Oklahoma state auditor’s office has become the target of a phishing attack. We’ve been warning that state governments need to start using email authentication; this is exactly why!
According to this article, there’s an email circulating claiming to be from the Oklahoma state auditors office (from someone named Kevin Anderson) that encourages recipients to click a link or open an attachment to find out how to receive a deposit from the agency. The Agency states that they never have and never will send deposits in this manner. The article doesn’t give too much detail about the email. We don't know which domain the attacker used to send the emails. However, the Oklahoma State Auditor and Inspector’s Office uses the subdomain sai.ok.gov, which has a valid SPF record and is using DMARC:
They’re using DMARC, great! So, why did the phishing email get through to recipients? Since we didn’t see the entire original email, it’s impossible to say for sure. There are a few possibilities:1. The spoofed email was no blocked because they are not on a strict DMARC policy yet. Since they are only in monitoring mode, they can still be spoofed. This subdomain has p=none; which means that they receive DMARC reports, but no action is taken to prevent unauthenticated emails from getting to inboxes. In this scenario, the phishing email would go to spam if sai.ok.gov were on p=quarantine, and it wouldn’t be delivered at all if it were on p=reject. If this is the case, we’d like to talk to whoever monitors the inbox for firstname.lastname@example.org. We can help move domains to Reject more quickly.2. It’s also possible that the attacker used a different domain and only made it look like it came from the State Auditor’s Office. This can be done using cousin domains or by changing the display name. If this is the case, DMARC could not have stopped the email, and the best option available currently is to educate people on how to spot a phishing attack. To learn more about DMARC, see our post, What DMARC Can & Can’t do for Domains. We have some tips for this in our post about tax-related services providers and DMARC.
Fraudmarc can help with DMARC Implementation
No matter what the details were for this specific case, we can help prevent future spoofed emails for all of your domains!There are so many examples of email phishing in the news recently, we can’t keep up with them all. While DMARC can't stop every type of phishing email, it is extremely useful in blocking spoofed email, which is frequently the most difficult to distinguish from legitimate emails.Fraudmarc offers a variety of plans and tools to help every domain achieve a DMARC Reject policy. Fraudmarc’s tools help with managing and monitoring as many authorized senders and DKIM selectors as required for your domain. Fraudmarc uses SPF Compression℠, so the number of DNS lookups needed to authenticate all of your authorized senders is minimized. Also, Fraudmarc’s DMARC reports are always free, so you will have the tools and information you need to configure your policies accurately.Note to the Oklahoma webmaster: based on the fact that sai.ok.gov has SPF and DMARC while ok.gov has nothing, we're guessing the state is not using ok.gov to send any email. If that’s the case, then DMARC and SPF for ok.gov are easy! Contact us and we’ll help you quickly secure this domain. Oklahoma.gov doesn't have any email authentication either.