Lou Garcia

Business Email: Communications, Security, & Reputation

Business email communications represent just that: your business.



In today's world, email is the lifeblood of business communications. It's used to communicate with prospective, existing, and former customers, partners, and vendors, and for internal correspondence. With its ability to quickly reach over 4 billion email users across the globe at minimal cost, it is no wonder that email is the primary method of communication for businesses today. What we cannot forget is that email is our official method of communication and therefore must be treated as an essential part of the business that must be protected.


In addition to email's reach and expediency, criminals take advantage of its commonplace use and the ability to anonymously reach individuals without ever having to actually meet them. Phishing is an extremely cheap tactic used by scammers to con individuals and businesses into giving up sensitive personal information (e.g., social security numbers, passwords, bank account and credit card information, etc.) or into transferring funds under the guise of official business. According to IBM's Cost of a Data Breach Report (2020), the average cost of a breach at a company with under 500 employees was $2.64 million, while the cost for a scammer to set up a phishing campaign can run as low as $34 a month (CSOOnline)!


In this blog, instead of focusing on how an individual can protect themselves from becoming a victim of a phishing attack, HOfficePro wants to share some high-level considerations a business should take to protect its brand from being used in external phishing campaigns and to protect itself from becoming a victim.


External Communications: Protecting the Brand

This can't be overstated: every time you send an email from your business domain, that email represents your business. Now, we are not going to go down the rabbit hole of what a professional email should look like (e.g., fonts, tone, content, etc.); instead, let's cover three basic techniques a business can employ to protect the validity of emails sent by the business while reducing the chances of malicious actors spoofing your domain. These techniques are employing digital certificates, establishing DMARC authentication and policy, and registering additional domains.


Digital Certificates

A digital certificate is a public key infrastructure tool that allows email senders to digitally sign and encrypt emails. In addition to securing the data both in transit and at rest, digital certificates provide the recipient with assurance that the email originated from the sender and not an imposter. The intent is to provide your external recipients with a high level of assurance that the communication originated from an authorized source. For more technical information on how digital certificates work, check out Sectigo's explanation.


If you choose to implement a digital certificate solution, you should use a trusted third-party certificate authority such as Sectigo (formerly Comodo), DigiCert, or IdenTrust. The advantage of using these services is that systems and services natively trust these certificate authorities, as they independently verify and attest to an applicant's identity.

A disadvantage to purchasing signed certificates from a certificate authority is the potentially high cost and maintenance associated with them. Costs fluctuate depending on the type you are purchasing and the validity period, which can range from around $16 for 30 days to $55 for 3 years, each. If cost is an issue, consider purchasing digital certificates for key personnel only, such as the CFO, and mandate that key communications (e.g., purchase orders, money transfers, etc.) must be digitally signed and that a secondary authentication mechanism (e.g., a telephone call) take place prior to taking any action.


DMARC

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication, policy, and reporting protocol that is published as a record in the domain owner's DNS. When used with the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication methods, DMARC can be configured by a business to stipulate two important things:

  1. Authorized email sending sources (i.e., domains and services)

  2. What to do with an email if the sending source is not authorized for the domain

When set up correctly, DMARC can protect the business's reputation (i.e., brand) by preventing delivery of emails sent by an unauthorized sender. For example, if a malicious actor spoofs a user from your email domain, such as "From: CEO <ceo@legitimatebusiness.com>", the receiving email gateway looks up your domain's DMARC DNS record and checks whether the sending email service is an authorized sending agent for the domain (as attested by SPF or DKIM). If it is not, the DMARC policy can instruct the recipient's email security gateway to block the message.


Another important feature of DMARC is reporting. When set up, reports can be sent to your security team to analyze email traffic patterns, including which emails sent using your domain did and did not pass DMARC authentication. By analyzing these reports, you can identify trends, including threats that have attempted to send email for your domain but lack the appropriate authentication to do so.


DMARC implementation is a low/no-cost solution that should be put in place as soon as possible. However, configuring it requires that you account for all authorized sending sources, such as your primary hosted email service (e.g., Office 365) and send-on-behalf services such as Salesforce.
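As an added example (not part of the original post), here is the shape of the DMARC DNS record this section describes, alongside a PowerShell check that reads back the published record and flags the weak settings a practitioner would want to catch. The domain and report mailbox are placeholders taken from the post's own examples; adjust them for your own tenant.

```powershell
# Added example: DMARC record to publish, and a check of what is actually live.
# Placeholders: the domain and the report mailbox below are not real values.
$Domain = 'hofficepro.com'

# Records to publish as TXT at _dmarc.<domain>. Start in monitoring mode to
# collect reports, then move to enforcement once every authorized sender
# (hosted mail, send-on-behalf services) passes SPF or DKIM alignment.
#   monitor:  "v=DMARC1; p=none; rua=mailto:dmarc-reports@hofficepro.com"
#   enforce:  "v=DMARC1; p=reject; rua=mailto:dmarc-reports@hofficepro.com; adkim=s; aspf=s"

function Get-DmarcTags {
    # Look up the live _dmarc TXT record and split it into a tag=value table.
    param([string]$Name)
    $txt = Resolve-DnsName -Name "_dmarc.$Name" -Type TXT -ErrorAction Stop |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' }
    if (-not $txt) { return $null }
    $tags = @{}
    foreach ($pair in (($txt.Strings -join '') -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $tags
}

function Test-DmarcRecord {
    # Report the findings a security team would act on: no record, a
    # monitor-only policy, or no reporting address (so no visibility at all).
    param([string]$Name)
    $tags = Get-DmarcTags -Name $Name
    if ($null -eq $tags) { return "No DMARC record published for $Name" }
    $findings = @()
    if (-not $tags.ContainsKey('p') -or $tags['p'] -eq 'none') {
        $findings += 'Policy is p=none (monitor only); spoofed mail is still delivered'
    }
    if (-not $tags.ContainsKey('rua')) {
        $findings += 'No rua= address; aggregate reports are not being collected'
    }
    if ($findings.Count -eq 0) { return "DMARC for $Name enforces p=$($tags['p']) with reporting" }
    return $findings -join "`n"
}

Test-DmarcRecord -Name $Domain
```

Run the check again after each sending service is added so that the move from p=none to p=reject never blocks a legitimate sender.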


Registering Look-alike Domains

Another tactic you can employ to protect current and prospective clients and vendors from falling prey to criminals is to purchase look-alike domain names. On the low end, a scammer can purchase a look-alike domain for $10/yr; or, if they want to be more sophisticated, $162/yr to set up digital certificates and a legitimate-looking website. For example, @hofficepro.com can be mimicked using the following email domain variants:

  • @h0fficepro.com

  • @hoff1cepro.com

  • @h0ff1cepr0.com

  • @hofficepro.org

  • @hofficepro.info

Purchasing and controlling look-alike domains prevents criminals from owning those domains and using them to send emails that can easily be confused with mail from your legitimate domain. For example:

From: Payment Office <payment@hofficepro.com>

From: Payment Office <payment@h0fficepro.com>


As you can see, it can be easy to trick someone into thinking that the communication came from the legitimate source, especially given that email is so commonplace that the average office worker can receive and process well over 100 emails a day. All it takes is one quick oversight for a business to become a victim.


The low-cost option of purchasing look-alike domains, between $10 and $20 a year per domain, is an easy-to-absorb budget expense that can protect your business reputation and customers. An additional benefit is that it can protect the business itself from becoming a victim of spoofed emails attempting to socially engineer employees.


Internal Security: Protecting Internal Communications

Business email compromise (BEC) costs rose almost 6% in 2020, from $1.7 billion to $1.8 billion, with the average cost to a business amounting to approximately $93,000 per BEC incident (FBI, Internet Crime Report 2020). Even with a strong user education base, it only takes one momentary lapse in judgement by one individual for a cybercriminal to scam the company out of thousands, and in some cases millions, of dollars. There are some simple low/no-cost options available to businesses to help reduce the chances of becoming a victim of BEC. These include setting up blocking rules, establishing external banner warnings, and stopping emails from being auto-forwarded.


Block Rules

Previously we discussed purchasing look-alike domains to protect your brand from being spoofed and used to trick external recipients. While that tactic also helps keep such messages away from internal recipients, a business can go further and explicitly block delivery from a plethora of look-alike domains, without spending additional funds, simply by setting up email security gateway rules. Take a look at the Office 365 Exchange rule set below, which enforces blocking of emails originating from various look-alike domains:

Now, when an incoming email attempting to mimic someone from the business arrives, the message is simply discarded. As additional look-alike domains come to light, simply add them to the list.


External Banners

When combined with a comprehensive security training and awareness program, setting up a warning message that an email originated from an external source can prove to be an effective way to get recipients to question the validity of the message's contents. All messages that originate from an external source should be clearly identified to the recipient so that the reader's training can kick in.

In the above example, if one of the accountants in a business were to receive this message, the warning banner would indicate to the reader that the message could not have come from the CFO's authorized internal email address. Now, instead of wiring the funds, the accountant can immediately alert the cybersecurity team, who can in turn ensure that the domain "@hofficepr0.co" is added to the block list and that any messages in the environment from that domain are purged.


Restricting Auto-Forwarding Rules

Auto-forwarding rules can be a useful tool; however, they are even more useful to whoever controls a compromised email account. By setting up an auto-forwarding rule, either an external or an internal malicious actor (e.g., a disgruntled employee) can have communications automatically forwarded outside of the organization unbeknownst to anyone. Imagine proprietary information or social security numbers that are supposed to be closely guarded by your company being automatically sent to unauthorized recipients!


Using your email security gateway rules, a rule should be created and enforced that blocks auto-forwarded emails from leaving the controlled environment. In addition, an alert should be generated and forwarded to your cybersecurity team, informing them of such activity for investigative purposes.

This setting should complement a baseline policy that prevents auto-forwarding rules from being created at the client or application level. For example, if an individual uses a preferred email client on a personally owned device, any emails sent by auto-forwarding rules set on that client will still fail at the gateway.
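The three gateway controls from this section (the look-alike block rule, the external banner, and the auto-forward block with an alert) as Exchange Online transport rules, written as an added example and not taken from the original post. It assumes the ExchangeOnlineManagement module and an account allowed to manage transport rules; the domain names are the post's own look-alike examples and the security team mailbox is a placeholder.

```powershell
# Added example: Exchange Online transport rules for the controls described above.
# Placeholders: the look-alike domains and secops@hofficepro.com are not real values.
Connect-ExchangeOnline

# 1. Block rule: discard inbound mail from known look-alike sender domains.
$LookAlikeDomains = @('h0fficepro.com', 'hoff1cepro.com', 'h0ff1cepr0.com', 'hofficepr0.co')
New-TransportRule -Name 'Block look-alike sender domains' `
    -FromScope NotInOrganization `
    -SenderDomainIs $LookAlikeDomains `
    -DeleteMessage $true `
    -Comments 'Look-alikes of hofficepro.com; extend as new ones are reported'

function Add-LookAlikeDomain {
    # Append a newly reported look-alike to the existing rule instead of recreating it.
    param([string]$RuleName, [string]$NewDomain)
    $rule = Get-TransportRule -Identity $RuleName
    $domains = @($rule.SenderDomainIs) + $NewDomain | Select-Object -Unique
    Set-TransportRule -Identity $RuleName -SenderDomainIs $domains
}

# 2. External banner: prepend a visible warning to every message from outside.
$Banner = '<p style="background:#fff3cd;border:1px solid #856404;padding:6px">' +
          '<b>EXTERNAL:</b> This message came from outside the organization. ' +
          'Verify payment or credential requests by phone before acting.</p>'
New-TransportRule -Name 'External sender banner' `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $Banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 3. Auto-forwarding: turn it off tenant-wide, then reject any forwarded message
#    that still reaches the gateway and send the security team an incident report.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
New-TransportRule -Name 'Block and report auto-forwarded mail' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding outside the organization is not permitted.' `
    -GenerateIncidentReport 'secops@hofficepro.com' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections
```

The incident report gives the security team the sender mailbox to investigate, since an auto-forward attempt from inside the tenant is a sign that the account or its client may be compromised.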


Summary

In this blog, we shared with you six different low- to no-cost tactics a business can use to protect its brand as well as the business itself. While there is no way to completely eliminate the threat of becoming a victim, you can take steps to reduce your vulnerability footprint, making the adversary's job much more difficult.


