Banks need to implement e-mail authentication protocols to help prevent e-mail fraud. Specifically, a bank should publish a Sender Policy Framework (SPF) record for its domain (a DNS record listing the mail servers authorized to send on the domain's behalf, so that receivers can detect forged sender addresses); deploy cryptographic protections such as digital signatures and encryption; and control and monitor its brand domain names. Internet service providers (ISPs) often reject e-mail from derivative domains (subdomains and look-alike variants of the brand name), and a receiver can only check a message against the record of the domain it claims to come from, so banks should standardize their "from" lines on the domain whose authentication records they publish.
Banks also should empower the customer/recipient in the fight against e-mail fraud. To do this, banks should provide easy and conspicuous access to preference pages and their privacy policies, allowing recipients to understand and control their preference information, including the ability to opt out or change messaging frequency and content. In addition, banks should incorporate e-mail change-of-address links and preference selection information in all messaging.
From a detection perspective, while many banks have incorporated fraud and spoofing education content on their Web sites, they also should allow customers to report suspicious e-mails or forward them for analysis. Banks should also implement internal systems to publish both their legitimate campaigns and the fraudulent messages currently in circulation to the frontline employees who respond to customer questions and concerns, so those employees can tell a customer whether a given message is genuine.
Two major initiatives have been developed to address the requirement that senders of e-mail be authenticated: the Sender ID Framework (SIDF), championed primarily by Microsoft and AOL, and DomainKeys Identified Mail (DKIM), championed primarily by Yahoo and Google. SIDF, like SPF, checks the connecting mail server against a list of authorized senders that the domain owner publishes in DNS; DKIM instead attaches a digital signature to each message that the receiver verifies against a public key published in the signing domain's DNS. Both provide a foundation for distinguishing legitimate e-mail, and thus a means of associating a verifiable identifier with a message.
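The sender-authorization side of these checks (the SPF record from the first paragraph and the SPF-style record that SIDF evaluates) comes down to a receiving mail server looking up the claimed domain's record and testing the connecting IP address against it. The following is an added example, not code from the article or from any of the vendors it names: a minimal SPF evaluator in Python that works over a constructed, in-memory DNS table (all domain names and addresses are hypothetical) so it runs offline. It shows the five outcomes a receiver can record, why a look-alike domain that publishes no record yields "none" rather than "fail" (which is why the "from" domain must be the one that publishes the record), and how the standard's lookup budget stops a self-referencing record from recursing forever. DKIM's signature verification is a separate mechanism and is not shown here.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed DNS table.

Added example, not the article's code. Names, addresses and records are
hypothetical and embedded so the check runs without network access.
"""
import ipaddress

# Constructed stand-in for DNS: name -> record type -> values.
DNS = {
    "bank.example": {
        "TXT": ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailvendor.example -all"],
        "MX": ["mx1.bank.example"],
    },
    "mx1.bank.example": {"A": ["203.0.113.10"]},
    "_spf.mailvendor.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    },
    # Look-alike domain with no SPF record: receivers get "none", not "fail".
    "bank-secure.example": {},
    # Self-referencing record: the lookup budget turns this into permerror.
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on lookup-causing terms per evaluation


class PermError(Exception):
    """Malformed record or lookup budget exceeded (receiver result: permerror)."""


def _spf_record(domain):
    txts = [t for t in DNS.get(domain, {}).get("TXT", [])
            if t.lower().startswith("v=spf1")]
    if len(txts) > 1:
        raise PermError("multiple SPF records for " + domain)
    return txts[0] if txts else None


def _addresses(name):
    rr = DNS.get(name, {})
    return [ipaddress.ip_address(a) for a in rr.get("A", []) + rr.get("AAAA", [])]


def check_host(ip, domain, _budget=None):
    """Evaluate domain's SPF record for a connection from ip.

    Returns pass, fail, softfail, neutral or none; raises PermError on a broken
    record. Supports all, ip4, ip6, a, mx and include; dual-CIDR suffixes such
    as a/24 and the redirect= modifier are not implemented.
    """
    ip = ipaddress.ip_address(ip)
    budget = _budget if _budget is not None else [MAX_DNS_LOOKUPS]
    record = _spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term.partition(":")[0]:
            continue  # modifiers (exp=, redirect=) are skipped in this example
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                raise PermError("bad network in " + term)
            matched = ip.version == net.version and ip in net
        elif mech in ("a", "mx", "include"):
            budget[0] -= 1  # each of these costs a DNS lookup
            if budget[0] < 0:
                raise PermError("too many DNS lookups evaluating " + domain)
            target = arg or domain
            if mech == "a":
                matched = ip in _addresses(target)
            elif mech == "mx":
                mx_hosts = DNS.get(target, {}).get("MX", [])
                matched = any(ip in _addresses(h) for h in mx_hosts)
            else:
                sub = check_host(ip, target, budget)
                if sub == "none":
                    raise PermError("include target has no record: " + target)
                matched = sub == "pass"  # only a pass inside an include matches
        else:
            raise PermError("unknown mechanism " + mech)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no 'all' present: RFC default


def spf_result(ip, domain):
    """What a receiver would write into Received-SPF for this connection."""
    try:
        return check_host(ip, domain)
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "bank.example"),        # pass: listed range
                    ("203.0.113.10", "bank.example"),      # pass: the bank's MX
                    ("198.51.100.9", "bank.example"),      # pass: via include
                    ("2001:db8::1", "bank.example"),       # pass: ip6 via include
                    ("203.0.113.99", "bank.example"),      # fail: forged sender
                    ("192.0.2.77", "bank-secure.example"), # none: no record
                    ("192.0.2.77", "loop.example")]:       # permerror
        print(dom, ip, spf_result(ip, dom))
```

The "-all" at the end of the bank's record is what turns an unlisted sender into a hard fail; the vendor's record ends in "~all", so a forgery that only reaches that record through the include is not a match there and falls through to the bank's own "-all". Receivers typically treat "none" and "neutral" as no information, which is why every domain a bank actually sends from, and ideally its look-alike variants, should publish a record.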
While SIDF and DKIM fulfill a role in separating legitimate mail from forgeries, a number of third-party solutions have been brought to market with the specific aim of providing some form of certificate of authenticity for delivered e-mails. A common characteristic of these solutions is a visual mark, such as a sealed envelope or a padlock, displayed to the end user to indicate that an e-mail is trustworthy. Such a mark only means something when the mail client draws it from its own verification of the message; a padlock image placed inside the message body can be copied by any forger.
Finally, to maximize productivity, banks should provide internal training on using e-mail; publish e-mail policies and best practices, including the processes that ensure the whitelisting of partner senders that is critical to business-to-business e-mail; and implement spam filtering at the server level to reduce employee inbox clutter.