals have also sent coronavirus-themed phishing emails that abuse an open redirect on the Department of Health and Human Services' website to distribute malware.
Complicating matters, companies suddenly have many employees working remotely, which increases both the volume of email and the risk that someone who is stressed, tired, or distracted will click on a phishing link by mistake.
Responding to these risks does not have to be difficult, but organizations need to take deliberate steps to make sure they are protected.
Require multifactor authentication (MFA)
Mandate MFA for email accounts and for all corporate applications. This greatly reduces the risk of account takeover if an employee is successfully phished and hands a password to a credential-harvesting page. Where possible, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys: SMS codes and push prompts can still be relayed by a real-time phishing proxy that sits between the victim and the real login page.
Get DMARC to enforcement
Keep in mind that simply publishing a DMARC record gives you visibility (if it is correctly configured), but it won't stop phishers from spoofing your domain until you move to an enforcement policy (p=quarantine or p=reject). Set up SPF and DKIM correctly for every legitimate service that sends on your behalf, then publish DMARC with an enforcement policy to stop these attacks.
To help you get started, Valimail offers free DMARC visibility with Valimail DMARC Monitor, which can simplify the process for many organizations.
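The difference between a monitoring-only record and one at enforcement is easy to check by parsing the published TXT record. The following script is an added example, not code from the original article or from Valimail; the three DMARC records and the example.com domain are constructed for illustration, and in practice you would fetch the TXT record at _dmarc.<domain> and pass the string to `posture()`.

```python
"""Classify what a published DMARC record actually buys you.

Added example, not code from the original article or from Valimail.
The three TXT records below are constructed; example.com is a placeholder.
In practice you would fetch the TXT record at _dmarc.<domain> (for instance
with dnspython) and pass the string to posture().
"""
from __future__ import annotations

# Constructed records, as they would be published at _dmarc.example.com TXT
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=quarantine; pct=10; sp=none; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict and validate the mandatory tags."""
    # RFC 7489: the record must begin with v=DMARC1 and must carry a p= tag.
    if not record.lstrip().upper().startswith("V=DMARC1"):
        raise ValueError("not a DMARC record (must start with v=DMARC1)")
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("missing mandatory p= tag")
    return tags


def posture(record: str) -> dict:
    """Report whether the record gives visibility only or actually blocks spoofing."""
    tags = parse_dmarc(record)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()       # subdomain policy defaults to p
    pct = int(tags.get("pct", "100"))    # share of failing mail the policy applies to
    findings: list[str] = []

    if p not in ENFORCING:
        findings.append("p=none: receivers report spoofed mail but still deliver it")
    else:
        if pct < 100:
            findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
        if sp not in ENFORCING:
            findings.append(f"sp={sp}: subdomains of this domain can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility")

    return {
        "policy": p,
        "visibility": "rua" in tags,
        "enforced": p in ENFORCING and pct == 100,
        "subdomains_enforced": sp in ENFORCING,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, rec in (("monitor-only", MONITOR_ONLY),
                       ("partial", PARTIAL),
                       ("enforced", ENFORCED)):
        result = posture(rec)
        print(f"{label:13} enforced={result['enforced']!s:5} "
              + ("; ".join(result["findings"]) or "at enforcement"))
```

The `PARTIAL` record is the one that catches people out: p=quarantine looks like enforcement, but pct=10 applies it to a tenth of failing mail and sp=none leaves every subdomain open to spoofing. Only a record with p=quarantine or p=reject, pct at its default of 100, and no weaker sp= override actually blocks spoofing of your domain.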
Build a layered defense
Look into solutions that protect against email attacks by verifying the identity of the sender, not just the contents of the message or its context. Content-centric email security products often miss the most evasive phish, which contain no malware or malicious links but rely on the pretense that the sender has an existing relationship with the recipient and can therefore be trusted. Don't rely solely on traditional email protection that uses historical data (signatures, social graphs, behavioral baselines) to detect and stop phish: a first-contact message from a freshly registered look-alike domain has no history to match against.
Audit email-sending platforms and servers
Companies we work with are regularly surprised to discover that two or three times as many services are sending email on their behalf as they expected. DMARC aggregate reports and the include: chain of your SPF record are the quickest way to build that inventory. If you find services that aren't actively used or that don't need to send email, shut them off so they can't be used as a phishing channel.
The same goes for mail servers. Despite the move to the cloud, Valimail has found that most companies we work with have a few orphaned mail servers still actively sending messages, sometimes in surprising places, like that fax machine in your Hong Kong office. If a mail server isn't being used for a legitimate business purpose, turn it off.
The role of training
Anti-phishing training is essential, partly to teach people not to click on an obvious phish, but also to teach employees what to do when they receive an email that looks suspicious. Employees should never have to wonder what to do or how to respond when they see a suspicious message. Make it easy for them to report phish, and make sure a report actually reaches someone who can act on it.