Email Security: 2017 in Review

In 2017, Statista estimated that, globally, people sent about 269 billion emails per day. Email’s staying power continues to showcase its ability to adapt to the ever-changing landscape of personal and business communications. However, as with any good thing, there’s always a chance of corruption. While 2017 brought with it data breaches and privacy issues, 2018 is already looking like the year where privacy and protection gains ground worldwide.

1. Data Breaches, Phishing, and Email Security

Large companies made headlines in 2017, falling victim to cyber attacks and data breaches that compromised millions of customer records. Many of these cyber attacks were the result of phishing or spoofing techniques that use various methods designed to trick the recipient into giving up his or her personal information. Phishing emails and malicious attachments are still the main causes of data breaches, with 91 percent of all cyberattacks originating from a phishing email.

During May through July 2017, Equifax, one of the three main credit organizations in the United States, suffered a data breach that impacted as many as 143 million consumers in the US. Cyber criminals gained access to names, social security numbers, credit card numbers, and other personally identifying information through the breach. The attack was traced to a simple software flaw that was exploited to gain entry. To make matters worse, Equifax customer support referred those potentially impacted to a phishing knock-off site instead of the company's own information site about the breach.

Not to be outdone, Uber disclosed in November that hackers stole the personal information of 57 million drivers and riders, including phone numbers, email addresses, driver license numbers, and names. The attack actually took place in 2016, but was concealed for more than a year and included a $100,000 ransom payment to the attackers. Hackers are leveraging the stolen personal information, including names and email addresses, to target and personalize phishing emails that attempt to harvest login credentials or deliver malicious payloads.

Yahoo, which was acquired by Verizon in 2016, clarified in October 2017 that in fact all 3 billion of its accounts were compromised in a 2013 cyber attack, tripling its earlier estimate of the breach's size. Hackers used a 'spear phishing' email to obtain a Yahoo employee's credentials and break into the company's systems. Yahoo remains the largest data breach of the 21st century that we are aware of.

Silver lining? Email authentication and security, notably DMARC, made strides this past year, aiming to fight back against the email phishing that serves as the vehicle for many data breaches. This past October, the Department of Homeland Security announced it is requiring federal agencies to implement DMARC on their sending domains within 90 days. Furthermore, the number of ISPs that support DMARC has grown significantly over the past year, with 4.8 billion inboxes now supporting DMARC, representing 76 percent of current global email accounts.

“Widespread adoption by the USG will be viewed by other governments and large businesses as a positive signal of the value of DMARC in protecting against BEC/EAC scams and other prevalent email-borne attacks,” said Paul Midgen, 250ok Advisor and co-author of the original DMARC specification. “If they were sitting on the fence, the outcomes experienced by these organizations should help push those considering adoption towards getting started with a monitor-only policy.”
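Getting started with a monitor-only policy, as Midgen suggests, means publishing a DMARC TXT record with p=none plus a rua address so aggregate reports actually arrive. The following is an added example, not code from the original post or from 250ok, that parses a DMARC record and classifies it as monitor-only, enforcing, or malformed; the sample records and the example.com addresses are constructed.

```python
# Constructed sample DMARC TXT records (not from the original post).
RECORDS = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com",
    "enforce": "v=DMARC1; p=reject; sp=quarantine; pct=100; "
               "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com",
    "broken": "p=none; rua=mailto:dmarc-agg@example.com",   # no v= tag
    "silent": "v=DMARC1; p=none",                            # monitor-only, no reports
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-agg@example.com",
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Classify a record and list the problems a deployer would want to fix first."""
    tags = parse_dmarc(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("v tag missing or not DMARC1; receivers will ignore the record")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        problems.append("p tag missing or invalid (none, quarantine, reject)")
    if "rua" not in tags:
        problems.append("no rua address: a monitor-only policy gives no visibility without reports")
    pct = int(tags.get("pct", "100")) if tags.get("pct", "100").isdigit() else -1
    if not 0 <= pct <= 100:
        problems.append("pct must be an integer from 0 to 100")
    return {
        "policy": policy,
        "monitor_only": policy == "none",
        "enforcing": policy in ("quarantine", "reject") and pct > 0,
        "pct": pct,
        "problems": problems,
    }


if __name__ == "__main__":
    for name, rec in RECORDS.items():
        print(name, assess_dmarc(rec))
```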

2. Email Privacy and Harassment

While not a new topic, email harassment and invasion-of-privacy tactics grew in importance this year. Privacy is a right that people feel strongly about, and their email inboxes are no different. An email address is your digital identity. It's how you keep in touch, what you use for accessing content, and it's how you're known. The following are highlights that put email privacy and your data at risk.

List bombing or subscription bombing, a cyber criminal tactic that uses bots to submit mailing list subscription requests at rates of over 1000 per minute, shook the email industry in late 2016 and into 2017. This tactic presented a unique problem to ESPs, marketers, and anti-spam vendors alike, as it allowed cyber criminals to mount an email 'DDoS' style attack and harass individuals. Unique attacks such as these create a sense of collaboration across ISPs, abuse desks, security vendors, and ESPs, who share ideas and tactics aimed at staying one step ahead of abusers.

Encryption of email in transit has also seen a rise in importance this past year, primarily through email providers adopting TLS (Transport Layer Security). TLS encrypts an email in transit, making it harder for others to read what you are sending. According to Google, inbound email encryption into its networks at the end of November 2017 rose to 90 percent, compared to just 63 percent at the beginning of 2016. This is a great sign that more marketers and senders are encrypting email in transit to their customers to protect their privacy. Google also announced in June of 2017 that it would stop scanning inboxes of Gmail's free user mailbox service for ad personalization.

3. Global Email and Privacy Laws

Many countries and governing bodies around the globe took steps to update digital communication laws and governance this past year. Marketers, especially those in Europe, are gearing up for the General Data Protection Regulation (GDPR) rules that go into effect in May 2018. This legislation applies to all EU businesses that handle personal data, tightens the definition of clear, unambiguous consent, and increases accountability for obtaining it.

Over in Canada, the Government announced the suspension of the provision known as the private right of action, part of Canada's Anti-Spam Legislation (CASL). The provision would have allowed consumers to sue any company that sent email in violation of this law. July 1st, 2017 marked the final rollout of CASL and the end of the transition period for implied consent. 2017 saw the first fine levied against a small business owner, to the tune of $15k. Total fines issued for infringement of CASL since 2014 amount to more than $1.5MM.

Here in the US, the FTC is currently reviewing CAN-SPAM, the United States law that regulates commercial email. Enacted in 2003, CAN-SPAM is in need of a review as the digital landscape has changed dramatically over the past 14 years. This past June, the FTC opened a request for comment on 'the efficiency, cost, benefits, and regulatory impacts of the Rule'. Numerous email vendors, anti-spam groups, and advocates submitted comments to the FTC before the August 31, 2017 deadline.

In Closing

In 2017, email made headlines across the world for political reasons, cyber attacks on high-profile businesses, and abuse of personal privacy. Countries prepared for the digital marketing landscape of the future with new governance and legislation aimed at protecting subscribers and holding marketers accountable. To all the pundits out there, email is not dead; it is alive and well, and I look forward to another exciting year in email come 2018!

This is a Security Bloggers Network syndicated blog post authored by Anthony Chiulli. Read the original post at: Security – TechSpective