Is DMARC the Answer to the Phishing Problem?

Phishing is a global problem plaguing many businesses. The statistics on phishing alone are scary. These three in particular should scare you: 65% of U.S. organizations were victims of a successful phishing attack, 1 in 15 U.S. Government employees are exposed to phishing attacks, and 3 billion phishing emails are sent per day.

Phishing is the problem, so what is the solution for your business? While there is no “magic bullet” that will end phishing entirely, there are a number of things you can do to help lessen your business’ risk.

  1. Cyber awareness training. Training everyone in your organization is just one step toward preventing phishing emails from disrupting your business. Teach staff how to recognize suspicious emails by looking at the headers, or simply by hovering over links to reveal the true destination domain. Often these links lead to a site asking for credentials, or prompt the user to download a trojan horse, which can lead to ransomware being installed on company devices. If a user still isn’t sure whether an email is legitimate, teach them that it is OK to call “the sender” to confirm the email is really from them. It is also important to train employees that phishing isn’t limited to email: it can arrive as SMS messages or over social media.
  2. Anti-Spam/Anti-Malware Software is a must. Anti-spam software applies a set of rules to identify unsolicited and unwanted messages and prevent them from reaching a user’s inbox. If the phishing emails never arrive in a user’s mailbox, the problem of a user mistake goes away. However, anti-spam software is not perfect: mail sent from spoofed or hijacked accounts can still get through.
  3. Domain-based Message Authentication, Reporting & Conformance (DMARC). DMARC is an email authentication protocol that lets a domain owner publish a policy telling receiving mail servers how to handle messages that claim to come from the domain but fail authentication, so that only authorized senders get mail delivered under the domain’s name. This helps stop spoofing attacks against your business’ email domain. With DMARC you have the ability to protect your domain from unauthorized use. DMARC also generates aggregate and forensic reports, which are useful for monitoring email traffic and identifying potential security risks. A report by email security company Valimail found that “1.9% of email from domains without DMARC enforcement is suspicious, while just 0.4% of email from domains with DMARC enforcement is suspicious.” It also seems that domains without DMARC are 5 times more likely to be the target of phishing emails than those that use it.
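To make the DMARC mechanism in point 3 concrete, here is an added example (not code from the original article or from any DMARC vendor) that parses a DMARC TXT record and applies its policy to a message, the way a receiving mail server does. The DNS records are constructed sample data standing in for a real `_dmarc.<domain>` TXT lookup, the `SAMPLE_DNS` table and all domain names are assumptions for illustration, and the organizational-domain logic is simplified (a real receiver consults the Public Suffix List). It also shows the difference between a monitoring-only policy (`p=none`, mail is delivered and only reported) and an enforcing one (`p=quarantine` or `p=reject`), which is the distinction behind the Valimail figures quoted above.

```python
"""Parse a DMARC record and decide what a receiver should do with a message.

Added illustrative example; the DNS data below is constructed, not real.
"""
from dataclasses import dataclass, field

# Assumption: stand-in for DNS TXT lookups of _dmarc.<domain> (constructed data).
SAMPLE_DNS = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; "
                           "ruf=mailto:dmarc-fail@example.com; adkim=s; aspf=r"),
    "_dmarc.monitoring.example": "v=DMARC1; p=none; rua=mailto:reports@monitoring.example",
    "_dmarc.nodmarc.example": None,  # domain that has published no DMARC record
}


@dataclass
class DmarcRecord:
    policy: str            # p=  : none | quarantine | reject
    subdomain_policy: str  # sp= : applies to subdomains; defaults to p
    adkim: str             # DKIM alignment: r (relaxed) or s (strict)
    aspf: str              # SPF alignment:  r (relaxed) or s (strict)
    rua: list = field(default_factory=list)  # aggregate report addresses
    ruf: list = field(default_factory=list)  # forensic/failure report addresses
    pct: int = 100         # percentage of failing mail the policy applies to


def parse_dmarc(txt):
    """Parse the tag=value pairs of a DMARC TXT record; None if not a valid record."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # A usable record must identify itself as DMARC1 and carry a policy tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    policy = tags["p"].lower()
    return DmarcRecord(
        policy=policy,
        subdomain_policy=tags.get("sp", policy).lower(),
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
        ruf=[u.strip() for u in tags.get("ruf", "").split(",") if u.strip()],
        pct=int(tags.get("pct", "100")),
    )


def org_domain(domain):
    """Simplification: last two labels stand in for the organizational domain."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the authenticated domain align with the RFC5322.From domain?"""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain, dns):
    """Find the record for the From domain, falling back to the org domain's sp=."""
    record = parse_dmarc(dns.get("_dmarc." + from_domain.lower()))
    if record is not None:
        return record, record.policy
    org = org_domain(from_domain)
    if org != from_domain.lower():
        record = parse_dmarc(dns.get("_dmarc." + org))
        if record is not None:
            return record, record.subdomain_policy
    return None, None


def is_enforcing(record):
    """Monitoring-only (p=none) reports spoofing but still delivers it."""
    return record is not None and record.policy in ("quarantine", "reject")


def evaluate(from_domain, spf_pass_domain, dkim_pass_domain, dns=SAMPLE_DNS):
    """Receiver-side disposition for a message given its SPF/DKIM results.

    spf_pass_domain / dkim_pass_domain are the domains that passed each check
    (None if the check failed or was absent).
    """
    record, policy = lookup_policy(from_domain, dns)
    if record is None:
        return "no-policy"  # receiver falls back to its own spam heuristics
    spf_ok = aligned(from_domain, spf_pass_domain, record.aspf)
    dkim_ok = aligned(from_domain, dkim_pass_domain, record.adkim)
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "deliver-and-report",
            "quarantine": "quarantine",
            "reject": "reject"}.get(policy, "deliver-and-report")
```

The interesting cases are the failures: a message claiming `From: someone@example.com` whose SPF pass belongs to an unrelated domain fails alignment and, because `example.com` publishes `p=reject`, is rejected; the same spoof against `monitoring.example` (`p=none`) is delivered and merely shows up in the aggregate report, which is why "having DMARC" and "DMARC enforcement" are not the same thing.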

While there is no magic that can make phishing disappear completely, it seems that DMARC, when used in conjunction with cyber awareness training and anti-spam software, can help reduce your business’ risk of falling victim to a phishing attack.