2FA and DMARC

2-factor authentication has become more vulnerable to attacks, making DMARC even more important. Recently, a researcher named Piotr Duszyński released an open source project that allows attackers to automate a phishing attack that bypasses 2-factor authentication. The new tool, named Modlishka, allows attackers to bypass all types of 2-factor authentication except hardware security keys […]

The Value (and Risk) of DMARC Quarantine

Protect your paycheck! Direct deposit makes depositing your paycheck automatic and simple… until something goes wrong. That’s what recently happened to several Wichita State University (WSU) employees. They received an email with a link prompting them to log in using their MyWSU ID and password. As it turned out, that was a phishing email that stole […]

Email Spoofing and your Bank

Alert!! STCU is warning members about a phishing email that is circulating in an attempt to steal login credentials from members. Phishing and Your Bank: According to the report, there is an “official-looking” email claiming to be from STCU (Spokane Teachers’ Credit Union) requesting that members click a link and log in to their account. Instead, […]

DMARC in Higher Education

There was another news article about universities that became the targets of a phishing attack. Unfortunately, it wasn’t a very big headline since it is all too common for a university to be targeted. An article from bleepingcomputer.com stated that a group of hackers continues to primarily target universities using a variety of phishing techniques. […]

Transmitters, Senders, Forwarders, Receivers, & Reporters

A basic DMARC report contains a list of IP addresses and whether those IPs passed or failed DMARC based on SPF and DKIM. Not all of the IP addresses belong in a domain’s SPF record; there are other reasons for an IP to be listed on a domain’s DMARC report. When analyzing DMARC data, it […]

How to Verify an Email’s Sender

You have an email. It looks legit and you really want to click that link, but how do you verify that it’s not a phishing scam (and you’re about to give away personal information, money, or access to your accounts or computer)? Phishing is becoming increasingly common, so it’s good to know how to identify a […]

Instant Setup Instructions For Cloudflare Users

Great News! Your domain registrar supports instant setup of DMARC reporting and SPF compression! Get started today without any complicated DNS changes. But how? In order to set up a domain with Fraudmarc, you need to have control of that domain; you need to be (or work for) the domain owner. This is because you’re […]

Instant Setup Instructions For GoDaddy Users

Great News! Your domain registrar supports instant setup of DMARC reporting and SPF compression! Get started today without any complicated DNS changes. But how? In order to set up a domain with Fraudmarc, you need to have control of that domain; you need to be (or work for) the domain owner. This is because you’re […]

Stop spoofing Gmail!

Almost everyone has a personal Gmail account, maybe two or three. But Gmail is not meant to be used by businesses to send email, even small businesses, even tiny businesses. Gmail obviously doesn’t want you to misuse their service like this. When you send your business email from [email protected], you are claiming to be gmail.com- […]

Failure/Forensic Report? What’s that?

What is a forensic report? There are two types of DMARC reports: the aggregate reports and the failure reports (also called forensic reports). Data from aggregate reports are included in most basic DMARC reports and can be viewed in Fraudmarc’s DMARC and senders reports. The failure reports are different; they provide insight into the email messages […]

The Emmy Results Really Could be Skewed

Nathan, this is for you: You may have seen the video in which Nathan Fielder interviews a voting security expert who describes a scenario that could be used to skew the results of the Emmys. The plan is very detailed and easy to carry out, although slightly complex. That may have left you with a […]

How to send a Spoofed Email

Sending an email from an email account that you don’t control is called email spoofing. The problem with spoofed messages compared to other phishing messages (e.g. Nigerian Prince schemes) is that spoofed emails usually impersonate someone the recipient trusts. Essentially, the attacker is claiming the “sender’s” identity and abusing their credibility to trick the victim […]

Phishing is NOT ‘OK’

The Oklahoma state auditor’s office has become the target of a phishing attack. We’ve been warning that state governments need to start using email authentication; this is exactly why! According to this article, there’s an email circulating claiming to be from the Oklahoma state auditor’s office (from someone named Kevin Anderson) that encourages recipients to […]

How to add Fraudmarc to your email authentication policies (General Guidelines)

It’s time to set up Fraudmarc on your domain. You’ve done everything else you can do- you added your domain, you… OK, so that’s all you’ve done so far. Nonetheless, you need to set up your domain with Fraudmarc now. But how?? Here are some *general* steps for making the necessary DNS changes to set […]

How (and Why) Fraudmarc Plans Are Hosted

You’ve added a domain to protect with Fraudmarc. Great! Welcome to Fraudmarc. The next step is setting up your domain with Fraudmarc. Here’s a little bit about how Fraudmarc works and why we’ve set things up this way. What does setting up my domain with Fraudmarc mean? To set up your domain with Fraudmarc, you […]

Why You have to Wait for DMARC

You just finished setting up DMARC for your domain. Congratulations! You’re on your way to securing your domain. Now, you have to… wait a little… We all hate waiting, but in this case it’s necessary to wait at first. DMARC has two main functions- reporting (for monitoring and configuration) and conformance (for controlling unauthenticated email). […]

Challenge: Does DMARC Really Increase Email Security?

