Email authentication
Email authentication technologies significantly reduce the risk of scammers sending phishing emails that appear to originate from your company. These technologies enable a receiving server to confirm the legitimacy of an email purportedly sent by your company, effectively blocking or quarantining emails from imposters and alerting you about the attempt.
UNDERSTANDING EMAIL AUTHENTICATION
When you set up your company's business email under your own domain name (for example, yourbusiness.com, with addresses like name@yourbusiness.com) but without email authentication, scammers can use your domain to send emails that mimic your business's communications. If your business email uses your company's domain name, ensure your email provider supports these three critical email authentication tools:
- Sender Policy Framework (SPF) specifies which servers are authorized to send emails under your business’s domain name, allowing the receiving server to verify and accept legitimate emails while flagging suspicious ones.
- DomainKeys Identified Mail (DKIM) attaches a digital signature to outgoing emails, enabling servers to confirm that an email from your domain was indeed dispatched from your organization’s servers and remains unaltered during transit.
- Domain-based Message Authentication, Reporting & Conformance (DMARC) complements SPF and DKIM by ensuring the sender's address matches the “from” address seen by the recipient. DMARC also allows you to specify actions for suspicious emails and receive notifications of such events.
Configuring these tools requires expertise to avoid mistakenly blocking legitimate emails. Ensure your email hosting provider is capable of setting them up properly. If not, consider switching providers.
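As an added illustration (not part of the original article or any provider's tooling), the Python below audits the SPF and DMARC TXT records a domain publishes and reports settings that leave spoofed mail unflagged or reports unsent. The record strings, the `_spf.mailhost.example` include and the report mailbox are constructed samples.

```python
# Constructed sample TXT records (not real DNS data) for the article's
# placeholder domain yourbusiness.com; mailhost.example is hypothetical.
WEAK_SPF = ["v=spf1 include:_spf.mailhost.example +all"]
WEAK_DMARC = ["v=DMARC1; p=none"]
STRICT_SPF = ["v=spf1 include:_spf.mailhost.example -all"]
STRICT_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourbusiness.com"]

def audit_spf(txt_records):
    """Findings for the SPF policy among the TXT records at the domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Zero records: no policy. Several: receivers return an error (RFC 7208).
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return []  # evaluation continues in the redirected record
        return ["no 'all' mechanism: unlisted servers get a neutral result"]
    # A bare 'all' has an implicit '+' qualifier.
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["'+all' authorizes every server to send as this domain"]
    if qualifier == "?":
        return ["'?all' is neutral: unlisted servers are not flagged"]
    return []  # '-all' (fail) or '~all' (softfail) flag unlisted servers

def audit_dmarc(txt_records):
    """Findings for the DMARC record published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"expected exactly one DMARC record, found {len(recs)}"]
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: receivers take no action on failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports are sent to you")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    return findings
```

A `p=none` finding is expected while you are still collecting reports; it becomes a gap only if the policy is never tightened to `quarantine` or `reject`.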
THE DANGER OF SPOOFED EMAILS TO CUSTOMER RELATIONS
When scammers spoof your company's email to send fraudulent messages to your customers, it can lead to several harmful scenarios:
- Loss of Trust: Customers might lose trust in your brand, fearing that their personal information is not secure with your business.
- Financial Fraud: Scammers might trick customers into sending money or revealing sensitive financial information.
- Identity Theft: Customers could be duped into providing personal details, leading to identity theft.
- Malware Infection: Links or attachments in the spoofed emails could infect customers' devices with malware, leading to data theft or loss.
- Damage to Reputation: News of the spoofing can spread, damaging your business reputation and potentially leading to a loss of current and future clients.
ACTION STEPS IF YOUR EMAIL IS SPOOFED
If you discover that your company’s email has been spoofed, immediately:
- Report the Scam: Contact local law enforcement, the FBI’s Internet Crime Complaint Center at IC3.gov, and the FTC at FTC.gov/Complaint. Forward phishing emails to spam@uce.gov and reportphishing@apwg.org.
- Notify Your Customers: Promptly inform your customers by mail, email, or social media. If you use email, send it without hyperlinks so customers do not confuse it with a phishing scam.
- Alert Your Staff: Use this incident to refine your security practices and educate your staff on recognizing and responding to cyber threats.