Boosting email security amid recent Coinbase phishing attempts

In recent weeks, there have been reports of sophisticated phishing attacks disguised as official communication from the cryptocurrency platform, Coinbase. These phishing emails closely mimic Coinbase’s branding and language to build recipient trust and prompt clicks on malicious links. The emails generally follow a format: the sender’s address starts with either info@[domain], noreply@[domain], or contact@[domain], followed by one of these subject lines:

  1. Action Required: [string of text]. [date and time]
  2. Please complete your Coinbase verification
  3. Restricted account — You need to complete your Coinbase verification

Red Sift’s research indicates that the attackers are forwarding these emails from Google using Google Groups. The attacker will create a domain on Google Workspace, and then email the group that was set up from the spoofed domain. By using Google’s IP reputation, lack of guardrails in Google Groups, and use of ARC, they hope to bypass spam filters.

Notably, one bad actor’s email address, traced through a reverse search, was linked to 400 domains registered since September 2024.
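The traits reported above can be checked together on a received message. The following triage sketch is an added example, not Red Sift's detection logic; the indicator names, the sample messages, and the assumption that a group-forwarded message carries a List-ID header and that the receiver stamps an Authentication-Results header are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sender local parts and subject wording taken from the report above.
LOCAL_PARTS = {"info", "noreply", "contact"}
SUBJECTS = re.compile(
    r"^Action Required: |complete your Coinbase verification", re.IGNORECASE)

def indicators(raw: str) -> list[str]:
    """Return the campaign traits present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    found = []
    local = parseaddr(msg.get("From", ""))[1].lower().partition("@")[0]
    if local in LOCAL_PARTS:
        found.append("generic-sender")
    if SUBJECTS.search(msg.get("Subject", "")):
        found.append("campaign-subject")
    if msg.get("List-ID"):  # assumption: group forwards carry List-ID
        found.append("list-forwarded")
    if msg.get("ARC-Seal"):  # ARC chain added by an intermediary
        found.append("arc-sealed")
    auth = " ".join(msg.get_all("Authentication-Results", []))
    if re.search(r"\bdmarc=fail\b", auth, re.IGNORECASE):
        found.append("dmarc-fail")
    return found

def is_suspect(raw: str) -> bool:
    """Lure wording plus either a DMARC failure or a list forward."""
    hits = set(indicators(raw))
    lure = {"generic-sender", "campaign-subject"} <= hits
    return lure and bool(hits & {"dmarc-fail", "list-forwarded"})

# Constructed sample messages (not real captures).
FORWARDED = """\
From: Coinbase <noreply@brand.example>
Subject: Please complete your Coinbase verification
List-ID: <updates.workspace.example>
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=sel; b=constructed
Authentication-Results: mx.example.org; dmarc=fail header.from=brand.example

body
"""
DIRECT = """\
From: Coinbase <noreply@brand.example>
Subject: Please complete your Coinbase verification
Authentication-Results: mx.example.org; dmarc=pass header.from=brand.example

body
"""
```

A message that matches the lure wording but arrives directly with dmarc=pass is not flagged, which keeps the brand's genuine notifications out of the results.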

What is phishing? 

Phishing emails rely on a technique known as email spoofing, which involves falsifying the sender’s address to make the email appear as though it’s coming from a legitimate source. This tactic effectively deceives recipients, making it hard for even cautious users to distinguish fraudulent emails from real ones. Bad actors masquerading as Coinbase make the user more likely to fall for urgent or alarming messages given the financial implications of not taking action.

Coinbase is just one of many high-profile brands exploited for its recognition, routinely imitated for use in phishing campaigns. This prevalence underscores the urgent need for companies to take proactive measures in securing email domains against unauthorized use, ensuring that their customers aren’t exposed to increasingly sophisticated phishing scams. A comprehensive approach to email security, including advanced authentication protocols like Domain-based Message Authentication, Reporting, and Conformance (DMARC), is essential to mitigate this risk.

Implementing a DMARC policy is the first step in combating email spoofing. DMARC allows organizations to define who is authorized to send emails from their domain and specifies how to handle messages that fail authentication checks. This is how Red Sift was able to identify the attack, after a noticeable spike in DMARC rejections from emails sent via Google. Achieving a DMARC policy of p=reject is the most secure approach, as it ensures that any unauthenticated email that fails the verification process is automatically blocked, protecting the sender and receiver.
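To see where a domain stands relative to p=reject, the published DMARC TXT record can be parsed and graded. This is an added example, not OnDMARC code; the posture labels and the sample records are constructed, and the tags (v, p, sp, pct, rua) are those defined in RFC 7489.

```python
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt: str) -> dict[str, str]:
    """Split a DMARC TXT record into a lowercase tag -> value mapping."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt: str) -> tuple[str, list[str]]:
    """Return (posture, findings) for one record.

    Posture labels are this example's own: invalid, monitor-only,
    partial, enforced.
    """
    tags = parse_dmarc(txt)
    if not txt.lstrip().startswith("v=") or tags.get("v") != "DMARC1":
        return "invalid", ["record must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        return "invalid", ["missing or unknown p= tag"]

    findings = []
    # sp= covers subdomains and defaults to the value of p=.
    sub = tags.get("sp", policy).lower()
    if STRENGTH.get(sub, 0) < STRENGTH[policy]:
        findings.append(f"subdomain policy weaker than p= (sp={sub})")
    # pct= defaults to 100; anything lower leaves some failing mail untouched.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number")
    if pct < 100:
        findings.append(f"policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports")

    if policy == "none":
        return "monitor-only", findings
    if policy == "reject" and sub == "reject" and pct == 100:
        return "enforced", findings
    return "partial", findings
```

A record such as `v=DMARC1; p=reject; sp=none; pct=50` grades as partial: the organizational domain rejects only half of failing mail, and subdomains remain spoofable.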

How Red Sift’s OnDMARC can support financial services with email security

Red Sift’s OnDMARC solution is a powerful tool for companies aiming to achieve DMARC compliance with ease and confidence. OnDMARC guides businesses through the process of setting up and optimizing their DMARC policies, helping them transition from p=none or p=quarantine to p=reject. OnDMARC simplifies this complex process, helping authorize legitimate senders while blocking fraudulent emails. This level of protection is invaluable for companies like Coinbase, which face heightened impersonation risks.

OnDMARC also provides detailed reporting and forensics, allowing companies to monitor email authentication attempts and detect any unauthorized email activity early, thereby proactively mitigating potential risks. This visibility has played a vital role in protecting Red Sift customers from phishing attacks disguised as legitimate Coinbase emails. In addition, OnDMARC also offers support for organizations at all stages of DMARC implementation, whether they’re just starting or are looking to refine an existing policy. For high-traffic domains, this service is critical in providing assurance that their emails are authenticated and that any unauthorized attempts are promptly rejected.

Today, managing cybersecurity threats requires a robust and automated approach, designed to counter the increase in phishing and spoofing attacks. Having strengthened DMARC protection through a service like OnDMARC can significantly enhance a company’s email security posture. For financial services looking to protect their customers and maintain their brand’s reputation, OnDMARC offers a reliable and scalable solution, empowering them to stay ahead of bad actors.

PUBLISHED BY

Jack Lilley

31 Oct. 2024
