by Gerasim Hovhannisyan, CEO and co-founder, EasyDMARC
Charities are lifelines for the most vulnerable people in society. They have proved essential during Covid-19, the cost-of-living crisis and following natural disasters such as the earthquakes in Turkey and Syria earlier this year. Their domestic and international efforts have been and continue to be crucial during times of hardship.
Like all organizations, charities are digitizing. They are offering online services and fundraising opportunities, meaning reliable and trusted digital infrastructure is increasingly important. But as their digital footprint has increased, so has their vulnerability.
For example, following the Turkey-Syria earthquakes prompted cyber actors to disguise themselves as charities to deploy phishing attempts, taking advantage of people’s emotions and those truly trying to help those affected by the earthquakes.
Similarly, charities’ email inboxes are vulnerable to phishing emails, leading to potentially devastating ransomware attacks or data breaches, which could cost them reputationally and financially. But, most importantly, it can stop charities from supporting those who rely on their help.
With dubious emails and phishing attacks being a gateway for many problems, the non-profit sector needs to implement technical tools to deal effectively with unwanted emails.
Why is technology such as email authentication so valuable?
What kind of email authentication technologies exist, and how can non-profit organizations implement email authentication tools?
SPF, DKIM, DMARC, and thorough authentication
To fully protect themselves, charities must implement the email authentication technology trifecta – SPF, DKIM and DMARC. These three technologies have different functions that together provide a defensive barrier for email inboxes.
When an organization uses Domain-based Message Authentication, Reporting, and Conformance (DMARC) on their domains, it means that the sender can identify legitimate emails by verifying those from protected domains.
When a DMARC email comes into the receivers’ inbox, it allows the automation of reporting, quarantining or rejecting non-legitimate emails.
For DMARC to operate, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) must be enabled.
SPF is crucial as it logs all the servers that are permitted to send emails from a domain. At the same time, DKIM signs all legitimate outbound emails with a cryptographic key.
Using SPF, DKIM, and DMARC together provides an almost foolproof solution to the majority of domain impersonation for phishing attempts.
Why email authentication is crucial to stopping phishing
Phishing emails are a common gateway for ransomware attacks, financial scams and data breaches. That means being proactive and stopping potentially destructive phishing emails before they can enter a user’s inbox is key.
In 2022, 97% of companies received at least one phishing attempt via email. With that in mind, email security leaders are increasingly focused on preventing the distribution of phishing emails.
Likewise, to stop malicious emails from landing in inboxes, charities should turn towards guiding phishing emails well before they reach a user’s inbox.
Email authentication allows for a self-service implementation that creates a transparent email ecosystem, ultimately resulting in a faster rejection process for phishing emails.
The authentication of emails will become even more important to charities with the advent of new tools, such as generative AI, which has sparked concern in the cybersecurity space. AI technology has empowered cyber actors to create targeted and well-composed emails in bulk.
The non-profit sector is falling behind
Non-profit organizations are attractive targets for cyber actors. It’s well-known that charities have limited funding and are more likely to favor spending these funds on frontline charitable work rather than ploughing it into resources, training, and technologies that help protect against cyber threats.
That’s not all. Charitable organizations often rely on volunteers who bring their own devices instead of relying on centrally issued IT equipment.
As a result, there is no unified standard of cyber defenses across IT equipment, meaning cyber actors can easily compromise access points.
Despite the sector’s vulnerability, recent research has revealed that only 1.2% out of almost 10 million .org domains have implemented DMARC to decrease the risk of phishing attacks out of 9.9 million .org email domains reviewed.
DMARC is designed to prevent phishing by automatically flagging and blocking any incoming emails that are believed to be spoofed.
However, for it to be effective, organizations must configure their systems to a “reject” policy which automatically blocks suspicious emails before they reach a recipient’s inbox.
With a “quarantine” policy, the messages are permitted but directed to the spam folder, while “p=none” allows all suspect emails through.
Unfortunately, the study found that 45.6% (171,486) of the 3.8% of global .org domains with DMARC had been improperly configured, resulting in organizations being unaware of received or blocked emails.
By continuing to leave inboxes unprotected from fraudulent emails, cybercriminals won’t stop viewing non-profit organizations as low-hanging fruits with high rewards.
Why email authentication comes out on top
When it comes to cybersecurity, there are three branches – people, process and technology. So it prompts the question, why does email authentication technology come out on top?
Email authentication can be more effective than cyber security training in preventing phishing attacks. Most phishing campaigns involve domain impersonation, where the phishing email sender impersonates a legitimate domain.
Therefore, email authentication ensures emails from domains are verified, and any unverified emails are rejected or directed to the spam folder, avoiding human error or lack of awareness that can occur if people are relied on solely to identify dubious emails.
Human error may be exacerbated at charitable organizations that often have a sizeable proportion of part-time staff, including volunteers, who may need more security training and awareness.
Authentication methods like DMARC, SPF and DKIM are crucial to preventing the risks attached to phishing emails. This makes email authentication an important part of any non-profit’s cybersecurity strategy.
The benefits of email authentication
Implementing email authentication tools is vital to the stable running of non-profit organizations and, in turn, benefits all people working with or benefitting from charities.
For non-profits, it is important that their reputations remain intact. Emails from a spoofed domain that leads to a hacking incident can severely damage their standing within their community.
An email authentication policy can protect their domain reputation from being negatively affected by malicious actors who use fake domains to impersonate them and launch phishing attacks.
Moreover, deploying DMARC can aid organizations in enhancing email authentication, ensuring that legitimate emails are sent directly to the intended recipient’s inbox.
This can be particularly significant for email campaigns developed to support a cause, as it ensures they receive maximum visibility and do not end up in the spam folder.
The benefits of email authentication go beyond supporting non-profits. Donors also benefit from email authentication as non-profits are often entrusted with sensitive personal and financial donor information, which requires adequate security measures to safeguard.
Email authentication adds an extra layer of security, protecting sensitive data from being compromised as a result of phishing, spoofing, or other email-based hacks.
Email authentication is critical for non-profit organizations and should not be viewed as optional but as a necessary layer of security. However, it should be implemented correctly.
Proper implementation of email authentication tools and policies can reduce the risk of costly cyber-attacks and phishing attempts that can lead to the compromise of both the non-profit’s and donors’ sensitive personal information and the loss of funds.