The past week has been one of extreme highs and lows for Hillary Clinton as she made history as the first female presidential candidate of a major political party while emails from the Democratic National Committee were hacked and released online.
Although the United States has not officially accused Russia of the security breach, Clinton suggested that Russian intelligence was behind the email hack in an interview over the weekend with Fox News Sunday.
Evidence points to spear phishing, an email spoofing attempt targeting a specific organization, as one of the main vectors of the attack.
Email phishing has also significantly increased this year, and the first quarter of 2016 saw the biggest jump in fraudulent scams in more than a decade, according to the Anti-Phishing Working Group (APWG). The global regulatory group recorded a 250% increase in phishing sites between October 2015 and March 2016.
Spear phishing and whale phishing, or email spoofing attempts impersonating leaders and CEOs, are also notoriously difficult to prevent because spam filters do not protect against social engineering attacks.
“There are no defenses against it,” says Markus Jakobsson, CTO and founder of security firm ZapFraud. “It’s not outlandish like Nigerian scams. It’s everyday behavior, such as acting like a colleague or requesting transfers to be made -- that makes it tough. It all comes down to mimicry.”
Jakobsson says cybercriminals leverage social media, corporate networks and data from past breaches to pose as individuals that email recipients have relationships with. He recommends that email users analyze the content of emails and look for known phishing story lines. For example, any wire transfer request with specific instructions should be re-evaluated, because vendors that a company already has a relationship with should have relayed their financial instructions beforehand.
Authenticating emails is another solution to deter phishing attempts, but Jakobsson says DMARC is not enough to protect brands from data breaches.
“DMARC is great, and it’s fantastic for what it does,” says Jakobsson. “But DMARC doesn’t protect everyone because only about 25% of users have it deployed."
DMARC, or Domain-based Message Authentication, Reporting & Conformance, is an email authentication standard that detects spoofing attempts, in which headers are altered to make an email appear to come from a legitimate source, but it does not protect against lookalike domains.
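To make the distinction concrete, the following Python snippet, an added illustration that is not code from the article or from any DMARC implementation, evaluates a message the way a receiving mail server applies a DMARC policy: it parses the sender domain's DMARC TXT record, checks whether the SPF- or DKIM-authenticated domain aligns with the domain in the visible From header, and returns the policy action on failure. The DMARC records, the hypothetical domains `example.com` and `examp1e.com`, and the message headers are all constructed sample data; the organizational-domain reduction is a simplified stand-in for the Public Suffix List lookup real DMARC uses. The last function shows why a separate lookalike check is still needed: a domain the attacker registered themselves passes DMARC cleanly.

```python
"""Minimal DMARC alignment evaluation plus a lookalike-domain check.

Added illustration only; records, domains and headers below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed DMARC TXT records keyed by publishing domain.
# A real receiver would query _dmarc.<domain> over DNS instead.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "examp1e.com": "v=DMARC1; p=none",  # hypothetical attacker-registered lookalike
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction: keep the last two labels.
    Assumption: real DMARC uses the Public Suffix List for this step."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class Message:
    header_from: str               # domain in the RFC5322.From header the user sees
    spf_domain: Optional[str]      # domain that passed SPF (MAIL FROM), or None
    dkim_domain: Optional[str]     # d= of a valid DKIM signature, or None


def dmarc_disposition(msg: Message) -> str:
    """Return 'pass', 'no-policy', or the policy action (none/quarantine/reject)."""
    record = DMARC_RECORDS.get(msg.header_from.lower())
    if record is None:
        return "no-policy"  # sender domain publishes no DMARC record
    tags = parse_dmarc(record)
    spf_ok = aligned(msg.header_from, msg.spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(msg.header_from, msg.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


def looks_like(candidate: str, trusted: str) -> bool:
    """Flag a domain that turns into a trusted one after common visual swaps.
    The substitution table is a small constructed sample, not exhaustive."""
    norm = candidate.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")):
        norm = norm.replace(bad, good)
    return norm != candidate.lower() and norm == trusted.lower()


if __name__ == "__main__":
    # Header spoof: From says example.com, but only attacker.net passed SPF.
    print(dmarc_disposition(Message("example.com", "attacker.net", None)))      # reject
    # Legitimate mail: aligned SPF domain.
    print(dmarc_disposition(Message("example.com", "example.com", None)))       # pass
    # Lookalike: attacker authenticates their own domain, so DMARC passes.
    print(dmarc_disposition(Message("examp1e.com", "examp1e.com", "examp1e.com")))  # pass
    print(looks_like("examp1e.com", "example.com"))                             # True
```

The third case is the gap the article describes: nothing in the DMARC evaluation is wrong, the attacker simply authenticated a domain they own, so any defense against lookalikes has to sit outside the authentication check, for example by comparing the From domain against a list of trusted domains as `looks_like` does.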
Dimitri Sirota, chief executive officer of security firm BigID, suggests that brands may want to prioritize preventative measures to limit exposure as opposed to detection services.
“There is a certain degree of inevitability now of getting breached,” says Sirota. “It’s increasingly becoming almost predictable that you will get breached. That doesn’t negate the need for defenses, but how do you take certain precautions in advance to be ready in the event of a breach?”
Sirota recommends email marketers practice preventative hygiene measures, such as deleting unnecessary data, and focus on response time to quickly notify who has been impacted by the security assault.
“Marketers are going to have to figure out what is worse – losing their data or losing their jobs,” says Sirota. “If exposure can be avoided through simple data list hygiene, because of omission or laziness or just reaching one other customer, that’s unacceptable.”