• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar

Red Sift Blog

Democratizing technology essential for cybersecurity.

Red Sift Blog
  • redsift.com
  • Featured
  • About
  • Get in touch
You are here: Home / Email / 20 years on and email impersonation remains rife

20 years on and email impersonation remains rife

by jay
October 4, 2017July 25, 2018Filed under:
  • Email

Did you know that every October we celebrate the birthday of the original email? In October 1971, computer engineer Ray Tomlinson successfully managed, after several months of trying, to get an email message to send from one computer to another sat beside it via ARPANET, a network of computers that served as a precursor to the internet.

While email turns 46 years old this month, it was not until the commercialization of the internet in the mid-90s that it truly took off as one of the world’s preeminent communications tools. Unfortunately, its meteoric rise also spawned massive misuse as over-zealous marketers followed by unscrupulous scammers began peddling unwanted wares, bogus communiqués and even computer viruses, to the masses.

Yes, email scams are more than 20 years’ old. In fact, phishing scams — long associated with email — actually began a few years’ earlier via AOL instant messaging, with attackers posing as AOL staff and demanding that users verify their accounts by handing over passwords or billing information.

However, as email took over as the preferred means of customer/organization engagement, the scammers quickly switched over to exploit this channel. egold, a digital gold currency founded in 1996, was one such target for phishing exploits and financial malware while email scams were in their infancy. Attacks against the company culminated in a major phishing scam in June 2001 targeting members of its mailing list, followed post-9/11 by a second round of phishing, disguised as ‘identity checks’ following the attack on the Twin Towers.

Financial institutions were always an obvious target for the scammers; these organizations not only held rich datasets on their customers, but, if they could get hold of the customers’ account details, they could steal from them directly. No surprise then that the technique used in the e-gold phishing scam was quickly adopted for use against customers of other financial institutions.

eBay and PayPal were two other companies that found themselves on the wrong end of email scams a decade ago, and which are still battling it out to rid themselves of email impersonation today. Back in 2006 it was revealed that 75% of all phishing scams were focused on eBay and Paypal, with phishing emails taking recipients to imitation websites of eBay and Paypal, and using their login details to commit identity fraud.

Another popular victim of the email scam was HMRC. Not only was it a ‘trusted’ entity in the eyes of email recipients, but it could legitimately demand specific pieces of personal or financial information from recipients. It took HMRC until 2007 to publish its first guidance regarding phishing emails and bogus communications, which came in response to a spate of fraudulent emails advising recipients that, ‘After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of £210. Please submit the tax refund request and allow us 6–9 days in order to process it.’ (https://testrs49814734.files.wordpress.com/2017/10/58f78-scamhmrc.png)

The tactic adopted by these scammers was markedly different to some of those gone before; instead of scaremongering, the authors attempted to induce recipients into parting with their details based on the promise of a financial rebate. It was a highly successful change of approach that let to a major upsurge in HMRC-related scams, to the extent that by 2016, a Which? survey found that 40% of adults had received phishing emails purporting to be from HMRC.

In response to this, HMRC deployed email authentication protocol DMARC (Domain-based Mail Authentication and Reporting Conformance), which is globally acknowledged as the only way to guarantee the legitimacy of email ‘from’ addresses. In the same year as the Which? survey, HMRC was able to stop 300 million emails in 2016 simply by achieving DMARC protection.

So where does this leave us in 2017? Well, email security providers continue to try and block fraudulent messages from false domains that purport to be from some of our well-recognized companies, as well as attempting to identify more personalized, targeted attacks that seek out known customers of other, perhaps less prominent, organizations. But where these systems fail is in clamping down on email impersonation from legitimate email domains. www.gov.uk may now be safe from spoofing thanks to DMARC deployment, but the same cannot be said for the majority of legitimate private sector domains. 46 years since the first email, and more than 20 years from the first email scam, this blind spot in organizations’ email security defenses remains worryingly exposed.

Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)

Related

Tagged:
  • Email
  • Fraud
  • Phishing
  • Security
  • Technology

Post navigation

Previous Post OnDMARC Newsletter: September 2017
Next Post Rebuilding full text search in Go for our server-less environment

Primary Sidebar

Recent Posts

  • 2021 The Threat Landscape: Brand protection and BEC attacks lead the charge
  • OnDMARC Wins “Best-Of DMARC” Award On Review Platform Expert Insights
  • The case for embracing DORA
  • Red Sift – Closing the Net on the Phishing Problem
  • Beware of this common NHS Covid-19 Vaccine email scam

Archives

  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • November 2016
  • October 2016
  • February 2016

Categories

  • AI
  • BEC
  • Coronavirus
  • Cybersecurity
  • Deliverability
  • DMARC
  • Email
  • Finance
  • Labs
  • News
  • OnINBOX
  • Partner Program
  • Red Sift Tools
  • Uncategorized
  • Work @ Red Sift

Copyright © 2021 · Milan Pro on Genesis Framework · WordPress · Log in