New Strategies to Fight Email Fraud
Return Path's Robert Holmes on New Security Solutions
Email fraud has existed since the advent of email. But the schemes are evolving and impacting organizations' bottom lines. Robert Holmes of Return Path offers new strategies to defeat fraud attempts.
Holmes, the general manager of Return Path's email fraud protection business line, says fraud schemes aren't just growing - they are growing at an exponential rate. And the key reason organizations have not eradicated email fraud? Perception, Holmes says.
"We've not fixed it because of a perceived economics problem," Holmes says. "The perceived cost of fighting it is greater than the perceived benefit of fighting it."
But organizations also misperceive exactly how pervasive and damaging email schemes are, he says.
"Year over year, we're seeing growth of 20 to 25 percent in volume of email attacks," Holmes says. But as concerning as the volume of attacks is the complexity. "It's getting more and more difficult to differentiate between legitimate email and a spoofed email that may contain some malicious payload."
In an interview about email fraud protection, Holmes discusses:
- Email fraud impacts on organizations;
- Successful strategies for defeating email fraud;
- The future of email fraud prevention.
Holmes is the General Manager for the Email Fraud Protection group at Return Path. He has been in the brand & fraud protection industry for 14 years, helping major corporations understand, quantify and manage risk across the digital channels. Having previously held global roles running the product teams at Corporation Service Company and Melbourne IT's Digital Brand Services, Holmes is now helping businesses implement solutions to protect their brands & customers from threats in the email channel. He has an MA (Hons) degree in Philosophy, Politics & Economics from the University of Oxford.
Gaps in Defending Email
TOM FIELD: To cut right to it, email fraud has been around forever, as long as we've had email. Why haven't we developed a better way to fight it?
ROBERT HOLMES: Email fraud has been around for a long time. Certainly I've been involved in trying to fight it for 10 years or so. We've seen year-on-year growth, exponential growth actually, in the last couple of years. I suppose an overarching comment I would say is that we've not fixed it because of a perceived economics problem. The perceived cost of fighting it is greater than the perceived benefit of fighting it. I think the biggest problem here is probably perception, that the costs outweigh the benefits. There are many solutions out there, but we are left with this residual risk, and resolving and fighting that residual risk is difficult. I think that because of this perception, it's too difficult and that we're comfortable with that residual risk. We've probably not seen the level of innovation and coming up with new solutions that you might have done if there wasn't this perception gap, if that makes sense.
Email Fraud Worsening
FIELD: You mentioned perception, and I think that organizations perceive that they've got a pretty good handle on fraud. But in counter to that, how is the email fraud problem actually getting worse than organizations might think and impacting their bottom lines?
HOLMES: I think the first thing is about volume, not so much the size of the attack, but the volume of attacks that we see. Year-on-year we're seeing growth of 20-25 percent in terms of the volume of email attacks targeting not just organizations, but their customers beyond their firewall. That's the first issue; the volume of attacks is going up.
The second issue actually relates to complexity and sophistication. This is manifesting itself in more and more news headlines, people being breached and customers being compromised. It's getting more and more difficult to differentiate between a legitimate email and a spoofed email that may contain some malicious payload. Those probably are the two biggest trends that we see: an increase in the volume of attacks and an increase in the sophistication.
How that impacts organizations - and I think this is where the perception comes into play - is that businesses are busy making money, and the idea of resolving an email fraud problem is not necessarily the item which is going to get much attention if you don't actually know what it's doing to your business. Unfortunately, some companies are finding the impact out too late. There are some celebrated cases which were in the U.S. There were a couple of major organizations that got hit recently. In Europe, there was a travel company that ended up having to reimburse up to 10,000 of its customers through a booking fraud scam.
Now, those are very obvious cases where you can tie financial losses back to a scam. But I think there's a more pervasive risk, and that is what it's doing to the trust in which your customers are placing in your brand. There is something of a tax on businesses - a hidden tax - that people are paying for this pervasive influence of email fraud. In actual fact, I think it starts with getting some visibility into the problem. People don't know what they don't know.
Improving Mitigation Techniques
FIELD: Robert, we had a conversation a couple weeks back, and you said something to me that stood out. What you said is we need to be bold and think big. What exactly do you mean by that?
HOLMES: As I mentioned before, I've been involved in fighting email fraud for some time now. Until relatively recently, really it was the same-old, same-old. It was what we in the industry refer to as the whack-a-mole approach; it's find a scam and shut it down. But there's a problem with that. The problem is that it's going to take you a while to find the scam. In fact, there are some scams that you might not even find.
The second thing is it's going to take you a while to shut that scam down. If you consider that the industry average may be 28 hours to take down a fraudulent website, that's 28 hours of exposure that your customers are open to. Any email marketer worth their salt will tell you that during those first 28 hours after an email is sent, the majority of the damage is already done.
What I mean by being bold is we've got to think differently. This is something where I think there have been changes in recent years, but I think we need to probably understand the impact to businesses, probably understand the importance of trust as a catalyst for doing business online, and then probably think about what we can do to better equip filters of email to better spot and ideally block the bad email. We need to be bold. We need to say to ourselves it is not acceptable for [our] brands to be used as a vehicle to commit fraud online. We expect more of the Internet community to protect our brands online because our customers are expecting more of our brands to do more to protect them online.
Most Effective Strategies
FIELD: In the face of the trends that we've talked about previously, what do you find to be today's most effective strategies for defeating email fraud?
HOLMES: I think there are two prongs to that. We want to help inform filtering decisions so that more of the bad email can be filtered upstream. Ideally you want to nip it in the bud such that the scam doesn't even reach its intended victim. We want to help inform better filtering decisions.
The second type of decision that we want to influence is kind of a mitigation process and mitigation decision. We need to break the chain. If we can't keep the bad email out of the inbox, how can we as quickly as possible detect it and as quickly as possible disable it? That is actually multifaceted in and of itself. The traditional whack-a-mole model that I alluded to before is actually going to find the host provider of the malicious content and request that that site be taken down. There's a lag in that. It's important that there's a lag in that.
There are filters upstream of that. We can get malicious URLs fed into toolbars and into anti-virus software. We can plug it into browser providers, indeed into devices, so that we can break the chain so that if somebody does happen to receive that fraudulent email and click on the link, it's dead; it does not resolve to fraudulent content.
Moving upstream, I think probably the most interesting thing that we have seen change in the last three years - indeed it was three years ago this month it launched - is a technical standard called DMARC. DMARC stands for Domain-Based Message Authentication, Reporting and Conformance. ... They really wanted to seek to address this issue of preventing fraudulent email getting into the inbox in the first place, which really comes down to authenticating the identity of the sender of the email in the very first place. DMARC was launched three years ago this month, and what we're seeing is greater and greater adoption of that. Three years ago there was zero-percent adoption; now there is probably 15 percent adoption, and we expect that trend to continue rather aggressively over the next couple of years.
Email Fraud Protection
FIELD: Bringing this back to Return Path's Email Fraud Protection business, what are some of the successful solutions that your customers are deploying?
HOLMES: It's really kind of an expansion of those two groups of decisions that we alluded to. Return Path is at the center of the email ecosystem. We work with senders of email and brands that wish to protect themselves. On the other hand, we work with ISPs around the world, and we help those ISPs around the world make better decisions about what is good email and what is bad email so that they can block the bad email. If they don't block it there, at least report it to us and we can then make that available in our email intelligence ecosystem.
So what are we doing? We are definitely strong advocates of DMARC. It is probably the most robust and successful solution launched in recent years and forms part of our solution. But we recognize that DMARC actually addresses - based on our research into this space - probably 30 percent of the problem. Seventy percent of the problem will not be addressed by DMARC and our other services of expanded threat intelligence and mitigation then kick in. Essentially we are consuming vast amounts of data from around the world, billions of emails a day, and we are, in real-time, converting that into intelligence that can inform better and quicker mitigation services.
Looking Ahead
FIELD: If you could sum it up, what do you see is the future of email fraud prevention?
HOLMES: Prevention is a great word, and I'm pleased you used it because I would love to think that and the mitigation, the after-the-fact solution, would be marginalized. I don't think that it will ever be marginalized to the point that it is redundant. I think there will always be a need for threat intelligence and mitigation. But my expectation and hope is that we will see better solutions in the first class of decisions that the receiver of email has to make, that of actually filtering bad email before it hits the inbox.
For the future, I definitely see adoption of DMARC increasing. I would expect by the end of next year it goes from 15 percent to probably more like 50 or 60 percent of those targeted by email fraud. But I think that DMARC will not be enough. I'm fully expecting there to be some conversations. Indeed, some of these have started about the display name. For example, Tom, if I was to send you an email, you wouldn't see Robert.Holmes@returnpath.com; you would see Robert Holmes, and DMARC does nothing to address that. Indeed, there is no standard today that addresses what I would call display name spoofing.
What is the future of email fraud prevention? The mitigation processes will hold true and DMARC will hold true, but I expect to see greater innovation in identifying up-front and filtering out the bad email through other identification and authentication processes.
How to Discover Security Gaps
FIELD: My final question for you: Given everything we've talked about today, how can organizations discover their own security gaps when it comes to email fraud protection?
HOLMES: I mention this because of the fact that it's cost-neutral and will give you great intelligence. As I said at the outset, you don't know what you don't know. A great starting place is to create a DMARC record. By creating a DMARC record, you actually automatically start seeing data in relation to mail streams being sent across those domains you own, and you will see this data coming from Hotmail, Yahoo, Gmail and AOL. The data set is really rich. It's really insightful. We very often use that to give our customers an idea as to [if] you have a problem. If you have a problem, how big is it, what is the nature of it and does it merit a solution?
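As an added illustration of the monitoring step Holmes describes (publishing a DMARC record and reading the aggregate reports it attracts), the following code is not part of the interview or of Return Path's products: it parses a constructed monitor-only DMARC record, summarizes a constructed aggregate report in the RFC 7489 layout, and computes how much reported mail failed authentication. The domain, IP addresses and counts are all made-up sample values.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC TXT record for a hypothetical domain (example.com is reserved for
# documentation). p=none is the monitor-only policy Holmes describes: nothing is blocked,
# but receivers that honour DMARC start sending aggregate reports to the rua= address.
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"

def parse_dmarc_record(txt):
    """Parse a DMARC record (RFC 7489 'tag=value;' list) into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    return tags

# Constructed aggregate (rua) report fragment in the RFC 7489 Appendix C layout.
# Row 1: mail from the domain's own server, aligned DKIM and SPF both pass.
# Row 2: mail from an unknown source failing both, i.e. the spoofed stream that
# the reporting data is meant to surface.
SAMPLE_REPORT = """<feedback>
<report_metadata><org_name>constructed-receiver</org_name></report_metadata>
<record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
<policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>340</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize_report(xml_text):
    """Return {source_ip: {'pass': n, 'fail': n}} from an aggregate report."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes (RFC 7489)
        passed = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        summary[ip]["pass" if passed else "fail"] += count
    return dict(summary)

def failing_share(summary):
    """Fraction of reported messages that failed DMARC: the 'how big is it' figure."""
    total = sum(v["pass"] + v["fail"] for v in summary.values())
    failed = sum(v["fail"] for v in summary.values())
    return failed / total if total else 0.0
```

With real reports, the failing sources need to be sorted into forgotten legitimate senders (to be fixed with SPF/DKIM alignment) and genuine spoofing before the policy is moved from p=none towards quarantine or reject.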