
Waging War Against Email Phishing with DMARC

By Jonas Falck
May 27, 2014

An abundance of channels exist today to communicate through online messaging, yet email remains the most mature method to do so and is an integral part of people’s daily activity. However, despite the maturity of email, it is still seen as the best weapon that spammers and hackers have in their arsenal to gain access to a user’s valuable information.

In fact, cybercrime is estimated to cost the global economy nearly $113 billion a year. Research firm The Ponemon Institute estimates that, in 2012, hackers cost American companies $277 for each customer account put at risk. Today, we send and receive 183 billion emails per day (statistics from 2013) and with figures this high, you’d think that corporations have done everything they can to prevent cybercrime, but unfortunately, that’s not the case.

While most people are aware of the primary weapons that are used by today’s modern hackers such as “phishing” or “spoofing” email attacks, most people don’t know that the technology to prevent them already exists. Sadly, this technology has not become ubiquitous, leaving corporations in particular vulnerable to unnecessary security and financial risks.

The Evolution of Email Phishing:

The first email was sent in 1971 over a network known as ARPANET (Advanced Research Projects Agency Network). A little over 10 years later in 1982, the first standardized email protocol known as SMTP (Simple Mail Transfer Protocol) was finally implemented. However, it took another decade for email to mature beyond these tools.

Although phishing attacks first began to appear in the 1990s, they have been the most common form of email attacks for the past five years. New sophisticated phishing attacks are now a daily occurrence, with banks or larger well-known brands usually being the target. These organizations, such as Skype, Netflix, Apple and Target, usually have a large number of clients, so spammers can go after millions of users knowing that a strong percentage of recipients will be customers and be exposed to malicious phishing attacks.

The purpose of phishing email attacks is to fool recipients into believing that the message is legitimate, so that users will click on the phishing email and be prompted to download malware in an effort to hack their computer and steal personal information. Phishing scams look identical to normal emails, and they are sent by familiar email addresses one would typically receive messages from. Phishing attacks are often so well crafted that not even savvy computer engineers can manually detect the difference between a trusted sender (the supposed sender) and a phishing scammer.

The usual infection caused by these attacks is malware being installed on targeted computers, enabling hackers to hijack sensitive user data, bank information, credit card details or login credentials. Phishing emails commonly contain Web links that look accurate on first inspection, but ultimately fool users into clicking on links that redirect them to a proxy website containing malware, viruses or scripts. In some cases, these proxy websites look identical to the website they are replicating, so these attacks usually catch unsuspecting users. Today, we see that these attacks are increasingly common and extremely difficult to identify.

Another common technique that spammers use during phishing attacks is known as “spoofing.” Email spoofing is used to fake the “from address” with any other type of address, as the SMTP standardization process allows for the “from address” to come from any source. By spoofing the “from address,” it is nearly impossible for recipients to determine if senders are legitimate or malicious through manual detection.

Enter DMARC.

The Solution:

“DMARC” (Domain-based Message Authentication, Reporting and Conformance) is an open-source technology founded in 2007 by a group of household names (PayPal, Yahoo, Google) who have consistently fallen victim to phishing and spoofing attacks. DMARC was developed to eradicate phishing and spoofing issues by ensuring that users never have to ask themselves: “Do I trust this sender?” or “Has this message been tampered with?”

Instead, DMARC helps to authenticate senders and enable receivers to reject unsolicited messages so that users never have to second-guess what is showing up in their inboxes. DMARC is a combination of DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework), making both message signatures and email origins trustworthy. In addition, built-in reporting capabilities enable systems to interact with DMARC and build policies based on learned behaviors. In order for DMARC to be 100-percent effective, it needs to be adopted by every email provider, making it mandatory for both senders and recipient email systems to verify for DMARC.

The fact of the matter is that phishing attacks would not occur if most organizations (companies, government and other domain owners) would start using DMARC, specifically for validating emails. An example of this would be deliberately misspelling the “from address,” which can easily be mistaken, by using zero “0” instead of the letter “o.” This technique is known as “spoofing.” These spoofing methods will explode in popularity once DMARC is used more widely, preventing spammers from phishing and using fake, yet seemingly official email addresses from brands. Through educating users, we can spot a spoofing attack with the naked eye; however, phishing attacks require DMARC, as even skilled computer technicians find it difficult to identify sophisticated phishing attacks.
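The receiver-side check described above, as an added example that is not part of the original article: a simplified DMARC evaluation (after RFC 7489) showing that a forged exact “from address” is rejected while the misspelled-address case falls outside the brand's policy. The `.example` domains, message fields and records are constructed; the organizational-domain rule is a two-label simplification, and the `sp` and `pct` tags are ignored.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not valid DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_dom, auth_dom, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def evaluate(msg, records):
    """Return deliver, none, quarantine, reject, or no-policy for one message."""
    from_dom = msg["from_domain"]
    txt = records.get("_dmarc." + from_dom) or records.get("_dmarc." + org_domain(from_dom))
    policy = parse_dmarc(txt) if txt else None
    if policy is None:
        return "no-policy"  # DMARC gives the receiver nothing to enforce
    # A bare SPF or DKIM pass is not enough: the authenticated domain must
    # align with the domain shown in the From header.
    spf_ok = msg["spf_pass"] and aligned(from_dom, msg["mail_from_domain"], policy.get("aspf", "r"))
    dkim_ok = msg["dkim_pass"] and aligned(from_dom, msg["dkim_d"], policy.get("adkim", "r"))
    return "deliver" if (spf_ok or dkim_ok) else policy["p"]

# Constructed DNS data: only the real brand domain publishes a DMARC policy.
RECORDS = {"_dmarc.shop.example": "v=DMARC1; p=reject; rua=mailto:dmarc@shop.example"}

# Constructed messages: genuine mail, a forged exact From, and a misspelled From.
MESSAGES = [
    {"from_domain": "shop.example", "spf_pass": True, "mail_from_domain": "bounce.shop.example",
     "dkim_pass": True, "dkim_d": "shop.example"},
    {"from_domain": "shop.example", "spf_pass": True, "mail_from_domain": "bulk-sender.example",
     "dkim_pass": False, "dkim_d": ""},
    {"from_domain": "sh0p.example", "spf_pass": True, "mail_from_domain": "sh0p.example",
     "dkim_pass": False, "dkim_d": ""},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["from_domain"], "->", evaluate(m, RECORDS))
```

The third result is why the misspelled-address case still needs user education or separate look-alike detection: the brand's `p=reject` record applies only to mail that claims the brand's own domain.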

For those wishing to implement DMARC for a brand or corporation, the first step is to visit http://dmarc.org/resources.html, which provides users with a complete list of training tips, articles, support tools, products and services, as well as message gateways, filters, or hosted mailbox services that all support and provide information about DMARC.

The Future of Email Security:

Fighting malicious spammers is a cat and mouse game that requires security vendors to constantly innovate and build smarter detection techniques, set new standards for the security industry and continually improve their solutions. New phishing threats have become part of the daily news cycle. Astonishingly, phishing emails currently infect more than 40 million users every year, yet we already have the technology to eradicate the threat with DMARC.

Twitter Postmaster Josh Aberant recently stated that after implementing DMARC for Twitter in February 2013, Twitter branded phishing emails dropped from 110 million per day down to just a few thousand. We can be sure that those few thousand emails that have slipped through the net have come from corporations with an email system that doesn’t implement DMARC.

For DMARC to work effectively, corporations, enterprises and Cloud Hosting providers must adopt DMARC across the board – only then will we see a complete end to phishing attempts. If these organizations do not recognize DMARC, then malicious phishing emails will get through to them. Corporations and hosting providers are lagging behind as they generally use their own email system, which does not integrate DMARC. Just ask Target, which last year was exposed by a phishing email that infiltrated 40 million customer accounts. The security industry is traditionally slow to adopt new protocols, but there is no reason that all security vendors, brands, corporations and businesses cannot apply DMARC in their email systems to recognize the brands that have already applied DMARC.

It is inevitable that spammers will continue to evolve and find new ways to infect our computers, phones, tablets and next, our “Internet of Things” applications. While household names like Gmail, Yahoo, and PayPal have implemented DMARC, this in turn has pushed spammers to begin targeting corporations that do not use DMARC. In fact, we discovered that of the Fortune 1000 companies, only 5.1 percent had implemented DMARC. However, the good news is that phishing and spoofing emails are something we can easily prevent and the only thing stopping us from doing so is everyone’s willingness to adopt DMARC as the ultimate solution.   

KEYWORDS: cyber risk mitigation cybersecurity tools DMARC tools email spoofing phishing


Jonas Falck, Halon Security CEO and Co-Founder, www.halonsecurity.com

Copyright ©2025. All Rights Reserved BNP Media.
