On Monday of this week, DMARC.org Executive Director Steven M Jones and a number of prominent colleagues spoke about email authentication and combating online fraud and abuse at Cloud & Messaging Day in Tokyo, Japan. The details of the event, in Japanese, are available at this link. The event featured, in order of appearance: Neil Schwartzmann of CAUCE; Angela Knox, Cloudmark's Senior Director of Engineering and Threat Research; DMARC.org's Jones; Severin Walker, Chairman of M3AAWG and Manager of Anti-Abuse Engineering at Comcast; and Shuji Sakuraba, a Senior Program Manager at Internet Initiative Japan, Inc and Chair of Japan's Anti-Spam Promotion Council, a joint industry-government organization.
Jones addressed two main points in his presentation. The first was the observation that many companies either do not have employee communications policies or do not enforce them, particularly when outsourcing services to vendors. The result is too often legitimate communications from vendors that carry all the hallmarks of phishing messages: multiple domains not affiliated with the company, an urgent call to action, clickable links that lead to a different domain than the one displayed, which in turn differs from the domain in the From: address, and so on. Employees who report these confusing messages as phishing are then told to accept them as legitimate.
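The indicators listed above are mechanical enough to check in code. The following is an added example, not part of the original post or of any DMARC.org tooling: it parses a constructed "legitimate" vendor notice and a constructed clean in-house notice, and flags display/href domain mismatches, link domains that differ from the From: domain, urgency wording, and the use of several domains unaffiliated with the recipient's company (taken here from the To: address). The sample messages, the urgency word list, and the two-label domain reduction are all assumptions made for the illustration.

```python
"""Flag the phishing hallmarks the talk describes in vendor e-mail.

Added illustration, not DMARC.org code. Both messages below are constructed
for this example; the recipient's company domain is assumed to be the To:
domain, and registrable_domain() is a deliberately crude stand-in for a
Public Suffix List lookup.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: a real benefits-enrollment notice from an outsourced vendor that
# looks exactly like the messages employees are trained to report.
SAMPLE_MESSAGE = b"""From: HR Benefits <benefits@example-hr.com>
To: employee@example.com
Subject: ACTION REQUIRED: enroll within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your enrollment window closes in 24 hours. Act now.</p>
<p>Log in at <a href="https://enroll.benefits-portal.net/login">https://hr.example.com/benefits</a></p>
<p>Questions? See <a href="https://example-hr.com/faq">example-hr.com/faq</a>.</p>
</body></html>
"""

# Constructed: the same notice sent from the company's own domain, linking only
# to the company's own hosts, with no urgency wording.
CLEAN_MESSAGE = b"""From: HR <hr@example.com>
To: employee@example.com
Subject: Benefits enrollment opens next month
Content-Type: text/html; charset=utf-8

<html><body>
<p>Enrollment is open through the end of the month.</p>
<p>Details: <a href="https://hr.example.com/benefits">hr.example.com/benefits</a></p>
</body></html>
"""

URGENCY_WORDS = ("action required", "act now", "within 24 hours", "immediately", "urgent")
# Visible link text that looks like a URL or bare hostname, e.g. "hr.example.com/faq".
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumed: last two labels stand in for the registrable domain."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def displayed_domain(text):
    """Domain a reader would infer from link text, or None if the text is not URL-like."""
    m = HOSTLIKE.match(text.strip())
    return registrable_domain(m.group(1)) if m else None


def analyze(raw):
    """Return a list of (indicator, detail) pairs; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = registrable_domain(msg["From"].addresses[0].domain)
    company_domain = registrable_domain(msg["To"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = _LinkCollector()
    collector.feed(body)

    findings, link_domains = [], set()
    for href, text in collector.links:
        href_domain = registrable_domain(urlparse(href).hostname)
        link_domains.add(href_domain)
        shown = displayed_domain(text)
        if shown and shown != href_domain:
            findings.append(("display_href_mismatch", f"shows {shown}, goes to {href_domain}"))
        if href_domain != from_domain:
            findings.append(("link_not_from_domain", f"{href_domain} vs From: {from_domain}"))

    haystack = (str(msg["Subject"]) + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    foreign = ({from_domain} | link_domains) - {company_domain}
    if len(foreign) >= 2:
        findings.append(("multiple_domains", ", ".join(sorted(foreign))))
    return findings


if __name__ == "__main__":
    for name, raw in (("vendor", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, analyze(raw))
```

The vendor message trips all four indicators while the in-house one trips none, which is the point of the talk: the difference between the two is not whether the sender is honest but whether the message was built to a communications policy. A production check would swap the two-label reduction for a Public Suffix List lookup and take the list of affiliated domains from the company's DMARC-covered domains rather than from the To: header.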
It seems likely that these practices undermine the anti-phishing training employees receive, which is typically only once a year. Given that, one has to wonder whether part of the reason phishing has been reported as the initial attack vector in over 90% of recent reported data breaches is that we have been training employees to be more vulnerable, particularly as the outsourcing of company benefits and other functions has become more and more common.
The second section of the presentation updated some email authentication statistics that have been shared at past events. Most notable was that, based on global DNS request data supplied by Farsight Security, there were three times as many DMARC policy records published at the end of September 2017 as at the end of September 2016. In addition, the governments of both the United States and the United Kingdom tripled the number of their domains publishing DMARC records over the first three quarters of 2017.
Readers are free to retrieve and read the presentation via this link.