Startups face the same phishing risks as big corporations

This week, we reported on TechCrunch how thousands of remote employees with health and workplace benefits through human resources giant TriNet received emails that looked like a near-perfect phishing attempt.

One recipient was so skeptical that they shared the email with TechCrunch so we could verify its authenticity. The message checked every suspicious box. In fact, when we asked two independent security researchers to offer their assessments, each one thought it was a phishing email devised to steal usernames and passwords.

The fact that there was confusion to begin with shows that even gigantic companies like TriNet — a $3.7 billion corporation — are not doing enough to prevent phishing attacks. Had they proactively employed basic email security techniques, it would have been a lot easier to detect that the email was not in fact a phish, but a genuine company email.

But this problem isn’t unique to TriNet; it’s not even unique to big companies.

Last year, security firm Agari found only 14% of all Fortune 500 companies were using DMARC, a domain security feature that prevents email spoofing, with a policy that actively enforces it. New data supplied by Agari to TechCrunch shows that figure has risen only one percentage point in the last year, to a meager 15%.

Phishing and impersonation are fundamentally human problems. The aim is to try to trick unsuspecting victims into turning over their usernames, email addresses and passwords to hackers who then log in and steal data or money. In some cases, scammers use an email impersonation scam to trick employees into thinking someone senior in the company needs certain sensitive files like banking information or employee tax documents.

So-called “social engineering” attacks are designed to deceive and make the victim do the hard work, but no matter how big or small your company, failing to take precautionary measures can be catastrophic. Startups are already in a crowded space, fighting for relevancy and funding, so it’s not surprising that security often isn’t a priority when founders are focused on launching, strategy and growth. But security experts and industry veterans agree that baking in security from the beginning is easier than tacking it on down the line. That gives the Fortune 500 some excuse — albeit not much — but it doesn’t let new and upcoming companies off the hook.

Good news: there are ways to help mitigate these kinds of attacks.

Firstly, recognize that this is a problem you need to face. It’s not good enough to take the “it won’t happen to us” mentality. If you have a business, even a small startup with employees, you are a target. One convincing-enough email to an employee in finance is all it takes to see your bank accounts drained, and the hacker is off to the races.

Embrace this reality: accept that this is a security risk, understand what kind of email-based threats you face and figure out a plan to tackle the issue proactively rather than having to scramble after the fact.

DMARC is a great defense for filtering out spoofed emails. It builds on two older authentication checks, SPF (which mail servers are allowed to send for your domain) and DKIM (a cryptographic signature on the message), and tells receiving mail servers what to do when a message claiming to come from your domain cannot be validated by either check: let it through, send it to spam, or reject it outright. But simply publishing a DMARC record in your domain’s DNS is not enough. The monitoring-only policy (p=none) just generates reports; you also have to set the policy to quarantine or reject to ensure that flagged emails go to spam or are blocked at the server level.

Most domain registrars and email services support DMARC for free. And the more companies that use it, the better email will be.
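To make the “enabled is not the same as enforcing” point concrete, here is an added example (it is not code from the article, TriNet or Agari): a minimal DMARC record parser and verdict evaluator run over constructed records and authentication results. It assumes the record text is handed in directly rather than fetched from the `_dmarc` TXT entry in DNS, approximates the organizational domain as the last two labels instead of consulting the Public Suffix List, and ignores the `pct=` and `sp=` tags; `example.com` and `attacker.net` are placeholders.

```python
# Added example, not from the article, TriNet or Agari. Shows how a receiving
# server turns a DMARC record plus SPF/DKIM results into a verdict, and why a
# p=none record lets a spoof straight through. Records and auth results below
# are constructed. Assumptions: record passed in as text (no DNS lookup);
# organizational domain = last two labels (real code uses the Public Suffix
# List); pct= and sp= tags ignored.

ENFORCING_POLICIES = ("quarantine", "reject")


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict; reject non-DMARC text."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none",) + ENFORCING_POLICIES:
        raise ValueError("not a usable DMARC record: %r" % record)
    tags["p"] = policy
    return tags


def is_enforcing(tags):
    """True only for p=quarantine or p=reject; p=none merely reports."""
    return tags["p"] in ENFORCING_POLICIES


def org_domain(domain):
    # Assumption: last two labels approximate the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(tags, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain: domain in the From: header (what the recipient sees).
    spf_domain:  domain SPF was checked against (envelope sender).
    dkim_domain: d= tag of a DKIM signature that verified.
    DMARC passes if either check passes AND its domain aligns with From:.
    """
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[tags["p"]]


# Constructed records for the placeholder domain example.com.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.com"


def demo():
    """Same spoof under both policies: the attacker's own SPF passes for
    attacker.net, but that domain does not align with the From: domain."""
    spoof = dict(from_domain="example.com", spf_pass=True, spf_domain="attacker.net",
                 dkim_pass=False, dkim_domain=None)
    return {
        "monitor_only": evaluate(parse_dmarc(MONITOR_ONLY), **spoof),
        "enforcing": evaluate(parse_dmarc(ENFORCING), **spoof),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

With the monitoring-only record the spoof fails DMARC yet is still delivered; only the reject policy blocks it. The strict `adkim=s` setting in the second record also shows the other side of enforcement: a legitimate message signed by `mail.example.com` would be rejected, which is why a domain should sit in `p=none` long enough to read its reports and fix alignment before moving to quarantine or reject.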

But recognize that DMARC is not a panacea, and some crafty scammers can slip through the net: it only covers mail that claims to come from your own domain, so a lookalike domain or a compromised legitimate account passes right through. That’s why, lastly, education is so important. By making sure that information security is a core aspect of company culture, you’ll help ensure that employees have the requisite tools and skills to know what to do if a suspicious email comes in. And if someone may have made a mistake, employees should feel comfortable enough to let security staff know without embarrassment or reprisal. The sooner that someone realizes they’ve been duped, the better the response can be.

Also, and crucially: it doesn’t hurt to ask. If you get an email that looks like your chief executive or a board member demanding highly sensitive files or documents out of the blue, just ask. No one will blame you for wanting to ensure that an extremely sensitive request is a real one. That second act of verification can save you a lot of headaches.