Email security: A year in review
2017 was an eventful year in the world of email and cybersecurity. Large companies made headlines in 2017, falling victim to cyber attacks and data breaches that compromised millions of customer records. Email harassment and invasion of privacy tactics also rose to prominence in 2017.
Through it all, email has showcased its staying power and the ability to adapt to the ever-changing landscape of personal and business communications.
- Phishing for a breach
Phishing emails and malicious attachments are still the main causes of data breaches, as 91 percent of all cyberattacks originate from a phishing email. Thus, a large percentage of 2017’s cyber attacks were the result of phishing or spoofing techniques that use various methods designed to trick the recipient into giving up his or her personal information.
From May through July 2017, Equifax, one of the three main credit bureaus in the United States, suffered a data breach that impacted as many as 143 million consumers in the US. Cyber criminals gained access to names, social security numbers, credit card numbers and other personally identifying information through the breach. The attack was traced to a simple software flaw that the attackers exploited. To make matters worse, Equifax customer support referred potentially impacted people to a phishing knock-off site instead of the company’s own information site about the breach.
Not to be outdone, Uber disclosed in November that hackers stole personal information from 57 million drivers and riders. The attack actually took place in 2016, but went undisclosed for more than a year and included a $100,000 ransom payment to the attackers. Hackers are leveraging the personal information stolen, including names and email addresses, to target and personalize phishing emails to attempt to gather login information or download malicious payloads.
Yahoo recently clarified in October 2017 that all 3 billion of its accounts were hacked in a 2013 cyber attack, tripling earlier estimates of the scope. Hackers were able to use a ‘spear phishing’ email to gain access to a Yahoo employee’s credentials to break into the company’s systems. Yahoo’s hack remains the largest data breach of the 21st century that we are aware of.
Despite the widespread cyber attacks that either occurred or were disclosed in 2017, there may be a silver lining. Email authentication standards like DMARC made strides, aiming to rein in the email phishing methods that serve as the vehicle for many data breaches. In October, the Department of Homeland Security announced it is requiring federal agencies to implement DMARC on their sending domains within 90 days. Furthermore, the number of ISPs that support DMARC has grown significantly over the past year, with 4.8 billion inboxes now supporting DMARC, representing 76 percent of current global email accounts.
"Widespread adoption by the USG will be viewed by other governments and large businesses as a positive signal of the value of DMARC in protecting against BEC/EAC scams and other prevalent email-borne attacks," said Paul Midgen, 250ok Advisor and co-author of the original DMARC specification. "If they were sitting on the fence, the outcomes experienced by these organizations should help push those considering adoption towards getting started with a monitor-only policy."
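The DMARC rollout described above starts with a monitor-only policy (p=none) and moves toward enforcement. As an added example that is not part of the original article, the Python below parses a DMARC TXT record into its tags and reports whether a domain is monitoring or enforcing, and whether it has an aggregate reporting address to monitor with. The domain names and records are constructed for illustration, and the parser covers only the tags a rollout review usually looks at.

```python
"""Parse DMARC TXT records and classify a domain's rollout stage.

Added example for this article; not the article's or any vendor's code.
The sample records and domain names below are constructed, not real DNS data.
"""

# Constructed sample records (assumption: what a TXT lookup of
# _dmarc.<domain> would return for each hypothetical domain).
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-agg@monitor.example",
    "enforce.example": ("v=DMARC1; p=reject; sp=quarantine; pct=100; "
                        "rua=mailto:agg@enforce.example; "
                        "ruf=mailto:forensic@enforce.example; adkim=s; aspf=s"),
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "broken.example": "p=reject; rua=mailto:agg@broken.example",  # no v tag
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs.

    Enforces the two hard requirements a receiver applies: the record
    must begin with v=DMARC1 and must carry a valid p tag.
    Raises ValueError otherwise.
    """
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record does not start with v=DMARC1")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p tag: {tags.get('p')!r}")
    return tags


def assess(record: str) -> dict:
    """Summarise where a record sits on the monitor -> enforce path."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    # sp (subdomain policy) defaults to p when absent; pct defaults to 100.
    subdomain_policy = tags.get("sp", policy)
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    # rua may list several comma-separated URIs; keep them as a list.
    rua = [u.strip() for u in tags["rua"].split(",")] if "rua" in tags else []

    if policy == "none":
        mode = "monitor-only"
    elif pct < 100:
        mode = "partial enforcement"
    else:
        mode = "enforcement"

    warnings = []
    if not rua:
        warnings.append("no rua address: nothing will be reported to monitor")
    if subdomain_policy == "none" and policy != "none":
        warnings.append("subdomains remain unprotected (sp=none)")
    return {
        "policy": policy,
        "subdomain_policy": subdomain_policy,
        "pct": pct,
        "mode": mode,
        "aggregate_reports": rua,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        try:
            result = assess(record)
            print(f"{domain}: {result['mode']} (p={result['policy']}, "
                  f"sp={result['subdomain_policy']}, pct={result['pct']})")
            for w in result["warnings"]:
                print(f"  warning: {w}")
        except ValueError as exc:
            print(f"{domain}: invalid record ({exc})")
```

A monitor-only record with a rua address is the recommended starting point the quote above refers to: it produces aggregate reports without affecting delivery, and the warnings list flags the two common mistakes (no reporting address, or a subdomain policy weaker than the organisational one) before a domain moves to quarantine or reject.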
- Privacy, please
Privacy is a right that people feel strongly about, and their email inboxes are no different. An email address is your digital identity: it’s how you keep in touch and access content. The following events put email privacy and personal data at risk in 2017.
List bombing, or subscription bombing, a cyber criminal tactic that uses bots to submit mailing list subscription requests at rates of over 1,000 per minute, shook the email industry in late 2016 and early 2017. This tactic presented a unique problem to email service providers, marketers and anti-spam vendors alike. List bombing allowed cyber criminals to mount an email "distributed denial of service" style attack and harass individuals. Unique attacks like this foster collaboration across ISPs, abuse desks, security vendors and ESPs, who share ideas and tactics aimed at combating abusers and staying one step ahead.
Email encryption in transit has also risen in importance this past year, starting with email providers adopting and implementing Transport Layer Security. TLS encrypts an email while it travels between mail servers, making it more difficult for others to read what you are sending. According to Google, encrypted inbound email into its networks rose to 90 percent at the end of November 2017, compared to just 63 percent at the beginning of 2016. This is a sign that more senders are encrypting email in transit to protect their customers’ privacy. Google also announced in June 2017 that it would stop scanning the inboxes of Gmail’s free mailbox service for ad personalization.
- Laying down the law
Many countries and governing bodies around the globe took steps to update digital communication laws and governance this past year. Marketers, especially those in Europe, are gearing up for the General Data Protection Regulation (GDPR) rules that go into effect in May 2018. This legislation applies to all EU businesses that handle personal data; it tightens the definition of clear, unambiguous consent and increases accountability for obtaining it.
Over in Canada, the Canadian government announced it was suspending the provision known as the private right of action, part of Canada’s Anti-Spam Legislation (CASL). The provision would have allowed consumers to sue any company that sent email in violation of the law. July 1 marked the final rollout of CASL and the end of the transition period for implied consent. We also saw the first fine levied against a small business owner, to the tune of $15k, in 2017. Total fines issued for infringement of CASL since 2014 exceed $1.5MM.
In the US, the FTC is reviewing CAN-SPAM, the United States law that regulates commercial mail. Enacted in 2003, CAN-SPAM is in need of a review as the digital landscape has dramatically changed over the past 14 years. In June, the FTC opened a request for comment on "the efficiency, cost, benefits, and regulatory impacts of the Rule." Numerous email vendors, anti-spam groups, and advocates submitted comments to the FTC before the August deadline.
Email made headlines across the world for political reasons, cyber attacks on high profile business, and abuse of personal privacy in 2017. Multiple countries prepared for the digital marketing landscape of the future with new governance and legislation aimed at protecting subscribers and holding marketers accountable. To all the pundits out there, email is not dead, it is alive and well and I look forward to another exciting year in email come 2018!
Anthony Chiulli embraces the role of trusted advisor with digital marketers to achieve optimal delivery and engagement for their marketing programs, with a focus on Deliverability. Anthony is a senior member of Salesforce Deliverability Services team and a board member of the eec Member Advisory Committee.