The SolarWinds supply chain attack will likely prompt scores of compromised companies to send critical data breach notifications to their customers. But how many of these email notifications will go ignored, bounced or quarantined?
Even customers who no longer use a particular company's services, or have unsubscribed from its marketing communications, or have set emails from that company as spam must still receive these so-called "mandatory" emails. And so it is imperative that senders follow guidelines that make their vital communications as secure and trustworthy as possible.
Breached companies "have two problems," said Michael Landewe, Avanan co-founder and lead threat hunter. "It starts with being hit." Next, "you have to protect your customers because they are now a target. That’s your job. The way you respond is the way you retain your customers."
Consequently, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) last week released best-practices recommendations for sender organizations on securely delivering mandated emails. The organization also shared with SC Media a separate set of recommendations for the recipients of these emails.
“The number of data breaches over the last few years, as well as updates to privacy legislation around the world, have sparked discussions among the sender community at M3AAWG on how to effectively handle these mandated email communications,” said Tara Natanson, senders committee co-chair at M3AAWG.
“Oftentimes, the legal requirements placed on companies to conduct mass contact campaigns cut directly against established best practices," Natanson continued. "Sending an email to people who have opted out could result in a negative impact to an otherwise good sending reputation. Establishing norms and guidelines for how to properly send these kinds of communications arms senders with best practices, ensuring that recipients who need this information have the best chance of receiving it.”
“The simple fact of the matter is that the people who make laws requiring contact via email don't necessarily understand these best practices. Thus industry associations, such as M3AAWG, find ways to make this work through ecosystem dialogue and partnerships.”
Tips for senders
Natanson said that when mandated emails must go out, a company affected by a breach or recall "has very little time to plan a communication,” yet “they must comply with regulations in multiple jurisdictions, all of which require notification to happen as quickly as possible so users, active or otherwise, can take actions to protect themselves. The company then creates an email with the legally required language and information, and sends it to everyone who has ever opted in to receive emails, and those that have opted out too because the law requires everyone to be contacted.”
That's why the M3AAWG is now offering companies "a playbook and game plan for how to do this in as efficient a manner as possible,” she explained. By following these instructions, senders can avoid major missteps that might otherwise lead recipients to mistake a vital notification for a nuisance communication.
According to the M3AAWG's best practices document, companies should first weigh the importance and necessity of sending mandated email messages against “the potentially abusive nature of the messages and how frequently they occurred.” Should senders decide to proceed, the M3AAWG suggests that mandated emails be protected via Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting & Conformance (DMARC) and Transport Layer Security (TLS).
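What "protected via SPF and DMARC" means at the DNS level can be made concrete with a small linter. The following Python is an added example, not code from the M3AAWG document or from SC Media: it parses a sender domain's SPF and DMARC TXT records and reports the settings a receiving mail system would treat as weak, showing a loose pair of records beside a hardened pair. The records and the example-bank.test domain are constructed for illustration; DKIM signing and TLS are configured on the mail server rather than in these records and are not covered here.

```python
"""Lint SPF and DMARC TXT records for a domain that sends mandated notifications.

Added example (not from the M3AAWG document or SC Media). All records and the
domain example-bank.test below are constructed for illustration.
"""
import re

# Constructed sample records: a weak pair beside a hardened pair.
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.esp.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-rua@example-bank.test"


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for a v=spf1 record.

    mechanisms is a list of (qualifier, name, value) tuples, e.g. ("+", "ip4",
    "203.0.113.0/24"); all_qualifier is the qualifier on the 'all' term or
    None when the record has no 'all' term. Raises ValueError on bad input.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        m = re.match(r"^([+\-~?])?(\w+)(?:[:=](.+))?$", term)
        if not m:
            raise ValueError(f"unparseable SPF term: {term}")
        qualifier = m.group(1) or "+"          # SPF's default qualifier is '+'
        name, value = m.group(2).lower(), m.group(3)
        if name == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, name, value))
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Return the tag=value dict of a v=DMARC1 record; raise ValueError otherwise."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"unparseable DMARC tag: {part}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def lint_sender_records(spf_record, dmarc_record):
    """Return a list of findings describing why the records give receivers
    less assurance than a mandated-notification sender would want."""
    findings = []
    mechanisms, all_qualifier = parse_spf(spf_record)
    if all_qualifier in ("+", None):
        findings.append("SPF: 'all' is missing or '+all'; any host passes SPF for this domain")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral, so receivers get no signal from SPF")
    if not mechanisms:
        findings.append("SPF: no sending sources are listed")
    tags = parse_dmarc(dmarc_record)
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none only monitors; spoofed notifications are still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so the sender never sees aggregate spoofing reports")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, lint_sender_records(spf, dmarc) or ["no findings"])
```

Run against live records by fetching the TXT records for the domain and for `_dmarc.<domain>` and passing them in; the weak pair above yields three findings and the hardened pair none.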
The document also says companies should consult with email service providers (ESPs) about any “technical requirements and solutions to help maximize the message’s effectiveness and minimize its impact on the organization’s IP and domain reputation.” (The guidelines also include separate tips for the ESPs.) Moreover, the sender should communicate with its legal team and regulators as well.
Senders should consider utilizing a new email alias that’s separate from their normal marketing email address; that way, the important message isn’t mistaken for a typical sales email. The email should come from a recognizable company-branded sender domain, but not a newly registered cousin domain or spun-off variant of the usual domain. Otherwise, “this could run the risk of having no reputation and no sending history, thereby decreasing the likelihood that messages would reach their intended recipients," said Natanson.
"They should send it from their own trusted domain, from the same servers that they have always sent from and are already trusted by most providers," concurred Landewe. "Immediately, hundreds, if not thousands of fake domains will pop up" looking to phish users by imitating the company, he added. But in a genuine email, "All the pertinent details should be publicly available without having to put in credentials."
Regarding content, the subject line should indicate that it’s an important notification from your specific company, and the body should avoid links and marketing content as much as possible, the M3AAWG cautions.
"The simpler the email, the better," said Landewe. "It’s better to tell users that because of potential scams, you should go to our trusted website, which has the information clearly displayed. The message should say: 'Please log into your account for more information,' or 'Log in and check your messages' or 'Log in to your account and look for the Breach Updates link at the top of the page.'"
The M3AAWG also recommends that sender organizations ensure that all their employees keep their communications consistent, and that the same message is also distributed via non-email-based communications, such as websites, text, phone or social media.
But it's not just email communications that can sow confusion. Landewe recalled how Equifax, after its 2017 breach, executed a "textbook example of what not to do: They... created a new website called equifaxsecurity2017.com. It was so easy to spoof that, immediately afterward, someone created securityequifax2017[.]com almost instantly. Then, the Equifax corporate Twitter feed started sending out the fake URL to users."
Meanwhile, the legitimate breach web page was "created hastily and looked fake," Landewe continued. "Some of the fake websites actually looked more legitimate because they stole content from the real Equifax pages."
Tips for recipients
SC Media asked the M3AAWG if the organization could also offer any recommendations for companies on the receiving end of mandated emails, including security teams responsible for protecting inboxes from spam and malware threats.
Can secure email gateways and filtering solutions be safely configured in such a way that important mandated emails are not filtered out and reach their intended recipient? And how can recipients safely determine if a mandated email is genuine or a threat? (Earlier this year, SC Media reported on how companies can suffer productivity loss when employees fail to respond to legitimate emails out of fear that they could be a scam.)
“The best advice I can offer to receiving organizations is to set up your systems to check for authentication and treat mail accordingly,” said Natanson. “A smart user should always be wary of any message asking for personal info. If a message is properly authenticated from a trustworthy domain, they can feel a bit better about it. If a recipient is unsure, they should reach out to their IT staff.”
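One way a receiving organization can "check for authentication and treat mail accordingly" is shown in the following Python, an added example rather than anything from M3AAWG or Avanan. It reads the Authentication-Results header that the organization's own gateway stamped on an inbound message, confirms that the DMARC result covers the visible From domain, compares that domain with the senders the organization already trusts, and routes the message to delivery, to quarantine for IT review, or to rejection. The lookalike check reflects the cousin-domain warning earlier in the article. The three messages, the trusted-domain list and the mx.receiver.test gateway name are constructed; the domain-resemblance test is a deliberately simple heuristic.

```python
"""Triage an inbound notification by its Authentication-Results header.

Added example (not the M3AAWG's or Avanan's code). The messages, the trusted
sender list and the gateway name mx.receiver.test are constructed.
"""
import re
from email import message_from_string

TRUSTED_SENDER_DOMAINS = {"example-bank.test"}   # constructed: known notification senders
AUTHSERV_ID = "mx.receiver.test"                 # only trust results our own gateway added

SAMPLE_GENUINE = """\
From: Example Bank Security <security-notice@example-bank.test>
To: user@receiver.test
Subject: Important notice from Example Bank about your account
Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=example-bank.test;
  dkim=pass header.d=example-bank.test; dmarc=pass header.from=example-bank.test

Please log in to your account and check your messages.
"""

SAMPLE_LOOKALIKE = """\
From: Example Bank <alerts@example-bank-security.test>
To: user@receiver.test
Subject: Important notice from Example Bank about your account
Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=example-bank-security.test;
  dkim=pass header.d=example-bank-security.test; dmarc=pass header.from=example-bank-security.test

Please log in to your account and check your messages.
"""

SAMPLE_SPOOFED = """\
From: Example Bank Security <security-notice@example-bank.test>
To: user@receiver.test
Subject: Important notice from Example Bank about your account
Authentication-Results: mx.receiver.test; spf=fail smtp.mailfrom=example-bank.test;
  dkim=none; dmarc=fail header.from=example-bank.test

Please log in to your account and check your messages.
"""


def parse_auth_results(value):
    """Return (authserv_id, {method: (result, {prop: value})}) for an
    RFC 8601 Authentication-Results header value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]
    results = {}
    for stanza in parts[1:]:
        tokens = stanza.split()
        method, result = tokens[0].split("=", 1)
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val.lower()
        results[method.lower()] = (result.lower(), props)
    return authserv_id, results


def from_domain(msg):
    """Lower-cased domain of the visible From address, or '' if absent."""
    m = re.search(r"@([\w.-]+)>?\s*$", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""


def triage(raw_message):
    """Return (disposition, reasons); disposition is 'deliver', 'quarantine' or 'reject'."""
    msg = message_from_string(raw_message)
    header = msg.get("Authentication-Results")
    if header is None:
        return "quarantine", ["no Authentication-Results header from our gateway"]
    authserv_id, results = parse_auth_results(str(header))
    if authserv_id != AUTHSERV_ID:
        return "quarantine", [f"results stamped by {authserv_id}, not our gateway"]
    domain = from_domain(msg)
    dmarc_result, dmarc_props = results.get("dmarc", ("none", {}))
    reasons = []
    if dmarc_props.get("header.from") != domain:
        reasons.append("DMARC result does not cover the visible From domain")
    elif dmarc_result != "pass":
        reasons.append(f"dmarc={dmarc_result} for {domain}")
    if domain not in TRUSTED_SENDER_DOMAINS:
        reasons.append(f"{domain} is not a known notification sender")
        # Cousin-domain heuristic: the brand token of a trusted domain inside an untrusted one.
        for trusted in TRUSTED_SENDER_DOMAINS:
            if trusted.split(".")[0] in domain:
                reasons.append(f"{domain} resembles trusted domain {trusted}; possible lookalike")
    if not reasons:
        return "deliver", ["authenticated and aligned from a trusted domain"]
    if domain in TRUSTED_SENDER_DOMAINS and dmarc_result == "fail":
        return "reject", reasons        # claims a trusted domain but fails its DMARC check
    return "quarantine", reasons        # hold for IT review, as the advice above suggests


if __name__ == "__main__":
    for label, sample in (("genuine", SAMPLE_GENUINE), ("lookalike", SAMPLE_LOOKALIKE), ("spoofed", SAMPLE_SPOOFED)):
        print(label, triage(sample))
```

The gateway-name check matters: Authentication-Results headers added upstream by someone else are just text, so a receiver should only act on the copy its own border system wrote (and strip any pre-existing copies at the border). A lookalike domain that passes its own DMARC is held for review rather than rejected outright, because a genuine sender that ignored the cousin-domain advice would look the same.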
Natanson also recommended training for employees to help them recognize legitimate communications from partner organizations. Beyond that, Landewe said that when one of your third-party partners or software providers is breached, a shrewd step is to "reach out to your IT team and notify that some vendors are likely to reach out about a potential breach."
"Another general rule is to remind users to not click on links," said Landewe. For instance, recently, "we found a vaccine-related announcement purporting to be from BioNTech, Pfizer’s partner in its vaccine. In the spam email, they point to a website called biontechvaccines[.]org. But the real website is biontech.de. Alerting users to these types of scams and training them to go to Google instead and find the home page is much safer and more effective."
Over the past 15 years, the M3AAWG's members have developed an array of best practices for email recipients designed to ensure legit emails reach their intended inboxes, noted Natanson.
“Additionally, through our meetings, M3AAWG members have created communication paths among peers to help avoid delivery issues," she said. "Neither of these can account for every messaging campaign or operation of course, and so we invite current and interested future members to continue working on initiatives that programmatically create a more assured user experience.”