Since we deal with the majority of banks in our industry, one trend that we noticed is the number of banks that are using email authentication in 2017. Only a handful of banks had email authentication back in 2016, and now our data suggests that about one in twenty community banks do. Given that cybersecurity remains in almost every bank’s top five priorities for 2018, ensuring that emails are from who they say they are is now mandatory for every bank. The fix is easy and inexpensive, so there is little excuse not to take a step towards a safer bank. In this article, we will explain what email authentication is, how to check if your bank is protected (it probably is not), the data on what banks are doing, the cost and how to implement it for 2018.
A Brief Summary of Email Authentication
Most emails are sent through a protocol called SMTP. Unfortunately, SMTP doesn’t have a true authentication mechanism, which means that anyone can send an email in the name of your bank’s real email address. Conversely, without authentication you have no way of knowing whether the sender of an email is really who they claim to be. Email authentication adds one or more of several additional protocols so that the bank can have reasonable confidence that the emails it sends and receives are verified. This limits phishing attacks and email spoofing.
Statistically, the most common cyber problem we have as an industry is a bank employee opening a fake email that asks the recipient to download a file or click a link, which then executes code. Most data breaches (53%), according to an IBM study, are the result of an employee not being able to recognize an authentic email. Sure, you can have your employees open nothing, but the loss of productivity also comes at a cost.
A recent survey by ValiMail shows that only 2% of financial services firms have successfully enforced email authentication. That is a scary number because criminals can check whether you are using email authentication, so you shouldn’t make it easy for them.
Many banks, for instance, fail to publish DMARC records at all and so do not use this valuable tool to gain protection against fraud and phishing. Almost as bad, some banks do publish a record for their domain but leave the policy in “monitoring-only” mode; this fails to lock down their email domain and renders the record essentially worthless.
You can test your bank’s domain using a variety of tools. One third-party tool that we like is https://mxtoolbox.com/DMARC.aspx, as banks can run a whole series of tests there, including checks of the SPF and DKIM protocols as well as a review of the overall health of the domain. A simpler tool can be found at https://stopemailfraud.proofpoint.com/dmarc/. Run your bank’s domain, then put in a bank such as “bankofamerica.com” to see what a domain with full email authentication protection looks like.
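The “monitoring-only” trap described above can also be checked programmatically. The following Python is an added example, not code from this article or from the tools it links: it classifies SPF and DMARC TXT records the way a reviewer would read them, using constructed sample records for made-up bank domains; in practice the same names would be fetched with a real DNS TXT lookup.

```python
import re

# Constructed sample TXT records keyed by the DNS name that would hold them.
# A live check would fetch the same names with a TXT lookup; they are embedded
# here so the example runs offline.
SAMPLE_DNS = {
    "_dmarc.monitoring-bank.example":
        "v=DMARC1; p=none; rua=mailto:dmarc@monitoring-bank.example",
    "monitoring-bank.example": "v=spf1 include:_spf.mailhost.example ~all",
    "_dmarc.enforcing-bank.example":
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@enforcing-bank.example",
    "enforcing-bank.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "unprotected-bank.example": "v=spf1 ip4:203.0.113.10 ?all",
}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_status(domain, dns=SAMPLE_DNS):
    """'missing', 'monitoring-only' (p=none), 'partial' (pct<100) or 'enforcing'."""
    txt = dns.get(f"_dmarc.{domain}", "")
    if not txt.lower().startswith("v=dmarc1"):
        return "missing"
    tags = parse_dmarc(txt)
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        return "monitoring-only"  # p=none: reports arrive, but nothing is blocked
    # pct below 100 tells receivers to apply the policy to only a sample of mail.
    return "enforcing" if int(tags.get("pct", "100")) >= 100 else "partial"

def spf_status(domain, dns=SAMPLE_DNS):
    """How the record treats a sender it does not list, from the 'all' qualifier."""
    txt = dns.get(domain, "")
    if not txt.lower().startswith("v=spf1"):
        return "missing"
    match = re.search(r"(?:^|\s)([-~?+]?)all(?=\s|$)", txt, re.IGNORECASE)
    qualifier = match.group(1) if match else "?"  # no 'all' term: neutral by default
    return {"-": "hard-fail", "~": "soft-fail", "?": "neutral"}.get(qualifier, "pass-all")

def assess(domain, dns=SAMPLE_DNS):
    """Combine both checks; 'protected' is the bar the article argues every bank should meet."""
    dmarc, spf = dmarc_status(domain, dns), spf_status(domain, dns)
    protected = dmarc == "enforcing" and spf in ("hard-fail", "soft-fail")
    return {"dmarc": dmarc, "spf": spf, "protected": protected}
```

A domain that publishes DMARC but reports "monitoring-only" here is in exactly the state the paragraph above warns about: reports flow in, but receivers are told to block nothing.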
Putting This Into Action
Most banks handle their own email management and so completely control the authentication process. If not, banks need to check with their email service provider to find out their authentication options. For the most part, implementing email authentication is quick and straightforward and is just a question of correctly configuring what are called the “SPF,” “DKIM” and/or “DMARC” records for your current domains.
Should you find that your bank is not fully protected, the next step is to ask your IT department and send them to https://dmarc.org/ to better understand how to register your domain properly.
Costs for registration and monitoring are largely internal and come to less than $0.25 per user per month. Banks can also subscribe to packages from third-party providers that charge a couple of hundred dollars per year to cover thousands of emails. The median cost for a bank is less than $3,000 per year, depending on size. Compare that to what your bank or your customer would go through after clicking on an email they thought was from a reliable source, only to find out they are the new owner of malware.
Cybersecurity is hard, but this is an easy and inexpensive starting point that banks need to fix. As banks get more serious about cybersecurity, adding an email authentication layer can reduce the probability of breaches, reduce the amount of spam in employees’ inboxes and improve the delivery of the bank’s marketing emails. If your bank has not authenticated its email domain, consider putting it on your initiatives list for 2018.
Submitted by Chris Nichols on December 11, 2017