The industry needs to do more to prevent the sharp rise in COVID-19 phishing attempts.
In an open statement shared with Infosecurity, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) made a call for further steps to be taken to “authenticate and secure sending domains and email addresses by deploying email authentication at scale and at enforcement.”
It said preventing rampant phishing, emboldened and bolstered by the global pandemic, should be the top priority for domain owners, as email authentication is crucial to ensuring the flow of critical information.
It explained that organizations, including those on the front lines of the battle against COVID-19 and those involved in the impending general election in the United States and the rest of the world, must be protected from misinformation campaigns and phishing.
“The deployment of correct email authentication requires a careful and measured approach,” the statement said.
M3AAWG and its members strongly encouraged domain owners, who operate email programs, to adhere to the following email authentication parameters when publishing and signing their various records:
- Publishing SPF records with at least ~all, or -all if the domain does not send email
- Signing all mail with aligned DKIM
- Publishing DMARC policies for organizational domains — even non-sending ones — at enforcement: using at least p=quarantine, although p=reject is preferable, across the entire domain and all subdomains without exception
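As an added illustration (not part of the M3AAWG statement or the original article), the three parameters above can be checked mechanically against a domain's published TXT records. The Python below does this for constructed sample records; the function names and the two-label organizational-domain shortcut are assumptions made for the example.

```python
# Added example. All record strings below are constructed samples, not real DNS data.

def spf_findings(txt, sends_mail=True):
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["no SPF record"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:  # records that rely on redirect= are out of scope here
        return ["SPF has no 'all' mechanism"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare "all" means +all
    if qualifier in "+?":
        return [f"SPF uses {qualifier}all, weaker than ~all"]
    if qualifier == "~" and not sends_mail:
        return ["non-sending domain should publish -all"]
    return []

def dmarc_findings(txt):
    tags = dict((k.strip().lower(), v.strip().lower())
                for k, _, v in (part.partition("=") for part in txt.split(";")) if v)
    if tags.get("v") != "dmarc1":
        return ["no DMARC record"]
    enforcing = ("quarantine", "reject")
    policy = tags.get("p", "missing")
    sub_policy = tags.get("sp", policy)  # sp falls back to p when absent (RFC 7489)
    findings = []
    if policy not in enforcing:
        findings.append(f"p={policy} is not at enforcement")
    if sub_policy not in enforcing:
        findings.append(f"sp={sub_policy} leaves subdomains unenforced")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings

def dkim_aligned(from_domain, dkim_d, strict=False):
    # Assumption: organizational domain = last two labels; real validators use
    # the Public Suffix List, and this shortcut is wrong for suffixes like co.uk.
    a, b = from_domain.lower().split("."), dkim_d.lower().split(".")
    return a == b if strict else a[-2:] == b[-2:]

SAMPLES = {  # domain: (SPF TXT, DMARC TXT, domain sends mail?) - constructed
    "sender.example": ("v=spf1 include:_spf.mailer.example ~all", "v=DMARC1; p=reject; rua=mailto:d@sender.example", True),
    "parked.example": ("v=spf1 ~all", "v=DMARC1; p=none", False),
    "partial.example": ("v=spf1 ip4:192.0.2.10 ?all", "v=DMARC1; p=quarantine; sp=none; pct=50", True),
}

def audit(samples=SAMPLES):
    return {domain: spf_findings(spf, sends) + dmarc_findings(dmarc)
            for domain, (spf, dmarc, sends) in samples.items()}
```

Calling `audit()` returns an empty findings list for `sender.example` and three findings each for the other two sample domains.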
The statement warned that, during this time of pandemic, “it is more essential than ever that malicious actors are not able to impersonate trusted sources of information or assistance.”
The full suite of email authentication protocols is the best way for a sender to establish and affirm their identity when sending email, and by creating barriers to impersonation, a sender’s identity becomes more trusted and harder to forge, thereby restoring trust because the sender is who they claim to be.
M3AAWG acknowledged that implementing email authentication can be challenging and time consuming, current circumstances notwithstanding, so M3AAWG and its members are ready to help the sending community with resources, free tools and documented best practices to protect their brands, domains and email addresses from impersonation.
“Combatting the assault on our inboxes is a collective endeavor, the importance of which is even more profound given the pandemic and the increased importance of achieving digital proximity while remaining physically distant,” it said.
In an email to Infosecurity, David Appelbaum, CMO of Valimail, said the company is seeing a marked rise in DMARC deployment across the board, not just from its own customers, but among all domains worldwide.
“The rash of COVID19-themed phishing attacks, many of which have spoofed those governments and NGOs left unprotected by DMARC, has absolutely contributed to an increased awareness of DMARC (not to mention DKIM and SPF),” he said.
“M3AAWG is absolutely right to recommend DMARC, and in particular, to insist on the importance of configuring it with an enforcement policy. Anything less leaves domain owners open to being spoofed by the worst kind of opportunistic criminals.”