FTC: Businesses Could Be Doing More To Protect Customers From Phishing, But Aren’t


You probably know the danger signs of a phishing message when it arrives in your inbox: It impersonates a company that you don’t do business with, mentions a transaction that didn’t happen, or has blatant spelling or grammatical errors. The Federal Trade Commission, though, notes that businesses that contact consumers online could implement simple steps to keep phishing messages from us in the first place. They just don’t.

It’s pretty easy to forge a “from” address on an email message, which is why email providers and retailers, banks, and other companies that send critical emails have more sensitive tools to authenticate messages and clarify which domain name is really sending them.

The simplest tools to implement are Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). These let a sender authenticate its messages: SPF tells receiving email providers which Internet Protocol (IP) addresses are allowed to send mail for the sender's domain, and DKIM lets the receiving provider verify the domain name the message claims to come from.

The FTC has encouraged email senders to use these tools for the last decade and a half or so. However, the strictest protocol available, Domain-based Message Authentication, Reporting & Conformance, or DMARC, was only used by about a third of businesses that the FTC looked at in a recent study [PDF].

DMARC allows senders to instruct email providers what to do with messages that haven’t been authenticated, which can include never delivering those messages to intended recipients, and reporting suspicious messages to the owner of the domain name.

When the FTC studied 500 email senders, it found that most businesses that use DMARC don’t bother to actually provide any instructions, so messages that aren’t authenticated are just delivered anyway.
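The distinction the FTC is drawing is visible in a domain's published DMARC record: a `p=none` policy announces DMARC but gives receivers no instruction, while `p=quarantine` or `p=reject` actually tells them what to do with unauthenticated mail. The classifier below is an added example (not code from the FTC study); the domain names and records it tallies are constructed samples.

```python
import re

# DMARC is published as a TXT record at _dmarc.<domain>; tags are "name=value" pairs
# separated by semicolons (RFC 7489). Values used here are constructed samples.
_TAG_RE = re.compile(r"\s*([A-Za-z]+)\s*=\s*([^;]*?)\s*$")

def parse_dmarc(record):
    """Return the record's tags as a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        match = _TAG_RE.match(part)
        if match is None:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[match.group(1).lower()] = match.group(2)
    return tags

def classify(record):
    """Map a domain's DMARC record to what a receiver does with unauthenticated mail.

    'missing'    no record published at all
    'invalid'    a TXT record exists but is not a usable DMARC policy
    'none'       record present, but no instruction: failures are delivered anyway
    'quarantine' receiver is told to treat failures as suspicious (spam folder)
    'reject'     receiver is told not to deliver failures at all
    """
    if record is None:
        return "missing"
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return "invalid"
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"  # 'p' is required; an unknown value is no policy
    return policy

def has_reporting(record):
    """True if the record asks receivers for aggregate (rua) or failure (ruf) reports."""
    if classify(record) in ("missing", "invalid"):
        return False
    tags = parse_dmarc(record)
    return bool(tags.get("rua") or tags.get("ruf"))

def audit(records):
    """Tally a {domain: record} map the way the study did: who publishes DMARC at all,
    and who actually instructs receivers to quarantine or reject failures."""
    counts = {"missing": 0, "invalid": 0, "none": 0, "quarantine": 0, "reject": 0}
    for record in records.values():
        counts[classify(record)] += 1
    counts["enforcing"] = counts["quarantine"] + counts["reject"]
    return counts

# Constructed sample: four senders, only one of which enforces a policy
SAMPLE = {
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@bank.example",
    "shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
    "news.example": "v=DMARC1; p=none",
    "blog.example": None,
}
```

Running `audit(SAMPLE)` reports three domains with DMARC but only one enforcing, the pattern the FTC describes; feeding it records fetched from DNS for your own domains gives the same breakdown.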

“With DMARC, a business can protect its domains from being used by phishers and other scammers by instructing receiving domains to automatically reject unauthenticated messages that claim to be from the business’s domains,” the FTC concluded in its report on the domain research. “This powerful tool could be an effective means of combatting phishing scams.”

The good news is that most financial institutions studied had implemented DMARC when sending messages, but even for them, only 20% of senders instruct email servers to reject messages that haven’t been authenticated. Most messages just come on through, letting users’ spam filters deal with them.