Protecting Inboxes is a Civic Duty

Protecting Inboxes is a Civic Duty

Since the 2016 elections there has been a critical focus on the mechanisms we use to engage with the political process, discuss issues, read news, and ultimately, engage in the constitutionally enshrined activity of voting. Although email is tangential to the voting process, it is nonetheless a critical component of our everyday lives, both personal and professional, and often the first salvo in a cyber attack. Phishing is of course a social engineered attack via email, however the ramifications of a successful phishing attack can be far reaching and infinitely devastating. David Ingram put it best in a recent article focused on phishing attacks against Burisma and Democratic Presidential Candidates: “Cracking computer systems is hard. Cracking people? Not as hard.” Presidential candidates have been warned about not only financial scams but the attempts of state sponsored hackers seeking to derail the 2020 elections.

In 2016 we saw how 29 emails managed to interfere with our elections. Phishing remains the primary vector leading to large scale data beaches and other forms of malicious hacking. Last year we took a look at how presidential candidates were using email as part of their campaigns. The field of candidates was much larger then so we had numerous examples and flavors of emails to examine. From that research we determined almost 50% of campaigns either lacked a Domain Messaging Authentication Reporting and Conformance (DMARC) record or failed a DMARC check of their emails.

As a reminder, DMARC is a policy that senders can publish in Domain Name System (DNS) that informs receiving domains, such as Gmail and others, what to do with their messages should they fail other email authentication checks. The policy is prescriptive and can instruct these domains to not deliver fraudulent messages that impersonate legitimate senders. This is an incredibly powerful tool that could thwart the efforts of back actors that rely on spoofing as part of their attacks.

The lack of focus on DMARC and sending domain/sending address security isn’t isolated to just political senders. Quite the contrary, the private sector hasn’t actively embraced DMARC at enforcement—the vast majority of the sending world either hasn’t published a DMARC record or has done so not at enforcement. This lack of adoption further illustrates the importance of platforms such as Twilio SendGrid investing heavily in our compliance and anti-abuse work especially during such a critical time in America.

A Holistic Approach

With the 2020 elections underway, and email under the microscope because of the role it played in 2016, taking a brief look back at how Twilio SendGrid prevents abusive mails from leaving our system seems in order.

During the fourth quarter of 2019 Twilio SendGrid maintained a 99.99% Inbox Protection Rate while setting new volume records during the holidays. The Inbox Protection Rate is a measure of the non-phish email processed by Twilio SendGrid on a quarterly basis.

Self-serve SaaS platforms of scale, regardless of their function or market, all face the prospect of weaponization by malicious actors. The larger the scale the more challenging it becomes to identify and stop bad actors for using the tools that legitimate users rely on as part of their businesses. We can’t stress enough how important it is to address compliance concerns with scalable solutions that are able to adapt at the speed of constantly morphing threats. Second only to actually stopping the threats is measuring and benchmarking the efficacy of these solutions in hopes of perpetually improving upon them and creating transparency and awareness in the marketplace.

We take a 360 degree view of traffic and senders to understand how new accounts sign up and behave. When necessary we apply throttle and rate limits until such time that our systems determine the sending patterns are legitimate. Machine learning (ML) processes, in near real-time, scan content for abuse vectors that are indicative of phishing. Let’s remember, spam is subjective: one person’s spam is another person’s ham. However, phishing is objectively horrendous and has no business on our platform thus we actively train our algorithms to seek it out and prevent it from being sent. Buttressed against a behavioral framework and purpose built ML are humans capable of reviewing the machine results, investigating patterns, keeping tabs on repeat offenders, introducing new friction where appropriate and deploying countermeasures because let’s face it: bad actors evolve their attack vectors with a frightening speed. Not only do they evolve their attacks and spend time cautiously probing platforms for gaps in their defenses, they often switch platforms, or apply distribution tactics to take advantage of as many platforms as possible to make it more difficult to pinpoint the source of an attack.

Beyond Civics

As foreign entities are doubling down on phishing emails as a way to interfere with our current election system, it's critically important to maintain a phish-free mail flow to prevent bad actors from taking advantage of the election “noise” to barrage innocent people with socially engineered attacks. This is the only way we can safely scale our business and protect our customers. Thus our focus on compliance is not only a preventative against the worst tendencies of bad actors, but part of a plan of business continuity that ensures our customers’ business communications will be unfettered by the attempts of bad actors to abuse their brands and our customers’ customers.

What you can do to make a difference

The path to insulating our customers’ customers from phishing is clear: we must always keep compliance a priority as we scale our platform. Likewise, we must advocate and provide our customers with tools to make publishing DMARC at enforcement simpler because it is a massively potent suit of armor that will protect their brand and their customers from spoofing and malicious attacks. And we must continue working with organizations such as the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) and other like minded organizations who bring together public, private, law enforcement to the same table to fight a common foe. But there are definite things that you can do to ensure you don’t fall prey to a phishing attack including:

• Deploy Sender Policy Framework (SPF) on your sending domains to associate permitted IPs with a specific outbound sending domain.
• Setup and publish a Domain Keys Identified Mail (DKIM) record for your sending domains to ensure the integrity of your email by leveraging public/private key pairs.
• Make sure your mail servers are taking advantage of STARTTLS to ensure that messages in flight are encrypted.
• Align your email authentication records to create continuity in how you send email
• Limit who can send email on your behalf—messaging sprawl is common in large organizations that have multiple departments who will leverage email for marketing purposes in one case, transactional in another.
• Publish a Domain-based Messaging Authentication Reporting and Conformance (DMARC) record at enforcement that will instruct receiving domains to reject messages that fail either an SPF or DKIM check, or both.
• Use multi-factor authentication on all of your internet accounts (where available) and especially on your email accounts, both personal and business oriented. Multi-factor authentication has been proven to be 99.9% effective in stopping account takeovers. Harkening back to David Ingram’s advice, cracking systems are hard, cracking people isn’t, thus requiring multiple forms of authentication to access systems is like backing up your own curiosity and ensuring it doesn’t get the better of you.
• If it sounds too good to be true, or out slightly out of bound, don’t be afraid to confirm using other channels. That’s right, if you get an email that sounds even the least bit suspicious from someone you know, or is asking you to do something that tingles your spidey sense, don’t hesitate to pick up the phone. The fact of the matter is that the sender’s account could be compromised thus using an alternate method to contact them is a way to ensure that confirmation comes from the actual account holder and not a bad actor lurking inside of it.

Len Shneyder is a 15+ year email and digital messaging veteran and the VP of Industry Relations at Twilio SendGrid. He can be reached at lshneyder [at] twilio.com.