It was a dark and spooky night. Rain lashed the roof and demonic shrieks and groans came from the graveyard outside as you huddled close to the port-a-heater under your desk. A ding came from your email inbox: could it perhaps be a message from beyond the grave?

Oh wait…it’s actually just a more everyday sort of spook: a scam email. 

Look, it is actually pretty scary out there on the internet. There are a lot of nefarious types looking to compromise the security of your business. Currently, one of their most effective scams is to impersonate companies or trusted individuals, a method known as phishing.

Phishing is the practice of sending emails that pretend to be from reputable sources in order to gain sensitive information (passwords, credit card numbers, etc.), and it happens a lot. Scams of this nature account for around 90% of data breaches at companies, and the volume of them being sent grew by up to 65% in 2019.

Well jinkies, how bad could it be if your security is breached? According to the 2019 IBM data breach report, the average cost of a data breach can reach up to USD $3.92 million (upwards of AUD $5.76 million) for large enterprises. 

For businesses, scammers have improved their methods and the attacks have become more targeted – aiming at a handful of people and impersonating a trusted email address instead of a blanket spray. So these days, the big rubber mask is going to look like your boss instead of a werewolf. Without a properly configured email authentication protocol for your domain, the scam email could even look like it came directly from the correct address too. 

Yep, that’s right! You can manipulate your email to appear as though it was sent from (mostly) anywhere you want. Sometimes you do this for entirely innocent reasons, like when you set up an automation platform and want it to send from a business email address. But, as we’ve been discussing today, it can also be done for nefarious reasons. This is possible because the core mail protocol, Simple Mail Transfer Protocol (SMTP), doesn’t include any sender authentication of its own.

To explain very briefly how this works, it helps to compare email with its non-electronic, snail-based counterpart. Picture an email as a physical letter made up of three parts: an envelope, and a letter which has a header and a body. The envelope carries the sender’s real return address, along with who they want it delivered to.

Your office has an extremely efficient mailroom that opens all of your mail and throws the envelope away, so you really only get to see the letter itself. This means you can’t always tell whether the letterhead on the letter matches the return address on the envelope it arrived in. Sure, you could go and find the envelope in the bin every time, but most people just don’t do that.

If someone has a bit of technical know-how or access to a number of easily reached sites, they can have letters sent to you that come in their envelope but have your own business letterhead inside, with instructions from your boss asking you to pay an urgent invoice. Ruh-roh.
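To make the envelope-versus-letterhead point concrete, here is an added example (not code from the original post) that does what the mailroom doesn’t: it digs the envelope back out of the bin. In SMTP terms the envelope return address survives delivery as the Return-Path header the receiving server stamps on the message, while the letterhead is the From header the reader sees. The three messages, the domains and the IP addresses are constructed for the example; the third message shows the lookalike trick where the envelope and letterhead agree but the display name shows a different address.

```python
import email
import re
from email.utils import parseaddr

# Three constructed sample messages (not captured mail). The envelope return
# address survives delivery only as the Return-Path header that the receiving
# server stamps on the message; the "letterhead" is the From header.
SPOOFED_RAW = b"""\
Return-Path: <bounce@mail.attacker.example>
Received: from mail.attacker.example (203.0.113.7) by mx.yourbusiness.example
From: "Your Boss" <ceo@yourbusiness.example>
To: accounts@yourbusiness.example
Subject: Urgent invoice

Please pay the attached invoice today.
"""

LEGIT_RAW = b"""\
Return-Path: <ceo@yourbusiness.example>
Received: from smtp.yourbusiness.example (192.0.2.25) by mx.yourbusiness.example
From: "Your Boss" <ceo@yourbusiness.example>
To: accounts@yourbusiness.example
Subject: Lunch

Sandwiches?
"""

# Envelope and letterhead agree here, but the display name shows an address
# on a different domain from the one the mail will actually reply to.
LOOKALIKE_RAW = b"""\
Return-Path: <news@attacker.example>
Received: from mail.attacker.example (203.0.113.7) by mx.yourbusiness.example
From: "ceo@yourbusiness.example" <news@attacker.example>
To: accounts@yourbusiness.example
Subject: Urgent invoice

Please pay the attached invoice today.
"""


def domain_of(address):
    """Lower-cased domain part of an email address string, or '' if none."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def sender_domains(raw):
    """Return (envelope_domain, header_from_domain) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    return domain_of(msg.get("Return-Path", "")), domain_of(msg.get("From", ""))


def looks_spoofed(raw):
    """True when the envelope return address and the From header disagree on domain."""
    envelope, header_from = sender_domains(raw)
    return bool(header_from) and envelope != header_from


def display_name_lies(raw):
    """True when the From display name contains an address on a different domain."""
    msg = email.message_from_bytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    shown = re.search(r"[\w.+-]+@([\w.-]+)", name)
    return bool(shown) and shown.group(1).lower() != domain_of(addr)


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW), ("lookalike", LOOKALIKE_RAW)):
        print(label, sender_domains(raw), looks_spoofed(raw), display_name_lies(raw))
```

The first message is caught by the envelope check alone; the third is not, because the attacker is using their own envelope and their own address, which is exactly why the display-name check is worth running as well and why the frameworks below can only vouch for the domain that actually sent the mail.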

Many email services are starting to introduce their own security methods. Gmail is one provider of note: aside from moving suspicious emails into the spam folder, it also places a ‘?’ icon on emails where it can’t verify that the sender on the envelope was actually authorised to send a letter with that specific “from” information.

[Screenshot: Gmail message with an unverified sender]

Now, it’s not a bunch of young detectives and their dog in a van, but there are a few ways of sniffing out the truth via frameworks that have been developed in order to authenticate messages. Again, as I mentioned earlier, it’s also a really good idea to have a basic understanding of the terms as a digital marketer to assist with email marketing and automation platforms. 

These methods are handled at a domain level and are set up by updating your DNS records. There are a number of different methods, but we’ll cover the three most commonly used ones. 

SPF (Sender Policy Framework)

A DNS record listing which IP addresses are authorised to send mail for a specific domain.

Continuing the physical letter analogy, this list lets the postman delivering your mail check and see if the return address on the envelope is on the list of valid places that your business has given them. 

DKIM (DomainKeys Identified Mail)

A method of digitally signing an email in order to verify its source and confirm that it has not been faked or altered. This is achieved with public-key cryptography: the domain’s public key is published as a special TXT record in its DNS, and every time an email is sent, the server uses the matching private key to attach a signature to the header of the message. The recipient’s email server looks up the public key and uses it to confirm which domain signed the email and that it wasn’t changed on the way.

Back to our physical analogy, it’s a stamp of authority that is placed on the header of every letter that is sent out from your offices.

DMARC (Domain-Based Message Authentication, Reporting and Conformance) 

A domain-level security policy that utilises SPF and DKIM, allowing domain owners to outline their authentication practices and rules for what happens with mail that fails them. 

DMARC functions on an alignment basis: it checks whether the “from” domain shown in the email header matches the domain that your SPF or DKIM record actually authenticated. If a message fails alignment, the DMARC record designates whether the message should be “quarantined” into the spam folder or rejected outright.

So in our mailroom terms, the letter recipients wouldn’t have to make decisions about what to do with letters they’re unsure about. Rather, you’d have an easily available chart for them to check what a real letter looks like and give instructions on if they should put it through the shredder or not. 

Take note, this is only a very surface-level overview of those three concepts. I’d strongly encourage you to discuss them further with your IT team to look into how they’re used for your business and ensure that any third-party services you’re using (e.g. marketing automation platforms) are properly set up to align with your email security and minimise the number of your emails being accidentally sorted as spam.
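The SPF, DKIM and DMARC sections above, together with the point about third-party services needing to align, can be followed through in code. The example below is added here and is not the post’s own code or any vendor’s implementation: it evaluates a constructed SPF record for a sending IP, parses a constructed DMARC record and applies DMARC’s alignment rule to decide what happens to the message. The domains, IP addresses and TXT records are all made up for the example; SPF is simplified to the ip4/ip6, include and all mechanisms, DKIM signature verification itself is not performed (the caller passes the d= domain of a signature it has already verified), and the organisational domain is taken as the last two labels rather than via the Public Suffix List that real DMARC uses.

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups (example domains only).
# SPF lives at the domain itself; DMARC lives at _dmarc.<domain>.
DNS_TXT = {
    "yourbusiness.example": "v=spf1 ip4:192.0.2.0/24 include:automation-platform.example -all",
    "automation-platform.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.yourbusiness.example": "v=DMARC1; p=quarantine; aspf=r; adkim=r; rua=mailto:dmarc@yourbusiness.example",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, dns=DNS_TXT, depth=0):
    """Simplified SPF evaluation: ip4/ip6, include and all mechanisms only."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if mech == "include" and spf_check(arg, ip, dns, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and there was no "all" term


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=quarantine; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Simplification: real DMARC uses the Public Suffix List to find the
    # organisational domain; the last two labels are enough for these examples.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, envelope_domain, source_ip, dkim_domain=None, dns=DNS_TXT):
    """Apply DMARC: pass if SPF or DKIM passes *and* aligns with the header From domain.

    dkim_domain is the d= domain of a DKIM signature that has already verified;
    verifying the signature needs the public key and is not done here.
    """
    record = dns.get("_dmarc." + from_domain.lower()) or dns.get("_dmarc." + org_domain(from_domain))
    if record is None:
        return {"dmarc": "none", "disposition": "none"}
    tags = parse_dmarc(record)
    spf_result = spf_check(envelope_domain, source_ip, dns)   # SPF checks the envelope domain
    spf_ok = spf_result == "pass" and aligned(from_domain, envelope_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_domain or "", tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "spf": spf_result,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else tags.get("p", "none"),
    }


if __name__ == "__main__":
    # Your own server, a spoofer, and an automation platform with and without DKIM.
    print(dmarc_disposition("yourbusiness.example", "yourbusiness.example", "192.0.2.25"))
    print(dmarc_disposition("yourbusiness.example", "mail.attacker.example", "203.0.113.7"))
    print(dmarc_disposition("yourbusiness.example", "automation-platform.example", "198.51.100.10"))
    print(dmarc_disposition("yourbusiness.example", "automation-platform.example", "198.51.100.10",
                            dkim_domain="yourbusiness.example"))
```

The third scenario is the one the paragraph above warns about: the automation platform’s IP is in its own SPF record, so SPF passes, but the envelope domain is the platform’s rather than yours, so SPF doesn’t align and the message is quarantined until the platform signs with DKIM for your domain (the fourth scenario).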

With data breaches up by over 54% in 2019 alone, there’s never been a better time to review your email security to ensure that you’re properly protecting yourself and your customers from unauthorised parties using your domain name as a cover. Because they would have gotten away with it too if it wasn’t for you meddling kids (and your thorough email security)!


Spooks, scams and suspicious senders

Alex Langridge
As one of our Marketing Automation and Digital Marketing Specialists, Alex brings to Green Hat experience across both the B2B and B2C sectors, ranging from e-commerce to automotive and insurance. With a focus on how clients can enhance their customer experience through automation, and taking a data-driven and insight-oriented approach to marketing, Alex relishes technical problem-solving to achieve his clients’ goals.