We’ve been helping businesses with SPF, DKIM, and DMARC for years, so we’ve heard a lot about it. People like to make outrageous claims about it. As a result, there’s a lot of misinformation out there. We recently came across a claim we hadn’t heard before. This time, the claims are based on how DMARC […]

Another Successful Spear Phishing Attack

According to the Boston Herald, the Massachusetts Clean Energy Center fell victim to a business email compromise scam (BEC scam), which is a type of phishing attack also called spear phishing. Spear phishing? In spear phishing scenarios, the attacker sends an email to a particular individual, the victim, claiming to be another individual, the target. […]

A Brief History of DMARC

Fraudmarc is changing the way businesses think about email authentication by providing universal access to DMARC through free tools, free and paid options of hosted plans, and Fraudmarc CE, the open source version of Fraudmarc’s DMARC report processing. First there was email, then phishing. SPF and DKIM didn’t completely solve the problem, so DMARC was […]

How Fraudmarc Is Spreading DMARC Across the Internet

DMARC. It solves a widespread and costly problem, and it’s been around for over 6 years. So why is it still rare for domains to use its protection? Several factors interfere with proper DMARC implementation- It’s not well understood, the internet doesn’t always offer the best advice concerning DMARC, the default reports are not very […]

Fraudmarc CE: Open Source DMARC

DMARC has been around since 2012, yet adoption is still below 0.1% across the Internet… and spoofed emails still plague many businesses, damaging brand reputations and causing substantial loss. DMARC’s value as a security measure is widely recognized; governments have mandated it for their agencies, and tech companies that have DMARC policies have demonstrated its […]

2017 FBI Internet Crime Report

It all starts with phishing… This month, the FBI released its 2017 Internet Crime report, which details the amount and type of internet crime reported over the year. According to the report, 3 primary types of attacks were reported- Email Compromise: Attackers send fraudulent emails to victims requesting payments to fake locations (aka, phishing!) Tech […]

What DMARC Can (& Can’t) Do for Domains

Every domain should implement DMARC; it solves many email security problems. However, like all solutions, it has some limitations. It can’t completely protect domains from every type of phishing scheme or social engineering attack. As an open Internet protocol, DMARC is very clearly defined. It is a powerful tool for protecting brand identity. However, if […]

Overly permissive ‘all’ terms

+all your domain are belong to them When you allow email to be sent on behalf of your domain by anyone anywhere, then your domain does in a sense belong to anyone who wants it. A common error made by organizations in setting up their SPF records is the use of an overly permissive all […]

How to Implement a Reject Policy

If you don’t have a DMARC Reject policy on your domain, you’re not alone—97% of Fortune 500 companies don’t have a Reject policy, either. Following some basic guidelines can make implementing a Reject policy easier. Here’s what you can expect. (NOTE: before starting, it helps to know a little about these policies. If you want […]

DMARC and State Governments

You may have heard that the DHS mandated DMARC for all federal agencies last year. Many federal agencies are still working on it, despite the expired deadline. But what about state governments? There has been no mandate for state governments. We wanted to find out what states are doing (if anything) to protect their domains […]

Phishing Poses the Biggest Threat to Your Email According to a Google Study

It’s highly likely that you or someone you know has had a personal email or social media account hijacked at some point. Once hijackers gain access, they often then send out messages to your entire contact list to gain control of their accounts too. Such attacks expose a ton of sensitive personal data. Hijackers use […]

WARNING: Phishing attacks likely for Tax-Related Service Providers!

According to a study by the Global Cyber Alliance, some of the top tax-related service providers don’t secure their domains with DMARC, leaving them open to phishing attacks. Fraudmarc examines the email security scores of many top tax-related service providers. Email Authentication and Tax-Related Companies: DMARC has been around for almost a decade, and […]

Understanding Fraudmarc’s Email Security Scores

Fraudmarc ranks the security of every domain’s email using an Email Security Score. You can check the Email Security Score of any domain here. Why Evaluate Email Security? As phishing attacks become more sophisticated and frequent, email security is more important than ever. Fortunately, email authentication protocols exist to help businesses secure their domains […]

The Growing Risk of Phishing Attacks On Your Cryptocurrency Wallet

According to CoinMall, there are 4 ways that you could lose your cryptocurrency to phishing: email phishing, ads phishing, chat phishing, and unconventional methods (SMS phishing and targeted social engineering attacks). All of these phishing methods involve an attempt to trick you into entering your sensitive data into a malicious website. Mass email phishing and […]

Netflix’s use of DMARC reduced damage from huge email scam

You may be aware that, last Friday, scammers sent out a phishing email to up to 110 million Netflix subscribers. The email included a link to a fake Netflix website that asked users to log in and enter their credit card information. However, a clear indication of a scam can be found higher up on this […]

What is SPF?

SPF stands for “Sender Policy Framework,” and it is simply a list of IP addresses that you have allowed to send email on behalf of your domain. It is published in the form of a DNS TXT file (see “what is DNS”). SPF was developed in the early 2000s as an anti-spam protocol to stop […]

Multiple SPF records

Don’t fall for bad advice: The second most common SPF error made by organizations is publishing multiple SPF records for a single domain. This may be in part due to bad advice offered by various email service providers about setting up SPF records. People are sometimes told to create a new SPF record without anyone […]

DNS lookup limits on SPF records

It is easy to exceed the allowed number of DNS lookups: The most common SPF error made by organizations is having too many DNS-querying terms in their SPF record. The following SPF terms cause a DNS lookup: include, a, mx, ptr, exists, redirect. Each time these terms are found within an SPF record and within […]