
Uber's Phishing Tale Can Teach Banks a Lot About Security

Uber, the ride-sharing app that's arguably one of the best-known brands in the world, is the phishing magnet you would expect it to be.

"We've had a couple of different instances where we've gotten more than a million [phishing attacks] in a single day," said Chris Cravens, head of technology services at Uber.

But it fought back in a way that many banks have been reluctant to fully try, even though Uber and other firms have reported some success in safeguarding their email and computer systems.

Either way, the issue is rising high on the list of corporate security concerns, according to federal law enforcement authorities. The FBI's most recent Internet Crime Report identified business email compromise — phishing emails in which the sender impersonates someone at a company to conduct a scam — as the biggest internet fraud threat. The FBI said it received more than 7,800 complaints about these types of scams in 2015, with total reported losses of $246 million.

Moreover, 916 data breaches took place through phishing attacks in 2015, according to the latest Verizon Data Breach Investigations Report.

"Pretty much all sectors, private, public and consumer, are realizing how insecure email is generally," said Ben Knieff, senior research analyst at Aite Group. "It wasn't designed from the ground up with security in mind, so we shouldn't count on email as a reliable source. It's so easy to spoof, so easy to phish."

Not only are companies losing money through phishing; the reputational and legal costs may be escalating as well. In April the hard drive manufacturer Seagate Technology was hit with a class action that claims the company allowed hackers to obtain the financial data of 10,000 employees. In this case, one employee fell for a phishing ruse and forwarded W-2 forms for all current and former employees to cybercriminals. The complaint cites an email in which Seagate's chief financial officer told employees that "this mistake was caused by human error and lack of vigilance, and could have been prevented."

Banks are a major phishing target. "Ninety-one percent of all malware attacks on banks are delivered through phishing," William Nelson, the chief executive of the Financial Services Information Sharing and Analysis Center, said in a recent interview.

Since Uber began using an open email-authentication standard called DMARC (Domain-based Message Authentication, Reporting and Conformance) that banks have been slow to adopt, it has experienced a large drop in phishing attacks.

"When you've got a spoofed email address that's phishing somebody, like the CEO gets an email from ostensibly the CFO with a link in it, all of a sudden you're in trouble," Cravens said. "You can't stop those without DMARC and tools around it like context-based filtering."

Authenticating Emails

DMARC is a protocol for checking that an email really comes from the domain it claims to come from. One part of it, the Sender Policy Framework (SPF), checks public DNS records to make sure a message is coming from a server its domain has authorized. Another part, DomainKeys Identified Mail (DKIM), lets a signer attach a digital signature to each message that is sent.

If hackers manage to compromise an internal email server, and so send mail directly from the company's own email domain in a way that looks legitimate, DMARC cannot catch that.

"However, if you've got reasonable protections around your perimeter and you're monitoring your infrastructure and you're doing all the other things that are necessary to prevent a gnarly breach, then you're in great shape," Cravens said. "The vast majority of the time phishing emails are coming from spurious email servers outside your perimeter that sit out there and send as someone they're not."

DMARC is not technically difficult to implement, Cravens said, unless there's a lot of sprawl in the IT environment, which of course is the case in a lot of banks, with their abundance of older servers and applications. Silicon Valley startups suffer from "cloud sprawl," with people in business groups operating shadow IT organizations and setting up services such as Salesforce.com customer relationship management, he said.

"The hard part is figuring out where all those outliers are and communicating with those people and coming to an understanding of what's really being used," Cravens said.

Not for Everyone

The top four U.S. banks all use DMARC, but only two — JPMorgan Chase and Citigroup — actually reject messages that fail DMARC authentication, as Uber does. The other two (Bank of America and Wells Fargo) only monitor the unauthenticated messages. Bank of America and Wells Fargo declined requests for comment.
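As an added illustration (not Uber's or any bank's code), the following Python evaluates a DMARC record the way a receiving mail server would, contrasting the monitor-only policy (p=none) with the reject policy (p=reject) and showing the compromised-server case described above; the domains, records and the simplified organizational-domain rule are assumptions.

```python
# Added example: a minimal DMARC policy evaluator. A message passes DMARC
# when SPF or DKIM passes AND the authenticated domain aligns with the
# visible From: domain; otherwise the published policy applies.
# All domain names and records below are constructed for illustration.

def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplified organizational-domain rule (last two labels); real
    # receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match with the From: domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain,
                      dkim_pass, dkim_domain):
    """Return the receiver's action for one message: 'pass' (deliver), or the
    domain's policy: 'none' (deliver, report only), 'quarantine', 'reject'."""
    tags = parse_dmarc(record)
    # SPF authenticates the envelope sender domain; DKIM the signing domain.
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_pass and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

# Constructed records: the monitor-only shape and the enforcing shape.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@bank.example"
ENFORCING = "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@bank.example"

if __name__ == "__main__":
    # A spoofed "CFO" message from an outside server: SPF fails, no DKIM.
    for rec in (MONITOR_ONLY, ENFORCING):
        print(dmarc_disposition(rec, "bank.example", False, "attacker.example", False, None))
    # Mail from a compromised but authorized internal server: aligned SPF pass.
    print(dmarc_disposition(ENFORCING, "bank.example", True, "bank.example", False, None))
```

The third call shows the limit Cravens describes: an authorized server sending from the real domain passes alignment, so DMARC returns "pass" even under p=reject. A shadow-IT service sending from its own domain without an aligned DKIM signature is rejected by the enforcing record, which is the "sprawl" problem that makes moving to p=reject hard.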

"The fact that they all have DMARC means they all realize the value of this," said Alex Garcia-Tobar, CEO and co-founder at ValiMail. "The fact that only two out of the four with their infinite resources have actually gotten to reject tells you how complex and how hard it is to fully get there."
