Combating Fraudulent Email

1 Executive Summary

The scourge of spam has been with us for as long as many of us can remember having Email accounts, with figures suggesting there are in excess of one trillion spam messages per month, although earlier peaks have neared six trillion.

Much has been written about the effects of spam: clogging Email infrastructure, consuming people’s time as they sort the good from the bad, and the cost to society, estimated at between $20 and $50 billion per year. However, spam, or ‘fraudulent Email’, has moved on from simply trying to sell you slimming and ‘enlargement’ medications and has become something much more insidious.

Video Introduction
A five minute video introduction...that actually runs 8 mins 24 seconds!

1.1 The corporate equivalent of identity theft

Fraudulent Email can be considered the corporate equivalent of identity theft; someone is using your name or brand, most likely as a means to defraud your customers, and committing this theft in your name.

The cost of such fraud, even if your organisation does not appear to be directly targeted, is in fact huge, as it saps trust in your organisation and decreases brand equity. It can ultimately close the door on the legitimate use of Email for any form of customer communication or notification, as customers and ISPs may simply learn to distrust anything bearing your ‘brand’, meaning the efficacy of Email communication drops off until it becomes unreliable. This is catastrophic in a ‘digital world’: customer communication costs rise and customer engagement falls, which in turn carries huge direct cost and profitability implications for the organisation.

But even an attack that does not directly target your organisation can still hurt you. For instance, the targeting of a bank’s online customers can result in the bank incurring fraud losses, even though the attack was against the customer, not directly against the bank. One of the largest losses of credit card and customer personal information ever to occur in the US came not from an attack on the organisation itself, but via a phishing attack carried out against a partner organisation. Using credentials stolen from the partner, the attackers gained access to the organisation’s systems, resulting in the loss of credit card and customer records for more than 110 million customers.

Fraudulent Email is not simply a nuisance; it is a threat to your brand and to your organisation’s efficiency, cost effectiveness and ultimately profitability. Even if not apparently targeting you directly, it can result in a direct loss to your organisation and ultimately it impacts customer trust in your organisation and your brand, something you cannot permit to occur.

1.2 A blended approach

Sadly there is no single silver bullet to rid you of the ills of fraudulent Email. This document therefore proposes a ‘blended approach’, divided into sections, each detailing a different aspect of this mix of techniques, to enable your organisation to tackle brand and domain name abuse.
Parts of the document are quite detailed and technical, but this is because it is designed as a ‘practical how-to’ guide. There is no point simply lamenting the state of fraudulent Email without offering a real solution. This document tries to provide specific, ‘do it like this’ advice, to enable your organisation to quickly regain control of your domain and prevent future abuse of your Email.

The approach encompasses six components:

  1. Technical Email control mechanisms, under the glorious acronyms of SPF, DKIM, ADSP and DMARC. These controls can be implemented by technical staff to help mail servers across the Internet distinguish genuine Email from your organisation from fraudulent messages simply claiming to be from you. This assembly of acronyms aims to ‘can the spam’.
  2. Domain acquisition and parking. This approach aims to gain control of domain names similar to your organisation’s name or brand and lock out the ‘bad guys’ before they try to use them, e.g. if you operate, ensure you also control and so can ‘lock down’ against fraudulent use.
  3. Monitoring real-world traffic. It is hard to take action if you do not know what is going on, so there are proposals to establish feedback and monitoring solutions that give you visibility of how bad an issue you face and where to focus your organisation’s efforts to combat abuse.
  4. Take-down services, which use intelligence from your monitoring service and other sources to find and disrupt infrastructure being used to carry out fraud campaigns against your customers under your brand or organisation’s name.
  5. Internal organisational policies that prevent well-intentioned internal efforts from making it easier for fraudsters to mimic your organisation’s legitimate customer communications. Introducing a new Email service can do significant damage to your brand if it is not done in a way that stops customers and ISPs from viewing it as spam and that does not open the door for fraudsters to copy your own marketing efforts for their own nefarious ends.
  6. And, looking to the future, providing a means by which ‘average consumers’, as opposed to ‘cyber techno-whizzes’, can readily tell genuine Email from fraudulent Email, so that links to fraudulent sites become easy to spot, report and avoid.
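As an added illustration of component 1 (example code, not part of the guide), the following Python shows how a receiving mail server combines SPF and DKIM results with DMARC identifier alignment to reach a verdict on a message claiming to come from your domain. The DMARC record, domains and authentication results are constructed for the example, and organisational-domain matching is simplified to the last two labels of a name.

```python
"""Added example, not from the guide: how a receiving mail server turns SPF and
DKIM results plus a published DMARC policy into a verdict on a message."""


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")  # DKIM alignment defaults to relaxed
    tags.setdefault("aspf", "r")   # SPF alignment defaults to relaxed
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' if an aligned SPF or DKIM pass exists, else the policy's p= action."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


# Constructed sample data: a published record and two incoming messages.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
GENUINE = dmarc_verdict(RECORD, "example.com", "pass", "mail.example.com", "pass", "example.com")
FORGED = dmarc_verdict(RECORD, "example.com", "pass", "unrelated.example", "none", "")

if __name__ == "__main__":
    print("genuine message:", GENUINE)  # pass
    print("forged message:", FORGED)    # reject
```

The forged message passes SPF for the sending host's own domain, but because that domain does not align with the From: domain the published p=reject policy applies.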

This paper sets out to provide a set of practical, cost-effective real-world controls that can be implemented to help your organisation constrain the unrelenting flow of fraudulent Email and allow you to regain control of your organisation’s identity and build customer trust in your communications.
