Email phishing is at its highest level in three years, and one of the latest lines of attack capitalizes on the strict rules of GDPR, targeting executives and public-facing emails at businesses. Valimail’s Seth Blank examines how to protect your organization.
While much has changed over the past year, some things have stayed the same. New email security threats now commingle with the old. Case in point: the fake GDPR phishing campaign discovered late last summer. Phishers targeted organizations across multiple verticals with a fake compliance reminder about the European Union’s GDPR, with the campaign using the GDPR’s strict rules and fear of noncompliance to lure business executives into turning over their email login credentials.
GDPR has been a perfect storm for the compliance and security fields — and the perfect opportunity for hackers. The EU’s implementation of the GDPR in May 2018 strengthened privacy rights and underscored the need for consent when data is shared. The EU aimed to protect the “personal data” of its citizens and residents with the GDPR. It is a vast understatement to say that there is a lot to unpack within the law. The piece hackers find the most enticing, though, is email. Under the law, email addresses and content are considered “personally identifiable information” (PII). Given email’s pervasive reach, safeguarding it under the new GDPR quickly became a global issue — not just an EU one. Phishing scams popped up almost right away. Organizations became all too aware that their email practices could — even unintentionally — lead to massive fines.
The Complexity of GDPR
Now almost three years into the law, it’s safe to say that many on the compliance side view the GDPR as ambiguous at best, and (more often, if they’re honest) a complete mess. The rub lies at the intersection of the law and technology — not the intent — because digital and privacy don’t overlap cleanly. Technology moves at the speed of light, but government and law are designed to be slow and deliberative. As a result, it’s nearly impossible to segment a law like the GDPR in a way that scales across different geographies and different types and sizes of companies and further advances in technology. Aspirationally, the notion of consent in today’s digital world is essential, and protecting consumers’ private information is paramount. Practically and technologically speaking, however, the devil is in the details, and these ideas are much trickier than the GDPR set them out to be.
What does the GDPR even mean for compliance and security? The definitions are seemingly fluid. While privacy professionals participated in the creation of the law, communicating the conditions and requirements of GDPR compliance has proven more challenging in practice. For example, a clear definition is lacking on what “anonymous” means. Under the GDPR, anonymous data is not treated as personal data. But it is complicated to prove that data is truly anonymous. For instance, age alone is not a unique identifier, but the combination of demographics like age, gender or address could allow for identification. Another problem is that the GDPR’s many protections also let criminals cover their tracks, with few exceptions made for security teams’ needs.
The law’s level of specificity needs to change; things need to be defined more clearly. There’s too much uncertainty at the moment. So compliance professionals are understandably confused — and cautious — about the GDPR’s impact. With no end to the confusion in sight, compliance professionals are left questioning where the lines are and which practices and technologies are legitimate. Organizations are justifiably nervous and fearful of finding themselves on the wrong side of the GDPR.
Control the Controllable
Unfortunately, there is no silver bullet for GDPR compliance. But compliance professionals can and should control what’s controllable on their end. To manage and protect PII appropriately, organizations can start by looking at the services that send email on their behalf and ensuring that data processing agreements (DPAs) — a requirement of the GDPR — are in place for all of them. They can also employ a solution that locks down corporate-owned domains from unauthorized use. This is where DMARC (domain-based message authentication, reporting and conformance) shines.
DMARC is an email authentication tool and reporting protocol that protects an organization’s domains, brands and employees. The Global Cyber Alliance (GCA) touts it as the first and only widely deployed email security technology that helps to protect both customers and domain owners. According to GCA research, organizations that deploy DMARC on a single domain could realize up to a 35-fold return on their investment.
DMARC also provides critical insights that help to authenticate the source of the email. First, DMARC gives organizations visibility into who is sending email from their company domains. As a compliance professional, shouldn’t you know which companies and cloud services can send email on your company’s behalf?
Equally important, the visibility DMARC provides gives organizations the data they need to manage and control their DPAs and stay GDPR-compliant. With DMARC, a company can enforce a rule that only those services that have signed DPAs can send email from the company’s domain.
Connecting the Puzzle Pieces
It’s important to note that DMARC only solves the issue of exact-domain impersonation (also known as domain spoofing) and, as a result, is just one piece of the GDPR compliance puzzle that organizations should be piecing together. But it sure is an important one. After all, phishing attacks are usually the weapon of choice for cybercriminals. Phishing data illustrates the scope of the problem:
- 91 percent of all cyberattacks begin with a phishing email to an unsuspecting victim.
- 68 percent of the phishing emails Gmail sees on any given day are wholly new and have never been seen before, according to a presentation from Google at Black Hat USA.
Further, the quick and targeted nature of email phishing illustrates how fast hackers move and change. Two other striking details emerge from that Google Black Hat USA presentation:
- The average boutique phishing campaign lasts only seven minutes.
- The average bulk phishing campaign lasts only 13 hours, equating to about 170 emails.
Cybercriminals always look for the easiest way in. If DMARC is in place and enforced for a particular domain, attackers are forced to either use other more complicated and time-consuming impersonation techniques or pick a different target. Research has shown that companies without DMARC have almost four times the volume of malicious email sent in their name.
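The DMARC workflow described above (check that the domain’s policy is actually enforcing, read the aggregate reports that mailbox providers send back, and reconcile each sending source against the list of services with a signed DPA) can be automated. The script below is an added example written for this article, not code from the author or from Valimail. It assumes a hypothetical domain `example.com`, a constructed DMARC TXT record, a constructed aggregate (RUA) report with three sending sources, and a hypothetical DPA registry keyed by DKIM selector, on the assumption that each authorized service signs with its own selector.

```python
"""Added example: audit DMARC policy and aggregate-report data against a
DPA registry. All domains, IPs, selectors and report contents below are
constructed samples, not data from the article."""
import xml.etree.ElementTree as ET

# Hypothetical DMARC record as it would be published at _dmarc.example.com.
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; pct=100"

# Hypothetical registry: DKIM selector -> service that has a signed DPA.
DPA_SELECTORS = {"crm": "CRM platform", "hr": "HR and payroll platform"}

# Constructed aggregate report in the RFC 7489 XML layout. Three sources:
# a DPA-covered CRM sender, a newsletter tool that authenticates but has
# no DPA on file, and an outright spoof that the reject policy blocked.
SAMPLE_RUA_XML = """<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>crm</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>newsletter</selector><result>pass</result></dkim>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>300</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>203.0.113.99</domain><result>none</result></spf></auth_results>
  </record>
</feedback>"""


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def is_enforcing(record):
    """p=none only monitors; only quarantine or reject stops spoofed mail."""
    return record.get("v") == "DMARC1" and record.get("p") in ("quarantine", "reject")


def parse_aggregate(xml_text):
    """Flatten each <record> into the fields needed for reconciliation."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = rec.find("auth_results/dkim")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),   # aligned DKIM result
            "spf": evaluated.findtext("spf"),     # aligned SPF result
            "selector": dkim.findtext("selector") if dkim is not None else None,
        })
    return rows


def classify_sources(rows, dpa_selectors):
    """Bucket sources: DPA on file, authorized but no DPA, or unauthorized."""
    report = {"dpa_on_file": [], "no_dpa": [], "unauthorized": []}
    for r in rows:
        if r["dkim"] != "pass" and r["spf"] != "pass":
            report["unauthorized"].append(r)      # DMARC failed: spoof or misconfig
        elif r["selector"] in dpa_selectors:
            report["dpa_on_file"].append(r)       # known, contracted service
        else:
            report["no_dpa"].append(r)            # authenticates, but needs a DPA
    return report


if __name__ == "__main__":
    record = parse_dmarc_record(DMARC_RECORD)
    print("policy enforcing:", is_enforcing(record))
    for bucket, rows in classify_sources(parse_aggregate(SAMPLE_RUA_XML), DPA_SELECTORS).items():
        for r in rows:
            print(f"{bucket:12} {r['source_ip']:15} msgs={r['count']:4} disposition={r['disposition']}")
```

The `no_dpa` bucket is the compliance signal the article is after: that source is legitimately authorized at the DNS level, so DMARC will keep delivering its mail, and the fix is contractual (sign a DPA) or administrative (retire the selector’s key). The `unauthorized` bucket shows the enforcement effect of `p=reject` in the report itself, since the disposition field records that the mailbox provider discarded the spoofed messages.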
Additional steps can provide even more protection. For example, implementing multi-factor authentication (MFA) is one of the most effective ways to lock down account access and protect your organization against account takeover attacks. Even if a phishing attack is successful, MFA can prevent attackers from using the stolen credentials to access protected systems. Is MFA bulletproof? No. But MFA combined with DMARC and other protections can substantially boost an organization’s security and its GDPR compliance.
The importance of DMARC as a GDPR puzzle piece is illustrated in the magnitude of benefits it offers organizations. Not only do compliance professionals get a catalog of the services sending on their behalf, which helps to ensure GDPR compliance, they also prevent their domains from being used to send fake GDPR notices to executives, employees and consumers.
Long Road Ahead
Compliance professionals have a long road ahead with GDPR. The law will continue to evolve over the next decade as litigation unfolds. Hackers will also continue to exploit that uncertainty, almost certainly ensuring more GDPR-themed phishing campaigns to come.
There is good news: Compliance professionals looking to cover a significant portion of the cyber risk in their roles — and protect their organizations from fear-fueled campaigns — have proven, readily available solutions available, including DMARC and MFA. Together, they can go a long way toward reducing the uncertainty around GDPR and the risk of noncompliance.