Scammers send 3.1 billion domain spoof emails a day. Here’s how to protect yourself (and protect your business)


How do you know that an email from your bank is really from your bank? Or that an email from your boss is not from a scammer in Ukraine?

Short answer: you don’t.

Between 1 and 2% of all emails are scams, says email security company Valimail. They are unscrupulous people posing as a company or organization or person you know, trying to get you to do something like give up your bank details, send a payment, or disclose secret information. On the surface, an email might look good, saying it’s from, for example. It is actually from a random domain controlled by a hacker who is seeking to illegally divert funds from you or your company accounts.

With over 300 billion emails sent daily, that means 3-6 billion scam attempts per day. More than 90% of cybersecurity attacks start with email, Valimail says.

That’s why the company has partnered with Twilio SendGrid to validate email sources and avoid scams like phishing, which tries to get confidential company or personal data, before they start.

Now it’s a special dangerous weather

Scam artists are trying to capitalize on COVID-19 by stealing funds from the $ 349 billion Federal Salary Protection Program.

“Cybercriminals never let a crisis go to waste. Phishing has emerged to exploit uncertainty and fear at a time when people work from home, away from IT support and with an even greater reliance on email. ” Valimail CEO Alexander García-Tobar said in a statement. “Impersonation is the attack vector used by 90% of spear phishing attacks – email sent as your coworkers, your boss, or a trusted organization – and domain spoofing poses unique challenges for both detection and prevention. “

According to the FBI, these types of scams have cost $ 26 billion in the past six years.

And these scam attempts add up to 90% of emails that are annoying but not dangerous: spam. Since roughly 90% of email is spam, it is also being bombarded by its share of 275 billion spam and political emails.

The technology that Valimail is using to defend against phishing is called DMARC, a widely accepted email authentication protocol. By using this protocol correctly, a company can ensure that anyone using a modern email client (80% of email clients perform DMARC checks) will only see the email claiming it is from them if it really is. . (In case you were wondering, Gmail uses DMARC just like and most of the other popular email providers.)

By partnering with Valimail, SendGrid ensures that its customers can avoid being counterfeited. And they can quickly make sure that all the applications they work with that send email are probably validated and configured.

Oddly, that can also help with the deliverability of your own email – the email you send.

Valimail Vice President of Communications Dylan Tweney told me that my personal domain,, was not protected by DMARC. That means someone could fake my domain, act as if it were me, and spam others. If detected, the email would be suspicious in the future, resulting in my actual emails having a harder time getting through spam blockers.

I asked Tweney a few more questions.

Koetsier: What percentage of email is spam?

Tweney 90% or more, according to most industry sources. Almost everything is leaking for now.

Koetsier: What percentage of email is some kind of scam or phishing attempt?

Tweney Estimates vary. Avanan set the phishing rate at approximately 1% of all email volume. Valimail has measured the domain impersonation rate (when the sender uses a legitimate domain in the “from” field that is not actually entitled to us) at 1-2% of all email volume. Gmail recently announced that they are blocking 100 million phishing messages per day.

Koetsier: How much does this new solution reduce those problems?

Tweney The new solutions allow domain owners to protect their domains from counterfeiting using a standard called DMARC. About 80% of inboxes worldwide will perform DMARC checks on every incoming email message, if the domain the message appears to be from has configured it. Depending on the DMARC configuration, the receiving inbox will block or spam any message that has not been authenticated by the domain owners. Almost all phishing emails use a bogus sender identity (pretending to be a person or company you would trust).

It varies by month, but 30-60% of those fakes are using fake domains. Therefore, the DMARC application could block 30-60% of all phishing.

But note that this would also force phishers to use more obvious types of counterfeits, such as a disposable Gmail account where the sender looks like “Bank of America”.

Koetsier: How much can you potentially save companies?

Tweney It really depends on how much email companies use and whether they consider their email identity to be an asset worth protecting or not. It is worth noting that 30% of the Fortune 500 are protecting their domains in this way, and 90% of the domains of the US federal government. USA

Koetsier: How does it affect each user’s email experience?

Tweney It makes the email you receive more reliable. If your bank is protecting your domain from spoofing with these tools, you can be assured that any message in your inbox that has the bank’s domain name in the From field is legitimately from your bank. If you wonder if a domain is protected or not, it is easy to verify it. You can enter any domain in our domain verifier here.

For example, I realize that your domain is still fake.

Koetsier: Is email usage still increasing or is it declining with Slack, Microsoft Teams etc.?

Tweney Email continues to grow. 3.9 billion people worldwide use email, more than half the world’s population of 7.7 billion. This will increase to 4.4 billion email users by 2023. 293 billion email messages are sent / received every day. (Growing to 347 billion by 2023.)

It is the latest open standards communication platform that is not controlled by any company. While people use it less for person-to-person communication, it is still one of the most effective forms of business-to-business and business-to-consumer communication.

Koetsier: How does this increase the deliverability of your own messages? How much increases that delivery capacity?

Tweney It is unlikely that it will make a big difference to consumers’ own messages. But for companies that use these tools to get to the DMARC application, deliverability increases by 10% or more, typically. In cases where a domain has been so counterfeited that inboxes around the world have given it a truly spammy reputation, the deliverability can increase much more. The UK Tax Revenue Service experienced an increase in deliverability from 18% to 98% only with the implementation of DMARC:

Koetsier: We tend to forget about email. How large is the attack surface … or what percentage of the company’s hackers originate from email?

Tweney 90% or more of all cybersecurity attacks originate from email. Many sources on that. Verizon’s Data Breach Investigation Report has consistently placed it as the vector for cybersecurity attack n. ° 1.

IT people tend to take the approach that this is a human engineering problem and that the solution is to better train users (“be careful when clicking”). This doesn’t work too well because phishing emails can be very difficult to distinguish from the real thing, even for sophisticated cybersecurity professionals. That’s doubly true when email appears to come from the domain of a trusted company. One type of phishing attack, commercial email compromise (BEC), is particularly pernicious. That’s when someone e-mails the CFO pretending to be a contractor the company works with, sending a new urgent invoice or new bank deposit instructions. Or when hackers send an email to an executive assistant pretending to be the CEO asking for a money transfer, or gift cards or something. The FBI attributes this to losses of $ 26 billion in recent years.

Koetsier: What are the individual risks of users and / or consumers, and how do you protect them from that?

Tweney By protecting the brands they trust, Twilio SendGrid – Valimail partnership helps make the emails those brands send more reliable. That means it’s less likely to be phishing by an email that appears to be from your bank, your movie streaming service, or your favorite e-commerce provider, but is actually a fake that comes from a phisher. In this way, you’re more protected against losing money from phishing scams, or worse, accidentally entering your login credentials on a phishing website designed to steal them.

Koetsier: Thanks for your time!