A phisher’s paradise

Email is one of the earliest services created on the internet and, arguably, remains the most important

Almost every business, whether dealing with customers or suppliers, relies to some extent on email, despite the rise of messaging services through social media. But it is this very ubiquity of email that is so attractive to the criminal fraternity.

Most attacks on the internet are initiated via the medium of email, either by sending spoofed emails pretending to come from a trusted brand or organisation with links to a malicious website that harvests credentials, or by simply sending an email with a malware attachment. These tactics are known collectively as phishing.

Because email was one of the very first services to exist on the internet, little or no thought was given to security. It was not part of the design process and, as a result, all attempts to implement secure broad spectrum email services have, to some extent, resulted in failure, because most service providers have to fall back to the lowest common security denominator – unencrypted and unverified SMTP email. This plays right into the phishers’ hands.

With the advent of more than 1,400 new generic top-level domains (gTLDs) in the next year or two, the problem of spoofed emails can only increase. It will become (even more) trivial for criminals to buy a domain that is very close to, or even identical to, a known brand name and spoof emails from that organisation. This new internet will challenge our ideas of trust in the domain name system.

A number of the new gTLDs have reasonably official-sounding words, such as .loans, .credit, .creditcard, .mortgage, .club, .company and even .email. And all these are available for anyone to buy and can make an email address appear reasonably legitimate.

With just a quick search online, I was able to find several well-known retail banks that had not yet purchased <wellknownbank>.email at the time of writing.
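A defender-side check for the risk described above, added here as an illustration and not part of the original column: it classifies the sender domain of an inbound message as brand-owned, the brand's exact name under a TLD the brand does not own (the `<brand>.email` case), a one-character look-alike, or unrelated. The brand name, its owned-domain list and the sample addresses are constructed.

```python
from email.utils import parseaddr

# Constructed sample data: a brand label and the domains it actually owns.
OWNED = {"wellknownbank": {"wellknownbank.com", "wellknownbank.co.uk"}}


def registrable_parts(domain):
    """Split 'mail.brand.email' into (label, tld) from the last two labels.
    Assumption: no public-suffix list; owned multi-part suffixes such as
    .co.uk are handled by the OWNED lookup, not by parsing."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch single-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return (verdict, domain) for a From: header value.
    Verdicts: 'owned', 'brand-on-unowned-tld', 'lookalike', 'unrelated'."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    parts = registrable_parts(domain)
    if parts is None:
        return "unrelated", domain
    label, _tld = parts
    for brand, owned in OWNED.items():
        # Exact owned domain or a subdomain of one: legitimate sender.
        if domain in owned or any(domain.endswith("." + d) for d in owned):
            return "owned", domain
        # Brand name intact but under a TLD the brand never registered.
        if label == brand:
            return "brand-on-unowned-tld", domain
        # One insertion, deletion or substitution away from the brand.
        if edit_distance(label, brand) <= 1:
            return "lookalike", domain
    return "unrelated", domain
```

In practice the owned-domain list is the set the organisation has actually registered under the new gTLDs, which is exactly the inventory a gTLD strategy needs to maintain.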

It is a problem that touches a number of areas within an organisation. For the marketing and branding teams, these emails can become incredibly damaging for a company’s hard-earned brand and reputation. IT departments will also be required to monitor, identify and attempt to stop any prolonged campaigns. Severe phishing attacks can quickly escalate to become a boardroom issue, too, if the worst happens.

All these different departments and stakeholders need to start thinking about a gTLD strategy to cope with the approaching deluge. Because you can be sure the criminals are already developing – and executing – ways of tricking businesses and consumers through phishing with new domains.

Paul Vlissidis is director of trust at NCC Group