Pubs and restaurants failing on cyber fraud protection

Only one of the UK’s 50 most popular pub and restaurant chains has bothered to implement the strictest level of Dmarc email protection to stop cyber criminals spoofing their identity in phishing attacks, and 70% have no published Dmarc record at all, leaving their customers wide open to impersonation attacks, according to security firm Proofpoint.

With pubs and restaurants now reopening as lockdown eases across the UK, Proofpoint said consumers faced a potential explosion in cyber criminal activity as venues have been asked – for the time being – to collect customer contact details (which may include email addresses) for contact-tracing purposes.

At the same time, many consumers will be eagerly awaiting communication from their favourite brands for special deals and reopening times, giving cyber criminals an opportunity to prey both on their anticipation of a long-awaited meal out, and their concern that they may have been exposed to Covid-19.

“We have seen during the pandemic that cyber criminals don’t hesitate to prey on society’s anxiety around Covid-19 to target individuals and businesses,” said Adenike Cosgrove, cyber security strategist, international at Proofpoint. “In times of fear and uncertainty, individuals are much more susceptible to these kinds of attack, particularly if a fraudulent email looks like it has come from a genuine domain.

“We recommend that people take steps to make sure that they don’t click on anything suspicious, even if it appears to come from an official source, and instead take steps to contact establishments to make sure for themselves if they aren’t sure.”

Dmarc, which stands for Domain-based Message Authentication, Reporting and Conformance, is an email protocol standard designed to verify that the purported sender’s domain is not being spoofed. Cyber criminals will regularly use domain spoofing to pose as a legitimate organisation by sending an email from an apparently genuine address – this makes it easier for recipients to be tricked into clicking on a malicious link, downloading a malicious file, or sharing personal data.

Dmarc addresses this by building on two different protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) and adding linkage to the author domain with the :From: header, along with policies for handling authentication failures at the receiving end. It also improves receiver-to-sender reporting for anti-spam purposes.

An effective Dmarc policy lets the sender domain specify whether its email is using SPF, DKIM, or both, so that policies can then be set to divert email into the recipient’s spam folder, or reject it outright, if it fails to pass authentication. Recipients can also report an email that gets past this back to the sender.

It has been around for some time and is well in use around the world, including, in the UK, at government agencies such as HM Revenue & Customs, but many organisations that could benefit from implementing it do not, including many large banks.

In the absence of appropriate protection from pub and restaurant chains, potential customers should be wary of any unsolicited communication from a chain that asks for personal information. They should avoid clicking any links in emails purporting to be from a pub or restaurant and instead check up on revised opening times or special offers by visiting the venue’s website direct from within their browser.