Protecting Businesses and Consumers from Email Scams
William “Curt” Barker, Guest Researcher, NIST National Cybersecurity Center of Excellence (NCCoE)
Like it or not, email is a central component of modern-day life. The average person spends 6.3 hours a day checking their messages, and email continues to be the most popular means of communication, ahead of instant messaging, texting and social media.
Scam artists have taken note and are exploiting the relative lack of security around email communications to gain access to your accounts and ultimately steal your money or even your identity. While we are all familiar with the “international” email scam and no longer believe that a stranded diplomat will share millions of dollars with us if we will pay the fees to have it transferred, there are many other scams that seem legitimate enough to fool us, with disastrous consequences.
The National Cybersecurity Center of Excellence (NCCoE) is a collaborative hub where industry organizations, government agencies and academic institutions work together to address businesses’ most pressing cybersecurity issues. Founded in 2012 as part of the National Institute of Standards and Technology (NIST), the NCCoE is dedicated to improving cybersecurity resilience in important key industries. Currently, we’re working on a new project to improve email security — DNS-Based Secured Email — and protect companies and consumers against “phishing” and “man-in-the-middle” attacks.
Seeing as it’s National Cybersecurity Awareness Month, now is a good time to familiarize yourself with the most popular types of email-based attacks and learn how to better protect yourself from becoming a victim.
A phishing email is one that appears to come from a legitimate source and “catches” unsuspecting victims when they respond thinking it’s an official communication. For example, you may have an account with a large national bank. You receive email alerts from them on a regular basis for a variety of reasons, such as when your account balance falls below a certain amount or your online statements are ready for viewing. One day you receive an email that asks you to visit their website to update your profile. It seems serious as the subject line says “Your Online Banking is Blocked!” In a hurry, you click on the link, but it doesn’t actually lead to the bank’s website. Instead, the link sends you to a fake website that looks just like the real thing. After entering your customer ID and password to update your profile information, you close the page thinking you’ve just protected yourself from fraud. In fact, you’ve just given away the keys to your account and scammers are now transferring money from it and have perhaps even downloaded malicious software onto your computer.
While there are ways you might detect a phishing email, e.g., incorrect grammar or spelling, suspicious links, or threatening language, man-in-the-middle attacks are much more damaging and much harder to detect. In this type of attack, the man in the middle secretly intercepts or alters an email communication between two unsuspecting parties. For example, the attacker might change the transaction instructions sent to you by your lender for your mortgage loan closing, sending your hard-earned funds to the attacker’s bank account instead. By the time you discover your funds never made it to your lender, your life savings are in the hands of criminals. One of the ways you can prevent this type of attack is to change your email settings to request a digital certificate, which is an electronic document that certifies the identity of the email sender, for sensitive emails.
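The “suspicious links” cue mentioned above can be checked mechanically: in the banking example, the text you see in the message says one thing while the link underneath it points somewhere else. The following is an added example (not code from the original post or from the NCCoE project) that pulls every link out of a constructed HTML message body and flags two of the patterns described above: a link whose visible text names one domain while its target is another, and a link that goes to a bare IP address. The sample message, the hostnames in it and the helper names are all invented for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing message body (not a real email). The first
# and third links display a bank-looking address but lead elsewhere; the second
# link is an ordinary, consistent link and should not be flagged.
SAMPLE_HTML = """
<p>Your Online Banking is Blocked! Please visit
<a href="http://198.51.100.23/login">https://www.examplebank.com/profile</a>
to update your profile.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>
<p>Or go to <a href="https://examplebank.com.secure-update.example/verify">www.examplebank.com</a></p>
"""

IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Sufficient for this example; production code should consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of_text(text):
    """If the visible link text looks like a URL or hostname, return its host, else ''."""
    if " " in text or "." not in text:
        return ""
    candidate = text if "://" in text else "http://" + text
    return (urlparse(candidate).hostname or "").lower()


def check_link(href, text):
    """Return the list of reasons a link looks suspicious (empty list means none found)."""
    reasons = []
    href_host = (urlparse(href).hostname or "").lower()
    if IP_LITERAL.match(href_host):
        reasons.append("href points at a bare IP address")
    text_host = host_of_text(text)
    # Visible text names a domain that is not the domain the link really goes to.
    if text_host and registered_domain(text_host) != registered_domain(href_host):
        reasons.append(f"visible text names {text_host} but the link actually goes to {href_host}")
    return reasons


def scan_html(html):
    """Return one record per link: {'href', 'text', 'reasons'}."""
    collector = LinkCollector()
    collector.feed(html)
    return [{"href": h, "text": t, "reasons": check_link(h, t)} for h, t in collector.links]


def suspicious_links(html):
    """Only the links that produced at least one reason."""
    return [rec for rec in scan_html(html) if rec["reasons"]]


if __name__ == "__main__":
    for rec in suspicious_links(SAMPLE_HTML):
        print(rec["href"], "->", "; ".join(rec["reasons"]))
```

Run as a script, it reports the IP-address link and the look-alike subdomain link and stays silent on the legitimate help-page link. The domain comparison is deliberately conservative (last two labels only) so that `www.examplebank.com` and `examplebank.com` are treated as the same site; a real mail filter would use a public-suffix list and an allow-list of the sender’s known domains.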
Who Can You Trust?
Email service providers focus primarily on delivering emails, not verifying their origins or contents. While no one wants outsiders reading their email, one can make the argument that, with email scams rising, it’s not unreasonable for consumers to expect email service providers to implement security protocols to verify that emails are actually coming from who they say they are. I need to know that if an email says it’s coming from my bank, it’s not really coming from a shady crime ring trying to steal my money or identity, or both.
The cost and speed of delivery have been some of the driving forces behind the widespread use of email, for both business and personal reasons. Securing email transactions has not been a top priority, which is one reason why email attacks have been on the rise.
Email service providers can take steps to reduce the prevalence of email scams by implementing mechanisms to verify the origin of an email. However, these mechanisms are complicated to implement, require long lead times, and must integrate into existing systems, further complicating matters. As a result, many providers have been slow to adopt these protections.
The NCCoE has taken on this challenge with its DNS-Based Secured Email project. We’re working with industry to simplify the implementation of important security controls and have launched an initiative to help both public and private organizations improve email security. Most server-based email security mechanisms are vulnerable to intrusions or man-in-the-middle attacks when there isn’t server-to-server verification, i.e., when there’s no automated process whereby your email server checks to make sure that it’s sending your email to another legitimate email server. Without an appropriate combination of protections in place, these attacks can result in unauthorized parties reading or modifying email. This project aims to use currently available technology to close the gaps in email security through the service provider, ultimately reducing the potential for email scams.
NCCoE’s DNS-Based Secured Email Project
Our goal with this project is to demonstrate a security platform that provides trustworthy email exchanges and tools that help organizations encrypt emails between users, allow individual email users to digitally sign and/or encrypt email messages, and allow email users to identify valid email senders.
If you’re interested, check our project page frequently for updates or sign up for our email alerts. The NCCoE relies on collaboration with industry, government and academia, so if you would like to be involved in this project, please email us and ask to join our Community of Interest.
For those of you who are not computer scientists or cybersecurity researchers, and I’m guessing that’s the majority of the people reading this article, I hope you now have a better understanding of the ways that cyber criminals can come after your emails and what you can do to protect yourself.
Together, we can take a bite out of cyber crime.
This post originally appeared on Taking Measure, the official blog of the National Institute of Standards and Technology (NIST) on October 21, 2016.
To make sure you never miss our blog posts or other news from NIST, sign up for our email alerts.
About the Author
Curt Barker is a guest researcher at NIST, specializing in cybersecurity. Previously Curt was Associate Director and Chief Cybersecurity Advisor for NIST’s Information Technology Laboratory, where he was directly responsible for planning, directing, and implementing the NIST cybersecurity program. Curt loves to travel and has achieved permanent status as a member of the United Million Miler club.