Over the past few months there have been several cases of criminals impersonating government departments in phishing campaigns, prompting Sen. Ron Wyden (D-OR) to write to the Department of Homeland Security calling for the use of DMARC to prevent phishing attacks using federal email domains.
Phishers are sending emails that appear to come from real domains used by federal agencies. The official domains add authenticity to the phishing attacks, increasing the likelihood that email recipients will open the emails and take whatever action the attackers suggest.
DMARC can be used to prevent spoofing of domains. DMARC builds on two existing email authentication systems, DomainKeys Identified Mail (DKIM) and the Sender Policy Framework (SPF), and adds a check that the domain those systems authenticate matches the domain shown in the email's From header. A domain owner publishes a DMARC policy in DNS telling receiving mail servers what to do with messages that fail that check (monitor, quarantine or reject), and receives reports from those servers showing who is sending mail using the domain, whether a legitimate user or a third party.
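As an added illustration of that check (example code written for this page, not code from the article or from any product it mentions), the following evaluates a DMARC policy against the SPF and DKIM results a receiving server already has for one message. The policy record, the domain names (`agency.example`, `phish.example`) and the message results are all constructed; a real receiver fetches the record from the DNS TXT record at `_dmarc.<domain>` and uses the Public Suffix List to find the organizational domain, both of which are simplified here so the example runs offline.

```python
"""DMARC evaluation for one message, given its SPF and DKIM results.

Added example, not code from the article or any product it mentions. The policy
records and message results below are constructed. A real receiver fetches the
record from the DNS TXT record at _dmarc.<domain>; here it is passed in as a
string so the example runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into tag/value pairs, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    return tags


def organizational_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels.

    Assumption for this example: real implementations consult the Public Suffix
    List so that a domain such as 'agency.gov.uk' is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


@dataclass
class AuthResults:
    """What the receiving server already knows before DMARC runs."""
    from_domain: str                  # domain in the RFC5322.From header, the one the user sees
    spf_pass: bool = False            # SPF result for the envelope sender
    spf_domain: str = ""              # RFC5321.MailFrom domain that SPF checked
    dkim_passes: List[str] = field(default_factory=list)  # d= of every DKIM signature that verified


def evaluate_dmarc(record_txt: str, r: AuthResults) -> Tuple[str, str]:
    """Return (result, disposition): ('pass', 'none') or ('fail', <policy to apply>).

    Assumes record_txt is the record published for the organizational domain of
    r.from_domain (a real receiver queries the exact From domain first).
    """
    tags = parse_dmarc_record(record_txt)
    # SPF only counts if it passed AND the envelope domain aligns with the From domain:
    # an attacker whose own domain passes SPF gains nothing from it.
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    # Likewise a valid DKIM signature only counts if its d= aligns with the From domain.
    dkim_ok = any(aligned(r.from_domain, d, tags["adkim"]) for d in r.dkim_passes)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # Subdomains fall under sp= when present, otherwise p=. pct= (sampling) is ignored
    # here to keep the result deterministic.
    is_subdomain = r.from_domain.lower() != organizational_domain(r.from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return ("fail", policy)


# Constructed sample: an agency with a reject policy and three messages claiming to be from it.
AGENCY_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@agency.example"

SAMPLE_MESSAGES = {
    "legitimate": AuthResults("agency.example", spf_pass=True, spf_domain="mail.agency.example"),
    # Attacker controls phish.example, so SPF passes for it, but it does not align with the From domain.
    "spoofed": AuthResults("agency.example", spf_pass=True, spf_domain="phish.example"),
    "spoofed subdomain": AuthResults("alerts.agency.example", spf_pass=False, spf_domain="phish.example"),
}


if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(f"{name:18s} -> {evaluate_dmarc(AGENCY_RECORD, msg)}")
```

The point to take from the spoofed case is that SPF and DKIM alone are not enough: the attacker's message passes SPF for the attacker's own domain, and only the DMARC alignment requirement ties the result back to the domain the recipient actually sees.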
DMARC is already widely used to prevent phishing attacks: AOL, Yahoo and Google have adopted it, but U.S. government agencies largely have not. The U.S. government has approximately 1,300 domains, yet estimates suggest only around 2% of them are protected by DMARC.
The UK government has recently adopted DMARC following an increase in impersonation attacks, yet the U.S. lags behind. Sen. Wyden says in the letter, “Government-wide implementation of DMARC has had a huge impact in the United Kingdom. In 2016, the U.K. required all government agencies to enable DMARC. As a result, the U.K.’s tax agency has stated that it reduced the number of phishing emails purporting to come from that agency by a staggering 300 million messages in one year.”
There is a clear need for additional protections to prevent impersonation attacks, as this year's tax season has highlighted: the IRS reports a 400% increase in impersonation attacks. Wyden also points out in the letter that even Defense Security Service email domains have been used in phishing attacks.
Wyden said federal agencies must adopt DMARC to prevent phishing and suggests the Department of Homeland Security incorporate DMARC into its Cyber Hygiene Program and scan all federal agency systems. He also suggests the General Services Administration keep track of phishing attempts and analyze the DMARC aggregate reports that receiving mail servers send back, to find out who is attempting to impersonate government agencies.
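The analysis of DMARC reports that the letter asks for starts with parsing the aggregate (rua) reports that receiving mail servers send to the address in the domain's DMARC record. As an added example, not code from the article or from any agency, the following summarises one such report and lists the sources that sent mail as the domain without passing DMARC. The report XML is a constructed sample in the RFC 7489 Appendix C format, using documentation IP ranges and the made-up domains `agency.example` and `receiver.example`; real reports arrive by email as zip or gzip attachments and are parsed the same way once decompressed.

```python
"""Summarise a DMARC aggregate (rua) report: who sent mail as the domain, and who failed.

Added example, not from the article. SAMPLE_REPORT is a constructed report in the
RFC 7489 Appendix C aggregate-report format; IP addresses are from documentation
ranges and the domains are invented.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1500000000</begin><end>1500086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>agency.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>agency.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>350000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>agency.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.5</source_ip>
      <count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>agency.example</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> Dict[str, object]:
    """Aggregate message counts per source IP into DMARC-passing and DMARC-failing buckets."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    passed: Dict[str, int] = defaultdict(int)
    failed: Dict[str, int] = defaultdict(int)
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # In policy_evaluated, dkim/spf are the *aligned* results the receiver computed,
        # so DMARC passes if either one is "pass"; everything else is unauthorised use.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        if dkim == "pass" or spf == "pass":
            passed[ip] += count
        else:
            failed[ip] += count
    return {"domain": domain, "policy": policy, "passed": dict(passed), "failed": dict(failed)}


def failing_sources(xml_text: str) -> List[Tuple[str, int]]:
    """Source IPs that sent mail as the domain without passing DMARC, largest volume first."""
    summary = summarize_report(xml_text)
    return sorted(summary["failed"].items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"domain {s['domain']} published p={s['policy']}")
    for ip, n in failing_sources(SAMPLE_REPORT):
        print(f"  {ip} sent {n} messages that failed DMARC")
```

With the published policy still at `p=none`, the 350,000 failing messages from 198.51.100.77 were delivered anyway; the report only makes the impersonation visible. Moving to `p=quarantine` or `p=reject` is what stops them, which is why agencies are advised to review these reports first so that legitimate senders such as 192.0.2.5 (passing SPF, with no DKIM) are identified before the policy is tightened.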