Cybercriminals capitalize on kindness. Because charities handle large amounts of money and tend to fall behind other industries when it comes to adopting the latest cybersecurity defenses, they are prime targets for cyber attackers to take advantage of human generosity. Imagine this: A malicious actor creates a fake email address that impersonates your organization and sends a mass phishing email asking for donations. Several people contribute money to what they believe is your reputable foundation — and suddenly, donations intended to provide a backpack to a foster child, rebuild a community struck down by wildfires, or clean plastic out of a river are instead pocketed by a criminal. Successful brand impersonations can severely damage reputation, lose major donors, and most importantly, steal money away from the cause at hand. DMARC helps by protecting charitable institutions from being spoofed in phishing attacks. And when it comes to sending legitimate email to patrons, DMARC can also improve email deliverability, streamlining vital communication and advancing your cause.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol used to protect an organization’s email channel from spoofs, phishing scams and other email-borne attacks. Established by Google, Yahoo!, Microsoft and others in 2012, DMARC builds on existing email authentication techniques SPF and DKIM to strengthen your domain’s fortifications against fraudulent use. DMARC is the best way for email senders and receivers to determine if a given message is authentically from the sender and decide what to do if it is not. It also helps improve your organization’s email deliverability to the inbox, meaning you can reach more people more often.
Malicious actors often use the goodwill of charities and nonprofits against them in times of chaos. During the coronavirus pandemic in 2020, cybercriminals spoofed the World Health Organization’s (WHO) domain, sending thousands of fake emails that asked recipients for donations for coronavirus relief. Unfortunately, this was not an isolated incident — the impersonation of charities and other nonprofits is a common trend during and after crises. Once these phishing scams are uncovered, donors may be hesitant to support your organization or even open your emails when they appear in the inbox. Charities must do everything in their power to protect against criminal acts that hinder the flow of aid where it is most needed.
As a charity, you want to be sure that you’re fully focused on helping those in need and making the world a better place. But this very same laser focus on the charitable work itself has often left blind spots in charities’ cybersecurity measures. A study of 78,000 charity domains in the UK found that less than 1% of UK charities are protected against email impersonation. Additionally, a global study of nonprofit organizations in general found equally concerning results. In Canada, 95% of nonprofit organizations have not adopted a DMARC policy at all, followed by Australia (92%) and the U.S. (91%). In each of these countries, less than 1% of nonprofit organizations had a DMARC policy set to reject, the highest level of brand protection. Cyber attackers are aware of this vulnerability within the global charity sector, which is why it’s crucial to stay one step ahead by implementing a DMARC policy on all owned domains.
Patrons put their trust and money in the hands of charities, so it’s absolutely vital to secure all channels of communication and ensure that donations reach their intended destination. DMARC empowers your organization to take control of its email domain while experiencing the following benefits:
Online brand protection: Charitable organizations are common targets for cybercriminals to impersonate for malicious purposes. DMARC protects your brand’s integrity by keeping your organization out of their arsenal of easily spoofable email domains.
Increased email deliverability: By deploying DMARC authentication, you signal to email receivers that your organization’s emails are legitimate, ensuring they’re delivered to the inbox rather than blocked or sent to the spam folder.
A published policy that instructs ISPs and other email receivers to deliver, quarantine or reject emails: With DMARC, you decide whether potential abuses of your email domain are solely reported back to you without further action (p=none), quarantined for further review (p=quarantine) or, the gold standard, automatically rejected (p=reject).
Greater visibility into cyber threats: DMARC’s reporting capability enables you to monitor all authorized third parties that send emails on your behalf, alongside those that are not authorized. This helps ensure compliance with security best practices and aids investigations into email security or phishing issues.
95% of all cyberattacks start with email, and of those email-borne attacks, 91% are phishing scams. Why? The hard secret of email is that because it is so easy to set up, it’s easy for cybercriminals to create a fake email account that exploits your organization’s email domains. Countless reputable charities have been exploited by criminals to execute phishing and BEC attacks on kind and generous individuals. Because charities rely so heavily on credibility and trust, any association with criminal phishing campaigns can be devastating, especially when it could have been prevented by enforcing stricter security standards like DMARC.
In order to achieve maximum return on your DMARC investment, charitable organizations must complete the necessary steps to correctly implement DMARC. Domain owners must kick off and manage a DMARC project, which includes discovering all of your owned domains, learning what legitimate services are sending email on your behalf, properly configuring those services from an SPF and DKIM perspective, and of course publishing a DMARC record (try our DMARC Record Generator). DMARC Analyzer offers different levels of tailored services to help guide your organization through the process. Though DMARC is a key part of any cybersecurity program, it is not a standard that can be deployed, configured, activated, and then forgotten. After DMARC has been successfully implemented, with the policy set to “reject” for all of your domains, it’s imperative that your organization establishes a program of ongoing monitoring: new third-party senders appear, and the aggregate reports are the only way to notice them before legitimate mail is rejected. In 2020, Mimecast embarked on its own journey to use DMARC across all of its owned domains. The project was documented in a three-part blog series for other organizations to use as a resource.
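To make the policy levels and the ongoing-monitoring step concrete, here is an added example (not code from the original post or from DMARC Analyzer) that parses a constructed DMARC TXT record for a hypothetical domain, reads a constructed excerpt of an aggregate (RUA) report in the RFC 7489 XML layout, and lists which sending sources failed authentication, which is exactly what a charity reviews before moving from p=none to p=reject. The domain, IP addresses and counts are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC TXT record for a hypothetical charity domain (monitor-only policy).
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-charity.org; pct=100"

# Constructed excerpt of an aggregate (RUA) report: one legitimate sender, one spoofer.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example-charity.org</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>45</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>"""


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict; reject anything that is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def enforcement_level(tags):
    """The published policy: 'none' (report only), 'quarantine' or 'reject'."""
    return tags["p"].lower()


def summarize_rua(xml_text):
    """Map each source IP to (message count, passed), where passed means
    an aligned DKIM or SPF pass as evaluated by the receiver."""
    root = ET.fromstring(xml_text)
    summary = {}
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        summary[ip] = (count, passed)
    return summary


def unauthenticated_sources(summary):
    """Sources that would be quarantined/rejected once the policy is tightened."""
    return sorted(ip for ip, (_, ok) in summary.items() if not ok)
```

Each unauthenticated source is either a legitimate service still missing SPF/DKIM configuration (fix it before tightening the policy) or a spoofer that a p=reject policy will stop.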