Technical controls are not, of course, the only means of controlling fraudulent Email. There are organisational and policy controls that can assist.
A common ‘policy approach’ adopted by organisations to combat phishing is to commit to one or more of the following:
- Not sending Emails to customers
- Not sending HTML-formatted messages
- Never including hyperlinks in messages
While common, these approaches are ineffective. They restrict the organisation’s ability to communicate efficiently with its customers, and they inconvenience the customer, who can no longer receive well-formatted information or links guiding them to items requiring their attention. Worse, the policy does not actually protect anyone: the organisation may know that its policy is never to send HTML messages or hyperlinks, but customers are unlikely to be aware of that policy no matter how often it is repeated. Such an approach also relies on ‘negative reinforcement’, conditioning customers to notice something that does not happen; by definition, an event that never occurs is a poor vehicle for reinforcing a message. Finally, it takes little creativity on the fraudster’s part to concoct a reason why this particular message is special and therefore does include a link.
So while common, this approach to combating fraudulent Email must count as one of the weaker pieces of sticking plaster.
One of the primary issues in setting an SPF policy, certainly in larger organisations, is identifying every source from which Email is sent using the organisation’s domain.
Often different departments within an organisation will have set up ‘one-off’ arrangements with external service providers that send mail on the organisation’s behalf, quoting its domain name in the From: address. It is quite possible that such a service spoofs the organisation’s domain without being authorised by its SPF record, and that the envelope sender (MAIL FROM) domain, the From: header domain and any DKIM signing domain do not match, so the messages fail a DMARC ‘domain alignment’ check. This is not only a problem for the technical counter-fraudulent Email controls described here; such misconfiguration will typically harm the deliverability of the messages themselves. Because this spoofed Email shares many of the characteristics of genuinely fraudulent Email, it is also likely to reduce the domain’s reputation score within ISPs and anti-spam products, which in turn leads to a general reduction in the deliverability of legitimate Email from the organisation.
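The alignment failure described above, as an added example that is not part of the paper: a small Python check of DMARC identifier alignment (RFC 7489) run over three constructed sets of authentication results. The domain names, the `AuthResult` structure and the simplified organisational-domain function are assumptions for illustration only; a real DMARC evaluation derives the organisational domain from the Public Suffix List and takes the SPF and DKIM results from the receiving server’s own verification. The example goes slightly beyond the paragraph by also showing strict alignment, which a domain can request in its DMARC record.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthResult:
    """What a receiving server knows after SPF and DKIM verification.

    Constructed for this example; a real receiver fills this in from its
    own checks, not from anything the sender asserts.
    """
    from_domain: str            # domain of the RFC5322.From header (what the customer sees)
    mail_from_domain: str       # domain of the RFC5321.MailFrom / Return-Path (envelope sender)
    spf_pass: bool              # SPF result for mail_from_domain
    dkim_domain: Optional[str]  # d= tag of a DKIM signature that verified, or None


def organizational_domain(domain: str) -> str:
    """Approximation used for relaxed alignment: keep the last two labels.

    Assumption: real DMARC derives this from the Public Suffix List so that
    names such as 'example.co.uk' are handled correctly; two labels suffice here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: exact match in 'strict' mode,
    same organisational domain in 'relaxed' mode (the DMARC default)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "strict":
        return a == b
    if mode == "relaxed":
        return organizational_domain(a) == organizational_domain(b)
    raise ValueError(f"unknown alignment mode: {mode}")


def dmarc_passes(r: AuthResult, aspf: str = "relaxed", adkim: str = "relaxed") -> bool:
    """A message passes DMARC when at least one authenticated identifier
    (SPF MAIL FROM domain or DKIM d= domain) both passed and aligns with
    the From: header domain. A passing-but-unaligned SPF result counts
    for nothing, which is the trap for 'one-off' third-party senders."""
    spf_aligned = r.spf_pass and aligned(r.from_domain, r.mail_from_domain, aspf)
    dkim_aligned = r.dkim_domain is not None and aligned(r.from_domain, r.dkim_domain, adkim)
    return spf_aligned or dkim_aligned


# Constructed scenarios (domains are illustrative, not real senders).

# 1. Official infrastructure: envelope sender and DKIM key belong to the domain.
OFFICIAL = AuthResult("example.com", "example.com", True, "example.com")

# 2. A department's one-off mailing provider: it puts From: example.com on the
#    message, but bounces go to the provider's own domain and it signs with its
#    own DKIM key. SPF passes for the provider's domain, yet nothing aligns.
ONE_OFF_VENDOR = AuthResult("example.com", "bounce.mailvendor.example", True, "mailvendor.example")

# 3. The same provider after technical review: a delegated subdomain carries the
#    bounces (with its own SPF record) and it signs with a key under example.com.
DELEGATED_VENDOR = AuthResult("example.com", "bounce.example.com", True, "mail.example.com")


def explain(r: AuthResult, aspf: str = "relaxed", adkim: str = "relaxed") -> str:
    """One-line verdict, handy when reviewing a sender's configuration."""
    verdict = "pass" if dmarc_passes(r, aspf, adkim) else "FAIL"
    return (f"From={r.from_domain} MailFrom={r.mail_from_domain} "
            f"spf={'pass' if r.spf_pass else 'fail'} dkim_d={r.dkim_domain or '-'} "
            f"-> DMARC {verdict} (aspf={aspf}, adkim={adkim})")


if __name__ == "__main__":
    for case in (OFFICIAL, ONE_OFF_VENDOR, DELEGATED_VENDOR):
        print(explain(case))
    # Strict alignment (aspf=s / adkim=s in the DMARC record) rejects the
    # delegated subdomain as well; only an exact domain match counts.
    print(explain(DELEGATED_VENDOR, aspf="strict", adkim="strict"))
```

The point of scenario 2 is that the provider is doing nothing wrong by its own lights: its SPF record is correct and its DKIM signature verifies. The failure is purely one of alignment with the domain the customer sees, and that is exactly the condition a recipient cannot distinguish from a phishing message carrying the same From: address. Scenario 3 shows the two routes to fixing it: delegate a subdomain for the envelope sender or give the provider a DKIM key under the organisation’s domain, and be aware that strict alignment in the DMARC record narrows what counts.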
One beneficial organisational policy is therefore to stop the proliferation of such ‘one-off’ Email-sending arrangements, and to ensure that any Email sent other than via the organisation’s official Email infrastructure is subject to thorough technical review, so that the messages do not look like fraudulent Email to recipient servers. Without that review the result is both poor deliverability of the messages and lasting damage to the domain’s reputation. This matters not only from a security perspective, making it harder for fraudulent Email to be sent, but from a marketing perspective: simply sending messages is not effective communication if ISPs, customers or customers’ anti-spam tools learn to treat the mail as spam and consign large proportions of it to the spam folder or the deleted-mail bin.
So there is a key message here: unless you adopt good Email-sending practices, which include the counter-fraudulent Email controls described in this paper, it is highly likely that a large proportion of the messages sent will never be read by their intended recipients. The controls described in this paper should therefore be of prime concern to marketing departments, as they not only constrain fraudulent Email but simultaneously increase the likelihood of customers receiving and reading the intended communications.