Super Bowl LVI in California is almost upon us, and for millions of NFL fans around the world, it’s the most exciting time of the year. Unfortunately, it’s also a great opportunity for online and offline fraud. Every year, there is a new announcement of a ticket scam or a fraudulent merchandise.
While Email Security might not be on the minds of fans or businesses preparing for the big game, it should be. Email is still number one vector for starting a hack, cyber attack or online scam. Email is one of the easiest (and cheapest) ways to distribute a message and reach an audience. For legitimate businesses, email is also one of the easiest ways to make a mistake, caught in spam traps and have you message lost. For scammers, this is the opportunity to strike with intricate phishing and spoofing campaigns.
How do Email Settings affect Security?
Email security settings, specifically SPF and DMARC records, are both key to reaching your customers and preventing your brand from being exploited by fraud and phishing attempts.
SPF allows a domain owner to declare what IP addresses are legitimate senders of email for that domain. Inbox Providers check SPF records as part of delivering email that is sent from your domain. Spoofers can easily fake sending email from your domain, but if there servers are not in your SPF records then it will fail the Inbox Provider’s checks. Correct SPF records are therefore a minimum security precaution.
In addition, your domain’s DMARC record can tell an Inbox Provider like Google, Yahoo! or Outlook.com how to treat a particular email. There are three security levels to DMARC:
- None, meaning accept all email from my domain even if it fails SPF and DKIM checks. This has the lightest level of security for your domain and allows Spoofing and Phishing attempts to make it to your customers’ inboxes.
- Quarantine, meaning segregate emails that fail SPF and DKIM checks to a separate folder. This means that some email from fraudsters might end up in Spam or Junk.
- Reject, meaning straight up reject any email that fails SPF and DKIM checks. This has the highest level of protection from fraud and phishing attempts, but may mean that occasionally legitimate email is blocked.
Reject policies are great, but do require regular review of your rejected email. We highly recommend that everyone adopt a “Reject” policy as soon as possible and allocate some time to reviewing rejected email for legitimate content, as well as outbreaks of fraud and phishing attempts thwarted by DMARC.
More information on DMARC tags can be found in our help tools here.
Top Ticket Vendor Domains
If you want to attend the Super Bowl in Inglewood, your best chance for buying a face-value ticket is to be a season ticket holder of an NFL team. If you’re not a season ticket holder, getting tickets will likely require going through 3rd-party sellers and brokers.
Some of the more popular and respected ticket supplier domains include:
- https://nflonlocation.com/ (SPF record only)
- https://hofexperiences.com (SPF record only)
- https://seatgeek.com/ (SPF and DMARC records; p=none; pct=100)
- https://www.stubhub.com/ (SPF and DMARC records; p=none)
- https://www.ticketmaster.com/ (SPF and DMARC records; p=none)
- https://www.vividseats.com/ (SPF and DMARC records; p=none)
While all of these have a minimum security posture of an SPF record, none have a Reject DMARC policy, setting them up for potential exploitation by scammers. Consumers may need to use extra caution when opening and interacting with emails that claim to be from most online Super Bowl ticket suppliers, especially if there are tell-tales of spam.
Let’s look at a few other related online suppliers…
Top NFL Domains Used to Communicate with Fans
- https://www.nfl.com/ (SPF and DMARC records; p=none)
- https://nflcommunications.com/ (N/A for all four)
- https://www.espn.com/ (SPF and DMARC records; p=none)
Top Hotel Domains Near Stadium
- Best Western Plus Suites Hotel Inglewood [1.4 miles]: https://www.bestwestern.com/ (SPF record only)
- Hampton Inn Los Angeles Airport Hawthorne [1.4 miles]: https://www.hilton.com/ (SPF and DMARC records; p=quarantine)
- Holiday Inn Express & Suites Hawthorne [1.5 miles]: https://www.ihg.com/ [SPF and DMARC records; p=none)
- Wingate by Wyndham Hotel Inglewood [1.7 miles] https://www.wyndhamhotels.com/ (N/A for all four)
- Westin Hotel LAX Airport Los Angeles [1.9 miles] https://www.marriott.com/ (SPF and DMARC records; p=reject; pct=10]
Top Airline and Travel Agent Domains
- https://www.roadtrips.com/ (SPF and DMARC records; p=none)
- https://bullseyeeventgroup.com/ (SPF record only)
- https://www.sportstraveler.net/ (SPF record only)
Opportunities for Improvement
Unfortunately, it appears that many domains are not fully protected by SPF and DMARC records, meaning that consumer safety is up to the Inbox Provider and the consumer themselves. Email hackers and online scammers are ready to take advantage of any companies that aren’t safeguarded against attacks. The Super Bowl is just a single yearly event to exploit, but smaller businesses are also susceptible and less likely to recover. Adopting SPF, DKIM, and DMARC is both critical and inexpensive.
If you are a business owner, now is the time to improve your outbound email security by adopting SPF, DKIM and DMARC. It will improve your email delivery and safeguard your brand against Fraud and Phishing attempts.
If you are a consumer, businesses are slowly adopting DMARC, so until then, keep vigilant about the email you receive!