“DMARC pass” doesn’t always mean it’s not a phish… users still need to pay attention!!
HTTPS secures the connection between the user’s computer and the website so that no one else can see the information exchanged between the two. DMARC verifies that the email is actually from the source that it claims to be from. Both increase security. However, they have similar shortcomings. So we wanted to discuss one of DMARC's shortcomings to ensure users don’t learn to “over trust” DMARC. We have discussed this before, see our post on What DMARC Can and Can’t Do, and Does DMARC Really Increase Email Security.
An authenticated message does not mean the sender is who they claim to be
Passing DMARC means that the email has been authenticated, which means the domain owner has authorized the message. However, a phishing email could pass DMARC if it uses a “from” domain controlled by the attacker. Anyone can buy a domain and set up SPF, DKIM, and DMARC to they can send authenticated emails. However, authentication is only related to that specific domain, not the business or individual the email claims to be from. An attacker can buy similar domains (known as cousin domains) and set up email authentication to fool victims with authenticated emails. Businesses can protect against this by buying cousin domains and using DMARC to block emails from those domains. However, it’s difficult to think of every potential cousin domain. Therefore users need to be aware of cousin domain so they aren't duped into clicking on an authenticated phish.
How to not fall for the bait
Due to the nature of DMARC (the fact that it authenticates a domain name, not a business), there is always going to be the possibility that a phishing attack gets delivered to inboxes. Here’s how to avoid them.
Before clicking any link, responding to, or taking any action
1. Verify that the “from” domain belongs to the business or individual that the message claims to be from.
- Check the domain’s spelling very carefully, a fake domain might differ by only one character.
- Make sure it’s the right domain for that business or individual. Have you received other, trusted emails from the same domain? Have you received an email from that business using a different domain? If you search for that business, does the domain come up at or near the top of the search result? (don’t search for the domain, search for the company or email from the company to verify its domain)
- Don’t let the "sender name" fool you. The name that shows up in next to the “from” address is usually the name of the sender. However, an attacker can change that to say anything they want. They might put the business’s real domain in the sender name, while the “from address is something different.
2. Consider whether you really need to click on a link in the email- the answer is likely “NO”. Even if you're fairly sure that the email is from the right source, clicking links in emails is an unnecessary risk. In almost every case, you can navigate to the linked website without clicking on the link in the email.
- If there is no way to get to the linked website without clicking (or copying) the link, you might want to consider if you really need to go to that website.
How does DMARC help?
At this point, you may be wondering why DMARC is even useful if users still need to be vigilant to avoid phish. By blocking spoofed emails, DMARC makes it possible for vigilant users to identify phishing emails that get through. Without email authentication, even the most vigilant user could be duped by a phishing scam because the attacker could use (spoof) the exact correct “from” address. DMARC makes it difficult (but not impossible) for attackers to phish domains because they have to hope the users don’t notice the differences. Without DMARC, there is no difference for users to notice.