Yes and No. Email is a highly valuable tool that has evolved to be more secure, but there are still ways to exploit email for nefarious purposes. Email users should be careful with how they use email and the emails they respond to. Let’s look at email security in more detail.

A Little History

Electronic mail originated on the early experimental Arpanet, the precursor to the Internet. At that point, all the interconnected servers were within high-security facilities. Since the security was on the outside, researchers did not consider protocol security; everything was sent in clear text – HTTP for browsing documents, FTP for sharing data files, and SMTP for electronic communications. When the Arpanet opened up to universities and then to businesses and private users, those same protocols were still transmitting data and passwords in clear text. Unfortunately, clear text communications are susceptible to man-in-the-middle attacks – corrupted computers or routers between the two computers in communication.

The early Internet was not secure, so new technologies were developed to improve security:

• HTTPS to secure online transactions involving credit cards
• SFTP to secure file transfers (now replace by HTTPS in many cases)
• TLS to encrypt email communications between email servers

With the adoption of TLS, Transport Layer Security, email was secured from potential man-in-the-middle attacks. However, there are other ways to exploit email.

Alternate Technologies

There were other technologies that attempted to “secure” email communications, all had various degrees of success, but none of them have really gone mainstream.

• PGP, or Pretty Good Privacy, used a Public-Private encryption key system to encrypt and decrypt email. Email was completely secure in transit, and from administrators, but unfortunately, PGP was bulky to use. TLS solved the problem of securing communication between servers without the user needing to do anything.
• “Secure” Email Servers are web servers where communication could be secured behind a password protected web login. It was not really email but a way to communicate in an email-like fashion. You often see these secure communications websites with Legal and Medical professions, but they suffer from bulky interfaces and the inconvenience of going somewhere other than your normal email applications to view the communication.
• Sender Verification Services respond to an unsolicited email with an email demanding the sender verify their identity. The goal here is to reduce the potential for spam and phishing attempts by creating a hurdle for senders to jump. The inbox provider then only passes on “verified” email to the user. This technique essentially removes any automated email, including newsletters, as marketing teams are unable to monitor the verification email. The downside is that a legitimate sender may not register so you miss important email.

The Threat of Spam and Phishing

Email is the #1 preferred method for perpetrating online scams. The marginal cost of sending an email is negligible and the rewards for a successful scam can be thousands or millions of dollars. According to Cisco, approximately 84% of all email is spam, much of which is phishing scams and much also escaping spam filters. By that measure, email is not “secure”.

“Securing” Email

Improving email security is not a single technology or vendor but involves changing business processes, adopting new standards and continuously adapting to the ever-evolving landscape of email scams. Some recommendations:

• Stop hosting your own email – Inbox providers like Gmail, Office365, Yahoo!, etc. have dedicated teams to managing and blocking spam and phishing. Most businesses would benefit by leveraging these external experts and outsourcing email inbox services.
• Turn on 2-factor authentication – Securing email communication, both sending and receiving, means securing access to email accounts. 2-Factor Authentication helps make email more secure.
• Invest in Spam and Phishing Awareness Training – Email scams exploit human weakness through social engineering to gain access to your email, bank accounts and secure data. Training your team to recognize these scams will improve your email security.
• Leverage DMARC and supporting technologies – SPF, DKIM, DMARC and BIMI work hand-in-hand to 1) declare who can send email on behalf of a domain, 2) digitally sign email from that domain, 3) report compliance to the sending domain, and 4) apply a corporate logo to compliant email. When a domain leverages these technologies, it is secured against being used in spam and phishing attempts and gives the recipients peace-of-mind that the email is genuine.

