Unfortunately, some industries take longer than others to adjust to the current online security climate. Email is a primary attack vector, and it became even more so after the COVID-19 lockdowns and the increase in remote work. Because it is a primary vector, it is more important than ever for every industry to follow email security best practices, yet some still run email with outdated and severely lacking protection compared to others.
Financial institutions know that they are a target for attackers, and most large banks implement high-end security on their email systems. Credit unions, however, are smaller institutions and usually lack the in-house expertise to secure their email systems without help from consultants or a managed service provider (MSP). That gap in email security makes credit unions a target for attackers who want access to banking systems and financial data.
Email security protects both internal employees and the financial institution's customers. In many attacks, a customer receives a phishing email made to look like it came from the institution itself. A credit union that has not set up email authentication on its domain could be leaving customers exposed to spoofed email messages.
In a spoofed message, the sender address appears to be the official bank's. Without email authentication on the bank's domain, an attacker can send a message to a targeted user with a From address that uses the bank's own domain. Sophisticated attackers send from mail servers and IP addresses that have not yet acquired a bad reputation, so in some cases the message passes straight into the victim's inbox. Recipients may also use an email provider with weak spam detection, in which case they will see the malicious message regardless.
In many attacks against banking customers, attackers send as many messages as possible. If the customer's provider has good filtering, the malicious message never reaches the inbox, but attackers know that many recipients use mail services without sophisticated email security, so some messages will get through. Even a few hundred successful phishing attempts can give an attacker access to thousands of dollars.
To combat phishing, credit unions must get the basics of email security right. Domain-based Message Authentication, Reporting & Conformance (DMARC) is the standard for email authentication, and it takes both sides to work: the domain owner (the credit union) publishes a DMARC policy in DNS, and the recipient's email system checks each message against it and enforces that policy.
DMARC builds on two authentication mechanisms: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). SPF lists the IP addresses authorized to send email on behalf of the domain. The SPF entry is published as a TXT record in the domain owner's DNS, and it exists to stop spoofing. SPF checks the envelope sender (the MAIL FROM, or Return-Path, domain), which is why DMARC additionally requires that domain to align with the domain in the visible From header. When a message arrives from an IP address that the record does not authorize, the SPF check fails; if the DKIM check also fails, or neither result aligns with the From domain, the message fails DMARC and the recipient applies whatever the domain's published policy requests: monitor only (p=none), quarantine (p=quarantine) or reject (p=reject). It is still up to the recipient's email service to perform the check and act on the result.
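The evaluation described above, written out as an added example (this is not code from the original post or from SpamTitan): an SPF check of the connecting IP against the domain's record, DMARC identifier alignment in strict and relaxed mode, and the disposition taken from the published policy. The DNS records, the domain example-cu.org and the IP addresses are constructed; the SPF evaluator handles only ip4/ip6/all mechanisms (no include, redirect or mx lookups, which need live DNS); the DKIM result is passed in as an input; and the organizational domain is approximated by the last two labels rather than the Public Suffix List.

```python
"""DMARC evaluation of one inbound message: SPF check of the connecting IP,
identifier alignment against the From: domain, and the published policy.
Added example, not code from the original post or from SpamTitan.

Assumptions: DNS answers come from a constructed in-memory table for a
fictional domain (example-cu.org); the SPF evaluator handles only
ip4/ip6/all mechanisms (no include/redirect/mx lookups); the DKIM result
is passed in as an input; organizational domains are approximated by the
last two labels instead of the Public Suffix List.
"""
import ipaddress

# Constructed DNS TXT records (assumption: fictional credit union domain).
DNS_TXT = {
    "example-cu.org": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example-cu.org": "v=DMARC1; p=reject; adkim=s; aspf=r; "
                             "rua=mailto:dmarc@example-cu.org",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def spf_check(sender_ip, mail_from_domain):
    """Evaluate the SPF record of the envelope sender (MAIL FROM) domain
    against the connecting IP. Returns pass/fail/softfail/neutral/none."""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # a v4 address is never inside a v6 network and vice versa
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # include/mx/a/exists need live DNS; out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matches


def org_domain(domain):
    """Organizational domain, approximated as the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, sender_ip, mail_from_domain,
                   dkim_result="none", dkim_domain=""):
    """Combine SPF and DKIM results with the From: domain's DMARC policy.
    DMARC passes if either authenticated identifier aligns; otherwise the
    disposition is whatever p= requests (none, quarantine or reject)."""
    policy = parse_tags(DNS_TXT.get("_dmarc." + from_domain, ""))
    if policy.get("v") != "DMARC1":
        # no policy published: receivers fall back to ordinary filtering
        return {"spf": spf_check(sender_ip, mail_from_domain),
                "result": "none", "disposition": "none"}
    spf = spf_check(sender_ip, mail_from_domain)
    spf_ok = spf == "pass" and aligned(mail_from_domain, from_domain,
                                       policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain,
                                                policy.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {"spf": spf, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "result": "pass" if passed else "fail",
            "disposition": "none" if passed else policy.get("p", "none")}


if __name__ == "__main__":
    # Legitimate statement mail from the credit union's own outbound range.
    print(dmarc_evaluate("example-cu.org", "203.0.113.25", "example-cu.org"))
    # Spoof: attacker's server sends with the credit union's From: domain.
    print(dmarc_evaluate("example-cu.org", "198.51.100.7", "example-cu.org"))
    # Lookalike domain with no DMARC record: DMARC cannot help here.
    print(dmarc_evaluate("example-cu-secure.org", "198.51.100.7",
                         "example-cu-secure.org"))
```

The third call is the caveat worth noticing: a lookalike domain that publishes no DMARC record simply gets a result of "none", so DMARC protects the credit union's own domain from being spoofed but says nothing about domains the attacker registers himself.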
DKIM is a signature system that lets the receiver detect whether a message was tampered with in transit and confirm which domain signed it. The sending server canonicalizes selected headers and the body, hashes them, signs the hash with the domain's private key and places the result in a DKIM-Signature header. The matching public key is published by the domain owner as a DNS TXT record (at <selector>._domainkey.<domain>). The recipient's mail server canonicalizes and hashes the same headers and body it received and verifies the signature against that hash with the public key; the values match only if nothing that was signed has changed.
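The re-hashing step on the receiving side, as an added example (not code from the original post or from SpamTitan): recompute the body hash that the DKIM-Signature header carries in its bh= tag and rebuild the exact header string that the b= signature covers. The message, the header and the domain example-cu.org are constructed; canonicalization is relaxed/simple as the header's c= tag says; the final RSA check of b= against the public key at <selector>._domainkey.<domain> needs a library such as dkimpy or OpenSSL and is not performed here, so b= is left empty.

```python
"""DKIM verification, the hashing half: recompute the body hash (bh=) from
the message body and rebuild the exact header string that the signature
(b=) covers. Added example, not code from the original post or SpamTitan.

Assumptions: the message, the DKIM-Signature header and the domain
example-cu.org are constructed; canonicalization is relaxed/simple as the
header's c= tag says; the RSA check of b= against the public key published
at <selector>._domainkey.<domain> needs a library such as dkimpy and is not
done here, so b= is left empty.
"""
import base64
import hashlib
import re


def canon_body_simple(body):
    """'simple' body canonicalization (RFC 6376 3.4.3): normalize line ends
    to CRLF and drop every empty line at the end, leaving exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canon_header_relaxed(name, value):
    """'relaxed' header canonicalization (RFC 6376 3.4.2): lowercase the
    name, unfold, collapse whitespace runs to one space, trim the ends."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def body_hash(body):
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canon_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


def parse_dkim_tags(header_value):
    """Split 'tag=value; ...' into a dict, discarding folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(dkim_header_value, body):
    """First verifier step: does the bh= in the header match the body we
    actually received? Any change to the body makes this fail."""
    return parse_dkim_tags(dkim_header_value).get("bh") == body_hash(body)


def signed_data(headers, dkim_header_value):
    """Second step, the bytes the signature covers: each header named in h=
    (last occurrence first), then the DKIM-Signature header itself with an
    empty b= and no trailing CRLF. A verifier hashes this and checks b=
    against it with the domain's public key."""
    tags = parse_dkim_tags(dkim_header_value)
    out = b""
    for wanted in tags["h"].split(":"):
        for name, value in reversed(headers):
            if name.lower() == wanted.lower():
                out += canon_header_relaxed(name, value).encode()
                break
    # blank the b= tag only (the lookbehind keeps 'b=' inside base64 intact)
    stripped = re.sub(r"(?<![A-Za-z0-9+/])b=[^;]*", "b=", dkim_header_value)
    out += canon_header_relaxed("DKIM-Signature", stripped).encode()
    return out.rstrip(b"\r\n")


def build_dkim_header(body):
    """What the sending server's signer emits (b= empty, see module docstring)."""
    return ("v=1; a=rsa-sha256; c=relaxed/simple; d=example-cu.org; "
            "s=stmt2024; h=From:To:Subject; bh=" + body_hash(body) + "; b=")


# Constructed message from the fictional credit union.
HEADERS = [
    ("From", "Member Services <statements@example-cu.org>"),
    ("To", "member@example.net"),
    ("Subject", "Your  statement"),  # double space: relaxed canon collapses it
]
BODY = b"Your monthly statement is ready.\r\nLog in at the usual address.\r\n\r\n"
TAMPERED = BODY.replace(b"the usual address", b"our new address")


if __name__ == "__main__":
    dkim = build_dkim_header(BODY)
    print("intact bh matches:", verify_body_hash(dkim, BODY))        # True
    print("tampered bh matches:", verify_body_hash(dkim, TAMPERED))  # False
    print(signed_data(HEADERS, dkim).decode())
```

Two details matter in practice. The body hash is computed over the canonicalized body, so a forwarder that only adds trailing blank lines or changes line endings does not break the signature, while changing a single word of the body does. And the signature covers only the headers named in h=, so anything not listed there (often the Subject or Reply-To on weak configurations) can be altered without DKIM noticing, which is why DMARC requires the d= domain to align with the From header rather than trusting any valid signature.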
Note that this implementation does not guarantee that no user will ever receive a spoofed or malicious message: DMARC only covers domains that publish a policy, and the recipient's email service is still responsible for filtering messages that fail it. It does, however, start the process of protecting financial customers from the most common attacks.
A common misconception is that small businesses are not a target; this way of thinking is a myth. Credit unions are small financial institutions that are attractive targets precisely because they often lack sophisticated cybersecurity. Because phishing is used in so many attacks, publishing and enforcing a DMARC policy reduces the organization's risk.
Phishing is an inexpensive and effective attack vector for cybercriminals, so email security should be a priority for every organization. DMARC protects internal employees from phishing that impersonates their own domain, and it protects customers as well. In a financial setting, the best cybersecurity keeps customers from losing money and employees from divulging their credentials. An enforced DMARC policy greatly reduces both risks by taking exact-domain spoofing away from attackers, although it does not stop lookalike domains, display-name tricks or mail sent from compromised accounts, so spam filtering and user awareness remain necessary alongside it.
SpamTitan Email Protection provides protection against phishing attacks and malicious email threats. Get set up and block malicious emails within 1 hour. Start a 14-day free trial today.