Why Trust is Key to Solving The Phishing Crisis





When phishing first arose from the depths of the dark web many years ago, these once simple attacks were lumped together in the same category as spam. Like spam, phishing emails were simply seen as unwanted emails. They just took things a step further by clumsily trying to get users to divulge their AOL login details. However, it’s been over twenty years since the dawn of the phishing era, and phishing attacks have grown more pervasive, more pernicious, and more sophisticated. And yet, many email experts still tend to classify phishing in the same family as spam. It may seem like splitting hairs, but sticking with this outmoded conception of phishing breeds a dangerous sense of complacency. It’s an attitude that keeps the security world stuck in an antiquated model of anti-phishing defense.

Recent studies show that 80 percent of IT professionals are very concerned about the state of their companies’ ability to reduce email-based threats.

Today’s content filtering-based techniques have evolved: The signatures for detecting malware have been updated. The algorithms for analyzing malicious content have advanced. But the model remains unchanged, which means most organizations are only looking at “what” emails contain and not “who” those messages are coming from. Unfortunately, that approach remains highly ineffective in stopping today’s advanced, socially engineered breed of phishing attacks, which rely on impersonations instead of (or in addition to) malicious content. Unlike spam, the modern phishing email doesn’t always contain identifiably malicious content. In fact, many phishing messages today don’t contain malware or malicious links at all, and their content may be virtually indistinguishable from a legitimate email. What’s more, modern phishing attacks are able to hide in plain sight within an increasingly complex email ecosystem. When the typical enterprise sends authorized emails from as many as 30 to 50 different

cloud-based applications, it becomes that much easier for the bad guys to fly under the radar. After all, they’re just another service using the organization’s domain to send email. The only way to defend against these modern phishing attacks is to use a new model for recognizing these attacks and establishing trust.


Phishing works today because email inboxes generally allow delivery of most incoming messages. No special privileges are required to get into an inbox, and messages are usually delivered regardless of what domain, service, or user account they originated from. This stands in marked contrast with almost every other modern form of information exchange or transaction. In most cases, we must establish trust through some form of authentication to verify we are who we say we are, and that we’re authorized to carry out the interaction. At the ATM we use PINs to prove our


connection to a bank account, at the airport we use passports to verify our identities, and in the checkout line we use credit cards equipped with special chips to authorize a transaction. No such verification is required of email senders to prove they are who they claim to be before dumping a message in someone’s inbox. Attackers increasingly take advantage of this lack of email identity verification to great effect. Last year the volume of worldwide phishing attempts doubled1. And as that volume increases, so does the sophistication and efficacy of these attacks. Since 2016 the impacts of phishing have increased significantly. In that time, phishing-initiated credential compromises have increased almost four-fold, loss of data has more than tripled, and malware infections have nearly doubled2. Meantime, the stakes for maintaining the integrity of the email ecosystem grow higher by the day. More than ever, email is where business gets done. Businesses use SaaS platforms to sign contracts, to process payroll, to share documents, and more. And across all of these disparate systems, the way users are notified of updates or prodded for action invariably comes back to email. Organizations need to close the email trust loophole. To protect their users and stop phishing, they need a Trust Layer — a layer in a multi-layered security model that affords inbox access only to senders that have been verified as trustworthy.

To learn more about the importance of a layered defense model to stop phishing, check out A layered defense to stopping phishing attacks.



The good news is that technical leaders in the email community have created infrastructure that makes it easier to verify that email senders are who they claim to be. Enforcing a standard of domain authentication called DMARC (Domain-based Message Authentication, Reporting, and Conformance) allows enterprises to ensure that only authorized senders can send email from their domain. This provides a valuable mechanism for maintaining brand integrity and for protecting internal users from being tricked by attackers impersonating co-workers or bosses. However, DMARC enforcement doesn’t entirely eliminate phishing attacks. That’s because it can’t stop untrusted email sent from domains that an enterprise doesn’t own. This means that any malicious phish sent from random Gmail or Yahoo account, or from accounts like amaz0n.com or spotifly.com, will still make it to the inbox. The new layer of trust for email must be able to vet the source of an email no matter whether it comes from inside or outside the organization. At the end of the day, it should offer a deterministic model where trusted messages can be mapped to a person or entity that can take legal responsibility for the message, and all other messages are considered untrusted and are therefore blocked or quarantined.

CONCLUSION Modern email needs a Trust Layer in order to eliminate modern phishing attacks. An anti-phishing company that originated the concept of the Trust Layer, Valimail closes the gaps left open by traditional email security approaches. Valimail provides customers a completely automated, cloudbased solution that blocks emails from deceptive, untrusted domains. Fake phishing emails sent from lookalike domains as well as friendly-from attacks are always blocked with no false positives.



This deterministic, domain identity-based approach removes the guesswork and catchup required with content filtering and AI/ML-based solutions. And because it doesn’t require inspection of the contents of email messages, it doesn’t violate user privacy. Contact us to learn more about the Valimail Trust Layer and receive a complimentary Phishing Analysis for your organization.





Valimail is an anti-phishing company that has been driving the global trustworthiness of email communications since 2015. The Valimail Trust Platform is a comprehensive solution for stopping fake email, protecting brands, and helping ensure compliance. Our uniquely authoritative anti-phishing approach protects customers’ own brand against impersonation globally and also protects them from malicious emails by ensuring that only trusted domains are allowed into the inbox. Valimail has won more than a dozen prestigious cybersecurity technology awards and authenticates billions of messages a month for some of the world’s biggest companies, including Uber, Fannie Mae, WeWork, and the U.S. Agency for International Development.