Tech companies collaborate to fight phishing
Email, technology and financial service providers join together to create tools to cut fraudulent mails
A group of leading email service providers, technology providers and financial institutions has announced the formation of a working group to help combat the threat of phishing.
The DMARC.org (Domain-based Message Authentication, Reporting and Conformance) technical working group will look at developing standards that help to cut down the number of deceptive emails, and has already been working in private for 18 months on email authentication solutions.
The group includes AOL, Gmail, Hotmail, Yahoo!, Facebook, LinkedIn, Bank of America, Fidelity Investments and PayPal.
"Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole," said Brett McDowell, chair of DMARC.org and senior manager of Customer Security Initiatives at PayPal. "Industry cooperation - combined with technology and consumer education - is crucial to fight phishing."
The group will primarily look to develop a standards-based framework that provides a feedback loop between sender and receiver, to better authenticate mail at an infrastructure level. At present, an email receiver has no way to know whether a sender is using standards such as SPF and DKIM to authenticate its messages, so there is no simple or reliable way to separate legitimate but unauthenticated messages from possibly fraudulent ones.
By introducing a standards-based framework, DMARC has defined a more comprehensive and integrated way for email senders to introduce email authentication technologies into their infrastructure. For example, a sender could set policies to easily request a provider to discard unauthenticated email in order to block phishing attacks. The specification also creates a mechanism for email providers to send detailed reports back to email senders to help catch any gaps in the authentication system. This feedback loop raises the trust level within the email ecosystem and makes it easier to detect and stop phishing attempts.
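The sender policy and feedback loop described above can be sketched as a receiver-side check. This is an added example, not code from the article or from DMARC.org: the tag names come from the DMARC specification as later published (RFC 7489), the record, domains and messages are constructed, and relaxed alignment is simplified to "both domains sit under the policy domain" instead of a public-suffix lookup.

```python
# Added example. Tag names (v, p, rua, adkim, aspf) follow the published DMARC
# specification (RFC 7489); the record, domains and messages are constructed.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if not txt.strip().startswith("v=DMARC1") or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def aligned(auth_domain, from_domain, org_domain, mode):
    """Strict: exact match. Relaxed (simplified): both domains sit under org_domain."""
    a, f, o = (d.lower().rstrip(".") for d in (auth_domain, from_domain, org_domain))
    if mode == "s":
        return a == f
    return all(d == o or d.endswith("." + o) for d in (a, f))

def evaluate(record_txt, org_domain, msg):
    """Receiver-side decision for one message whose From: domain published record_txt."""
    policy = parse_dmarc(record_txt)
    if policy is None:
        return {"dmarc": "none", "disposition": "deliver", "report_to": None}
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["spf_domain"], msg["from_domain"], org_domain, policy.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(
        msg["dkim_domain"], msg["from_domain"], org_domain, policy.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail",
            "disposition": "deliver" if passed else
                           {"none": "deliver"}.get(policy["p"], policy["p"]),
            "report_to": policy.get("rua")}

# Constructed messages: a signed legitimate mail, and one whose SPF passes only
# for an unrelated envelope domain while From: claims example.com.
LEGIT = {"from_domain": "example.com", "spf": "fail", "spf_domain": "relay.example.net",
         "dkim": "pass", "dkim_domain": "mail.example.com"}
SPOOF = {"from_domain": "example.com", "spf": "pass", "spf_domain": "example.net",
         "dkim": "none", "dkim_domain": ""}

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("spoof", SPOOF)):
        print(name, evaluate(RECORD, "example.com", msg))
```

With `p=none` in place of `p=reject`, the same failing message is delivered but `report_to` is still returned, which is how a sender can find authentication gaps before asking receivers to discard mail.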