The Federal Trade Commission (FTC) Bureau of Consumer Protection released a study this month (March 2017) indicating that business entities could be doing more to stop malicious emails from hitting the inboxes of employees. The goal behind many malicious emails is to trick individuals into turning over either their own confidential, personal information or confidential business information to which the individual has access due to his or her job responsibilities. Cyber criminals use social media sites such as LinkedIn, an entity’s own website, Internet search engines and other public resources to identify individuals with likely access to valuable information. The attacker uses such information to compose an email that spoofs an otherwise legitimate sender, such as a bank, mortgage company, Internet service provider (e.g., AT&T, Verizon, Spectrum, etc.), a business partner or even another employee. These malicious emails are commonly referred to as “phishing email” or “spoof email”.
The FTC’s report, titled Businesses Can Help Stop Phishing and Protect their Brands Using Email Authentication (Report), states that many businesses are not taking advantage of available email authentication tools that keep phishing and spoofed emails from reaching their intended victims. The Report is timely because phishing emails attempting to trick company personnel into turning over employee W-2s, Social Security numbers (SSNs) or other personal information pick up during tax season, as cyber criminals seek to file fraudulent tax returns and claim refunds. (During the 2016 tax season, we posted an article reporting on rampant Form W-2 and SSN email scams, which is still relevant today. In January 2017, the IRS renewed its Alert for W-2 scams targeting payroll and human resource departments.)
The Report highlights two major, low cost tools that are available to protect businesses and employees from spoof and phishing emails:
1) Domain-level email authentication tools. These tools let the receiving mail server verify that an email claiming to come from a particular business actually came from a server that business has authorized, by looking up records the business publishes in the Domain Name System (DNS). A domain (or “domain name”, such as example.com) is a name registered and resolved through DNS; the domain itself does not identify a single computer, but the DNS records published under it point to the servers that host the entity’s website and handle its mail, and they can also carry the authentication policies described here. The Report covers two domain-level authentication tools: A) Sender Policy Framework (SPF), a DNS record in which the domain owner lists the IP addresses or servers authorized to send mail for the domain, so that a receiver can check the connecting sending server against that list; and B) DomainKeys Identified Mail (DKIM), in which the sending server attaches a digital signature to each message that the receiver verifies against a public key the domain owner publishes in DNS. One caveat worth knowing: SPF checks the “envelope” sender address used during mail delivery, which is not necessarily the From address the recipient sees, so SPF or DKIM on their own do not guarantee that the visible sender is genuine. That gap is what the next tool closes.
2) Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC builds on SPF and DKIM and is likewise published as a DNS record for the domain. It enables an entity to accomplish primarily two tasks: A) Receive reports from receiving mail servers on who is sending mail in the entity’s name and whether it authenticated, which reveals how the senders of phishing or spoofed email are misusing the entity’s domain; and B) Instruct receiving mail servers how to treat messages that claim, in the From address the recipient sees, to be from the entity’s domain but that cannot be authenticated by SPF or DKIM with a result matching that From domain: monitor only, quarantine (for example, to the spam folder), or reject outright. Because the policy is keyed to the visible From address, DMARC protects a domain even for businesses that do not send email from it at all (a parked or web-only domain can publish a “reject” policy so that anything claiming to come from it is refused), and it can also be set to cover subdomains of the main domain.
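To make the two tools concrete, the following is an added example (not from the FTC Report or the law firm) of the checks a receiving mail server performs. It evaluates a simplified SPF record and applies a DMARC policy, including the “alignment” step that ties the SPF or DKIM result to the visible From domain. The DNS records, domains and IP addresses are constructed for illustration, and DKIM signature verification itself is assumed to have already happened (only the signing domain it yielded is passed in).

```python
"""Toy receiver-side SPF + DMARC evaluation (illustrative example, not FTC code)."""
import ipaddress
import re
from typing import Optional

# Constructed DNS TXT records for hypothetical domains (assumption: not real zone data).
DNS_TXT = {
    # example.com sends from its own /24 and from a third-party bulk sender via include:
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
    # p= applies to example.com itself, sp= to subdomains; adkim/aspf=r is relaxed alignment
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com",
    # A domain that sends no mail at all can still say "no authorized senders" and "reject".
    "parked.example": "v=spf1 -all",
    "_dmarc.parked.example": "v=DMARC1; p=reject",
}


def org_domain(domain: str) -> str:
    """Toy organizational-domain rule: last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for the connecting IP.
    Models ip4:, include: and the all mechanism with +/-/~/? qualifiers."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # mechanisms not modelled here (a, mx, exists, ...)
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def dmarc_policy(from_domain: str) -> Optional[dict]:
    """Look up _dmarc.<From domain>, falling back to the organizational domain for subdomains."""
    from_domain = from_domain.lower()
    record = DNS_TXT.get("_dmarc." + from_domain)
    subdomain = False
    if record is None:
        record = DNS_TXT.get("_dmarc." + org_domain(from_domain))
        subdomain = from_domain != org_domain(from_domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = dict(re.findall(r"(\w+)=([^;\s]+)", record))
    policy = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    return {"policy": policy, "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Alignment: the authenticated domain must match the visible From domain
    exactly (strict, 's') or share its organizational domain (relaxed, 'r')."""
    if auth_domain is None:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(source_ip: str, mail_from_domain: str, header_from_domain: str,
             dkim_domain: Optional[str] = None) -> dict:
    """Receiver-side decision for one message. mail_from_domain is the envelope sender
    (what SPF checks); header_from_domain is what the recipient sees (what DMARC protects);
    dkim_domain is the d= domain of a DKIM signature that already verified, if any."""
    spf = check_spf(mail_from_domain, source_ip)
    policy = dmarc_policy(header_from_domain)
    if policy is None:  # no DMARC record: nothing tells the receiver to block anything
        return {"spf": spf, "dmarc": "none", "action": "deliver"}
    spf_ok = spf == "pass" and aligned(mail_from_domain, header_from_domain, policy["aspf"])
    dkim_ok = aligned(dkim_domain, header_from_domain, policy["adkim"])
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    action = "deliver" if dmarc == "pass" else {"none": "deliver", "quarantine": "quarantine",
                                                 "reject": "reject"}[policy["policy"]]
    return {"spf": spf, "dmarc": dmarc, "action": action}


if __name__ == "__main__":
    print(evaluate("203.0.113.5", "example.com", "example.com"))           # legitimate: deliver
    print(evaluate("192.0.2.77", "example.com", "example.com"))            # spoof: reject
    print(evaluate("198.51.100.10", "mail.example.net", "example.com"))    # SPF pass, unaligned: reject
    print(evaluate("198.51.100.10", "mail.example.net", "example.com", "example.com"))  # DKIM aligns: deliver
    print(evaluate("192.0.2.77", "hr.example.com", "hr.example.com"))      # subdomain spoof: quarantine
    print(evaluate("192.0.2.77", "parked.example", "parked.example"))      # parked domain: reject
```

The third and fourth calls show why DMARC matters beyond SPF: the bulk sender’s mail passes SPF for its own envelope domain, but that result does not align with the example.com From address, so only an aligned DKIM signature lets the message through. The last call shows the Report’s point about domains that send no mail: publishing “v=spf1 -all” and a reject policy makes anything claiming to come from parked.example fail.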
The Report further explains how these two phishing or spoof email identification tools operate and provides tips on how to best implement them. The 10-page Report is available here. To read the FTC summary of the Report with links to other resources, click here.
If you are interested in hearing from business and industry representatives along with academia and government experts on identity theft, check out the upcoming, daylong FTC conference, Identity Theft: Planning for the Future, to be held March 24, 2017, in Washington, D.C. Attendees will examine the current state of identity theft, explore potential future challenges, and discuss how to address these issues.
If your entity has been attacked by cybercrime, contact a member of the Wyatt Data Incident Response Team, or other legal counsel, with experience in advising individuals, businesses and other organizations on how to respond to a cyber incident with an eye towards compliance with state and federal laws that may be triggered by the event.