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

• Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
• Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
• Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
• Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
• Manage the on-going requirements of maintaining high levels of email deliverability

On-Premise Email Security Best Practices

If your company strategy requires on-premise email management, then there are some best practices you can adopt:

• Use Inbound Email filtering gateways – Out of the box inbound filtering either software or hardware will block most threats using threat detection algorithms. Basic gateways block blacklisted senders. More advanced options allow you to write your own acceptance policies.
• Create Advanced Acceptance Policies – Your business is unique. Threats come in many forms. Maybe you want to filter all incoming image files or executables or maybe eliminate objectionable terms associated with risks. Sophisticated algorithms might help protect your business.
• Accept only DMARC compliant email – One great idea that Google has pioneered is prioritizing DMARC compliant email. If you do the same, you dramatically reduce the potential for fraud and phishing emails making it to your users.
• Setup Outbound Email filters – You do not want to become a source of spam, so setting up filters to control outbound email will reduce the risk of being blacklisted or of sending spam emails within your network.
• Setup Advanced Outbound Policies – Advanced policies could include forcing the legal team to encrypt all outbound email or prevent emailing large files, executables, etc. Leveraging advanced policies will help make using email more secure.
• Setup DMARC for all outbound email sources – Adopting DMARC for all your outbound email sources will help you protect your sending reputation and reduce the risk of your domain names being used in spam.
• Invest in Spam and Phishing Awareness Training – As mentioned above, when employees are trained to recognize spam and phishing attempts, they are less likely to click on dubious links in spam and phishing attempts or click on and install malware.

While email was not initially designed with security in mind, new technologies are improving the security posture of email. Adopting these as they arise makes your business more secure and protects your users, clients and partners.

Inbox Providers work hard to stop email fraud and phishing scams from outside. Google, Yahoo! and Office365.com all utilize a mix of algorithms that include Blacklists, SPF, DKIM and DMARC compliance, Spam scoring and Relevance scoring to make inbox placement decisions. However, scammers have found an interesting loophole, by sending the spam from the Inbox Providers servers.

How does an Insider Scam work?

The trick to sending spammy email from within an Inbox Provider’s network is first to compromise an existing email box on the provider’s servers. This can be surprisingly easy! Google, Yahoo! and Office365.com have Millions of users. Corrupt one email box and a spammer can easily send email to every user on every domain that uses the Inbox Provider’s network. For example:

• An email from a corrupted Gmail account never leaves the Gmail network when sent to Gmail Inboxes so the email may skip other Gmail spam safeguards like content scanning and Junk/Spam folder analysis.
• An email sent from a Gmail account passes Blacklist, SPF, DKIM and DMARC for every domain using Gmail to send email, including emails sent outside the Gmail network, giving these emails a level of trust. A corrupted Gmail account therefore has the clout of Gmail behind it.

Inbox Providers have traditionally looked at Spam and Phishing as an external threat. With the transition of email from on-premise to cloud-based solutions, internal threats with compromised accounts will force Inbox Providers to change and adopt Internal Spam and Phishing analysis algorithms.

What can you do to protect your users?

You email users need to be aware that incoming email cannot be 100% trusted, even when using a reputable Inbox Provider. Invest in Fraud and Phishing training for your staff will raise awareness and help break some of the apathy with regard to security. Read up on more ways to recognize and combat Fraud and Phishing in our previous blog entry.

What can you do to protect your outbound email?

If you are not monitoring the quality of your outbound email, you are at risk for accidentally sending Fraud and Phishing emails from your Inbox Provider and other email sources. Every business should be monitoring Blacklisting, and SPF, DKIM and DMARC compliance from all email sources. With DMARC reporting, you receive feedback on how much of your email is passing SPF, DKIM and DMARC compliance to know how likely your email will make it to the Inbox of your recipients. MxToolbox Delivery Center provides all the information you need on email from your domain.

However, DMARC reporting and Strict DMARC policies will not prevent an Inbox Provider Insider attack using your domain name. For that, you need to use another feature of MxToolbox Delivery Center, Feedback Loops. Feedback Loops provide direct feedback from email recipients at different Inbox Providers on how each recipient views the email they received from you – Did it look like Spam, Phishing or Unsolicited Email? Did they unsubscribe?

Soon, Inbox Providers will implement algorithms to protect their users, scammers will find new ways to exploit your users and your domain for their own gain. In the meantime, beware the Inbox Provider Insider scams.