Businesses Can Help Stop Phishing and Protect Their Brands Using Email Authentication

Citation
Federal Trade Commission, Businesses Can Help Stop Phishing and Protect Their Brands Using Email Authentication (Mar. 2017) (full-text).

Overview
This report from the Federal Trade Commission's Office of Technology Research and Investigation (OTech) indicates that most major online businesses are using proper email authentication technology to prevent phishing emails, but few of these businesses are taking full advantage of the latest technologies to combat phishing.

Phishing is a type of online scam that targets consumers by sending them an e-mail that appears to be from a well-known source such as an internet service provider, a bank, or a mortgage company. It asks the consumer to provide personal identifying information, and then the scammer uses the information to open new accounts or invade the consumer's existing accounts.

Specifically, the OTech study found that 86% of major online businesses it studied are using Sender Policy Framework (SPF), an email authentication technology that enables Internet Service Providers to determine whether messages that claim to be from the businesses' email addresses actually come from the businesses. Fewer than 10% of the businesses, however, have implemented a supplemental technology known as Domain Message Authentication Reporting & Conformance (DMARC) in a manner which would allow the businesses to receive intelligence on potential spoofing attempts and to instruct ISPs to automatically reject any unauthenticated messages that claimed to be from the businesses' email addresses. By using DMARC to instruct receiving ISPs to reject unauthenticated messages, online businesses could further combat phishing by keeping these scam emails from showing up in consumers' inboxes.
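
The distinction the study draws, between publishing SPF alone and publishing DMARC with reporting and a reject policy, can be read from a domain's DNS TXT records. The Python code below is an added example, not part of the FTC report; the domains and record strings are constructed, and `parse_tags`, `assess` and `SAMPLES` are hypothetical names.

```python
# Added example. Record strings are constructed; no DNS lookups are made.

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(apex_txt, dmarc_txt):
    """apex_txt: TXT strings at the domain; dmarc_txt: TXT strings at _dmarc.<domain>."""
    spf = [r for r in apex_txt if r.lower().split(" ")[0] == "v=spf1"]
    dmarc = [r for r in dmarc_txt if parse_tags(r).get("v") == "DMARC1"]
    result = {"spf": len(spf) == 1,  # more than one SPF record is an SPF error
              "dmarc": False, "policy": None,
              "reports": False, "rejects_unauthenticated": False}
    if len(dmarc) != 1:  # none or several DMARC records: no policy is applied
        return result
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return result  # simplification: unusable p tag treated as no policy
    result.update(
        dmarc=True, policy=policy,
        # rua= is where receivers send aggregate reports about mail using the domain
        reports="mailto:" in tags.get("rua", "").lower(),
        # p=reject with the default pct=100 asks receivers to refuse all failing mail
        rejects_unauthenticated=(policy == "reject" and tags.get("pct", "100") == "100"),
    )
    return result

SAMPLES = {  # constructed records for hypothetical domains
    "spf-only.example": (["v=spf1 include:_spf.mail.example -all"], []),
    "monitor.example": (["v=spf1 ip4:192.0.2.10 -all"],
                        ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"]),
    "enforced.example": (["v=spf1 ip4:192.0.2.20 -all"],
                         ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"]),
}

if __name__ == "__main__":
    for domain, (apex, dm) in SAMPLES.items():
        print(domain, assess(apex, dm))
```

Only the last sample matches the configuration the report says few businesses had adopted: it both receives reports and instructs receivers to reject unauthenticated mail.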