Author: Alex Brotman, Co-chair, Data & Identity Protection Committee at M3AAWG, and Senior Engineer at Comcast
On August 6th, I participated in a panel discussion hosted by Infosecurity Magazine focused on technologies, strategies and tactics to fight phishing. The discussion, moderated by Dan Raywood, the publication’s Contributing Editor, and featuring Olesia Klevchuk, Senior Product Marketing Manager at Barracuda and James Gosnold, Security Practitioner, provided a comprehensive overview of the latest phishing-related threats and offered insight into how security professionals have adjusted their security approaches following the COVID-19 pandemic.
As Co-chair of M3AAWG’s Data & Identity Protection Committee, and Senior Engineer at Comcast, I’ve been fortunate to work alongside exceptional security professionals and help develop and implement safeguards for both senders and receivers. During this discussion, I shared some of these learnings and best practices – curated by M3AAWG – on preventing phishing attacks while also ensuring the deliverability of messages. As COVID-19 increases our reliance on online resources and messaging, it’s especially important that both senders and recipients implement protections that will help prevent abusive messaging.
Here’s a short preview:
As I mentioned in the clip, although the volume of spam is down, cybercriminals are increasingly using spear phishing to coerce specific individuals into taking a particular action. These attacks not only threaten the privacy, security and finances of organizations and individuals alike, but they also present unique challenges in ensuring deliverability.
While today’s systems are extremely effective at filtering spam, no solution can prevent all spam from reaching inboxes. As recipients, we must be prepared to encounter, prevent and report phishing attacks. Several precautions that we can take to protect against phishing attacks include:
- Be prudent when it comes to sharing your email. Not everyone is a legitimate sender and cybercriminals can use your email address to target you.
- Trust your instincts and double check. Ensure that you have a relationship with the sender and look out for “urgent requests” and grammatical errors.
- Call the company to verify a request. Visit their website to learn more about their policies and confirm any request that seems suspicious through an alternative source.
- Be cautious when opening attachments or links. Attachments could be laden with viruses.
These precautions can be helpful in thwarting phishing attacks but may also hinder the deliverability of legitimate senders’ messages. For example, a recipient may opt-out from, or even report, legitimate messages due to suspicion that they may be spam. In order to ensure deliverability, senders must also implement measures to take ownership of their messages and assure recipients of their legitimacy, including:
- Implement confirmed opt-in or double opt-in, as well as opt-out controls for recipients. This will ensure recipients want to receive your messages and will help prevent your messages from being labeled as spam.
- Don’t try to outsmart mailbox placement; recipients may perceive this as malicious behavior.
- Use third-level domains to associate message ownership with the top-level domain and help track accountability.
- Take ownership of your messages and protect your reputation by implementing DMARC / DKIM / SPF.
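As an added example (not code from the post, M3AAWG or Comcast), the small checker below ties the last two sender recommendations together: it parses constructed SPF, DKIM and DMARC TXT records for a third-level sending domain and reports which of the recommended controls are missing, falling back to the organizational domain's DMARC sp= policy the way DMARC does. The domain names, selector and record values are assumptions.

```python
"""Check a third-level sending domain for the SPF/DKIM/DMARC records the
post recommends.  Added example, not code from the post, M3AAWG or Comcast;
the zone data below is constructed."""
import re

# Constructed TXT records: a sending subdomain plus its organizational domain.
ZONE = {
    "news.example.com": "v=spf1 include:_spf.mailprovider.example -all",
    "s2020._domainkey.news.example.com": "v=DKIM1; k=rsa; p=<constructed-public-key>",
    "_dmarc.news.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record (DKIM/DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_sender_domain(zone: dict, domain: str, selector: str) -> list:
    """Return findings for a sending domain; an empty list means it meets the advice."""
    findings = []
    spf = zone.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("no SPF record")
    elif not re.search(r"\s[-~]all$", spf):
        findings.append("SPF lacks a -all/~all terminal mechanism")
    dkim = parse_tags(zone.get(f"{selector}._domainkey.{domain}", ""))
    if dkim.get("v") != "DKIM1" or not dkim.get("p"):
        findings.append(f"no usable DKIM public key for selector {selector}")
    dmarc = parse_tags(zone.get(f"_dmarc.{domain}", ""))
    if dmarc.get("v") != "DMARC1":
        # No record on the subdomain: DMARC falls back to the organizational
        # domain's sp= (else p=).  Assumption: the parent is one label up;
        # real DMARC derives the organizational domain from the Public Suffix List.
        parent = domain.split(".", 1)[1]
        dmarc = parse_tags(zone.get(f"_dmarc.{parent}", ""))
        if "sp" in dmarc:
            dmarc["p"] = dmarc["sp"]
    policy = dmarc.get("p")
    if dmarc.get("v") != "DMARC1" or policy is None:
        findings.append("no DMARC policy covers this domain")
    elif policy == "none":
        findings.append("DMARC policy is monitoring only (p=none)")
    if dmarc.get("v") == "DMARC1" and "rua" not in dmarc:
        findings.append("DMARC record has no rua= aggregate report address")
    return findings
```

Run it against live DNS by replacing the ZONE dict lookups with TXT queries; the checks themselves do not change.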
These high-level takeaways only scratch the surface of my presentation, but they provide foundational steps for ensuring deliverability while working to prevent phishing. During the discussion, Dan facilitated great insights, questions and responses from the audience on the challenges they face in both preventing phishing attacks and ensuring deliverability. If you’d like to learn more about the latest strategies and tactics to fight phishing from me, Olesia and James, you can view the webinar on demand, in its entirety, at Infosecurity Magazine.