You may never hear or see the word DMARC in your email, but it’s going to have a major impact in keeping phishing scams out of your inbox.
Phishing has been around since before many of us had even begun using the Internet — way back in 1995 when some AOL users were asked to verify their billing information by unscrupulous scammers. Seventeen years later phishing is still alive and kicking, and it’s been at the core of some of the biggest corporate network breaches in the past several years — including the one that targeted our own Treasury and Finance systems.
In case you’re still in the dark about phishing, here’s the short version of how it works. Scammers generally pose as something they’re not — a representative from a bank or other company that might have access to your billing information, or even a member of the opposite sex looking for a “date.” They’ll send out an initial phishing mail in an attempt to get you to start a conversation so they can pass you along to a more skilled phisher who can reel you in once you’re hooked. Sometimes they’ll jump right in with a fake billing form or a link to a bogus password reset page. Once they’ve got your details, you’re in big trouble. Bank accounts can be cleaned out, passwords can be reset on social networking and email accounts, and they can pose as you in an attempt to ensnare your contacts.
More than a year ago, some of the web’s heavy hitters got together to form a unified front against phishing scams: Google, Microsoft, Yahoo, AOL, Facebook, LinkedIn, and PayPal are all on board. Now they’re ready to launch DMARC.org, a new trust and verification system that they hope will help improve email security around the globe.
DMARC — which stands for Domain-based Message Authentication, Reporting & Conformance — was created to give email providers a standardized method of digitally signing outgoing mail as well as a way to verify the authenticity of incoming mail using those signatures. Mail coming from PayPal, for example, would have to be signed by PayPal’s own servers, or else the DMARC-enabled server at the other end would consider it to be fraudulent and simply discard it.
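To make the "signed by the sender's own servers, or else discarded" idea concrete, here is an added walk-through of how a receiving server applies a DMARC record. This is example code written for this page, not code from DMARC.org or any of the companies named above. It assumes the DKIM signature and SPF check have already been verified upstream (DMARC itself does not sign mail; it layers a policy and an alignment rule on top of those two checks), and all domain names and the TXT record below are constructed placeholders.

```python
"""Walk-through of DMARC policy evaluation at a receiving mail server.

DMARC asks one extra question on top of DKIM and SPF: does the domain that
passed DKIM (the d= tag) or SPF (the MAIL FROM domain) *align* with the
domain in the visible From: header that the user sees?  If neither aligns,
the sender's published p= policy tells the receiver what to do with the mail.
All inputs here are constructed sample values, not real DNS data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DmarcRecord:
    policy: str          # p=  : none | quarantine | reject
    adkim: str = "r"     # DKIM alignment mode: r (relaxed) or s (strict)
    aspf: str = "r"      # SPF alignment mode:  r (relaxed) or s (strict)
    pct: int = 100       # sampling percentage; parsed but not applied below


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a _dmarc.<domain> TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy: {policy}")
    return DmarcRecord(
        policy=policy,
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        pct=int(tags.get("pct", "100")),
    )


def org_domain(domain: str) -> str:
    """Toy organizational-domain reduction: keep the last two labels.

    Real receivers consult the Public Suffix List so that e.g. 'co.uk' is
    not treated as an organization; this shortcut is enough for the demo.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Does the domain that passed DKIM/SPF align with the From: domain?

    Strict ('s') requires an exact match; relaxed ('r') accepts any
    subdomain of the same organizational domain.  No passing domain at all
    (None) never aligns.
    """
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(record: DmarcRecord, from_domain: str,
             dkim_pass_domain: Optional[str],
             spf_pass_domain: Optional[str]) -> str:
    """Return the DMARC disposition: 'pass', or the sender's policy on failure.

    dkim_pass_domain: the d= domain of a DKIM signature that verified, or None.
    spf_pass_domain:  the MAIL FROM domain if SPF returned pass, or None.
    """
    dkim_ok = aligned(dkim_pass_domain, from_domain, record.adkim)
    spf_ok = aligned(spf_pass_domain, from_domain, record.aspf)
    if dkim_ok or spf_ok:
        return "pass"
    # Neither authenticated identity matches what the user sees: apply p=.
    return record.policy


if __name__ == "__main__":
    # Constructed record for a fictitious bank; strict DKIM, relaxed SPF.
    rec = parse_dmarc("v=DMARC1; p=reject; adkim=s; aspf=r; "
                      "rua=mailto:dmarc-reports@bank.example")
    print(evaluate(rec, "bank.example", "bank.example", None))            # pass
    print(evaluate(rec, "bank.example", None, "mail.bank.example"))       # pass
    print(evaluate(rec, "bank.example", "mail.bank.example", None))       # reject
    print(evaluate(rec, "bank.example", "phisher.example", "phisher.example"))  # reject
```

The third case is the one that surprises people: the message carries a valid DKIM signature, but because the record asks for strict DKIM alignment, a signature from a subdomain does not count, and with no aligned SPF result the mail falls through to the `p=reject` policy. Senders who want subdomain mail servers to sign on their behalf either publish `adkim=r` or sign with the exact From: domain.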
In theory, DMARC could make it virtually impossible to spoof messages from anyone who’s equipped their servers to utilize the new standard once it’s finalized. Once that happens, it shouldn’t take long before leading websites, financial institutions, and other connected businesses line up to join the fight against phishing and email fraud on a global scale.
If you think you’ve stumbled across a phishing scam in your email inbox, make sure you report it. Not sure your scam-spotting abilities are up to par? There’s no time like the present to learn how to tell a phishing attempt apart from a legitimate email.
[Source: DMARC and New York Times]
(image credit: epoxydude/Getty Images)