Gone Phishin'

When it comes to bad email, spam gets most of the ink.  Lots of articles get written, reports get issued, and data gets crunched, all in the service of defining and describing the problem of spam.  Spam, you might say, has a really good PR strategy.

Phishing, on the other hand, flies much more under the radar.

This shouldn't be the case. While phishing attacks seem to represent a smaller volume of messages (though hard data on that piece is difficult to find), they are extremely destructive.

Let's start at the top. The Anti-Phishing Working Group (APWG) reports the proportion of infected computers was nearly 48% Q4 2009.  While that is a slight decrease over Q3, it still means that nearly half of computers are infected. 

But that's no wonder when you consider that the APWG received roughly 30,000 reports of unique phishing email from consumers for each month in the fourth quarter of 2009. This metric likely undercounts the number of actual attacks significantly, since not all consumers know to report these emails to the APWG and not all consumers recognize the emails they receive as phishing attempts.  When my firm looks through spam trap and "report" spam reports from our reputation network, we've been surprised at which companies have been phished.  It's not just the banks; it's pretty much any company with a recognizable brand.



The impact on individuals is obvious.  Accounts get emptied, identities are stolen.  And nobody wants to be the guy who clicked on the link that brings down the entire office system.

The impact  on businesses is two-fold. First, many businesses make up the losses when their consumers are phished. This is especially true for financial services, and it represents a multi-billion-dollar problem.

But the second problem is that phish attacks undermine confidence in the channel. Consumers become wary, especially of email from brands that are often phished.  Financial services are the hardest hit, but they are by no means alone.  Phishers target retailers, payment processers, social networks and more.

And the ROI impact when consumers turn away from the email channel is profound.  I spoke with someone at a very big bank who said that customers who use email are 50% more valuable to him than those who do not.  These customers represent lower service costs and they have higher propensity to buy additional products, so they actually generate more revenue.  His goal is to bring more consumers into the email channel.

Email authentication is one path to eliminating many forms of phishing attacks.  Unfortunately, the adoption of authentication protocols by companies sending email has been slow and far from consistent. Companies have found it surprisingly difficult to figure out where all their email is coming from. The bigger the company, the more places there are to look. Because companies have struggled, ISPs aren't sure whom to trust. Can they block all unauthenticated email from, or will this cause customers to miss vital communications? Even in cases where companies have specified that unauthenticated email can be "discarded," the ISPs lack confidence that the company knows what that means or has implemented the protocol correctly.

Still, there are some trends in the market that give me some hope:

More ISPs are implementing authentication. The big boys have been leading the charge on authentication for a long time now. But the many other mailbox providers have been slow to implement authentication.  Now, we are seeing that more of the ISPs and mailbox providers we're working with have implemented or are in the process of implementing authentication.  Specifically, we see a lot of them implementing Domain Keys Identified Mail (DKIM). 

There are multiple initiatives underway to help mailers figure out where all their email is coming from to make authentication easier. There are several companies working on services to allow mailers to easily audit their mail streams -- to find out where all the mail is coming from.  In addition, there is work going on at the Internet Engineering Task Force (IETF, the organization that sets internet standards) to make it easier to find failed authentication.  Maybe you missed a server or have incorrectly authenticated a message -- this new standard would help you find those problems.

There are multiple initiatives underway to help mailers indicate that unauthenticated mail can be blocked.  The IETF released the Author Domain Signing Policy (ADSP) standard last summer.  This allows senders to signal to receivers what should be done with messages that fail authentication.  In addition, the same companies that are building better auditing tools are also creating registries of domains that are authenticating all their mail so that unsigned mail can be blocked.

Fixing this problem and eradicating phishing is going to be a long-term effort and require coordination  across the email ecosystem.  In the short term, doing everything you can to get all your email streams properly authenticated is one big step you can take to help in the overall effort. 

2 comments about "Gone Phishin'".
Check to receive email when comments are posted.
  1. Bruce May from Bizperity, May 12, 2010 at 10:50 a.m.

    Thanks for this look behind the curtain. I can't help but wonder why all these efforts to cure the problem have been so long in the making. The answer seems obvious and easy to implement: "the same companies that are building better auditing tools are also creating registries of domains that are authenticating all their mail so that unsigned mail can be blocked." Would not all companies using email readily embrace that approach? I would.

  2. Dave Fiore from davemail, May 12, 2010 at 10:59 a.m.

    Good article. I sometimes run into the opposite problem, though. I am creating email newsletters for clients and sending them proofs through our servers as one would expect. The problem comes when the proofs get blocked (to the client and others using the same domain in their email addresses) because the email address does not match the server for the email.

    The company server knows the email is coming from someone other than the person it recognizes by the email address.

    While I understand the value in that, it causes a real problem. It is hard to convince a client about solid deliverability when they cannot even get them.

    Lately, we have resorted to sending them the URL so they can view them online.

    I would love to hear any suggestions for a better solution.


Next story loading loading..