Everyone's blood runs cold when we receive an email from the Treasury. But it may happen that the person who writes you is not the Tax Agency. Or that this message from the Post Office is not such. And so on up to more than 700 email domains of the Spanish Administration that can be used by cybercriminals to deceive you through phishing or identity theft techniques.
Phishing or identity theft can reach us through a WhatsApp message. Or by opening a fake web page or in a email message . Its purpose is to extract personal data or obtain money through deception or extortion. There are ways to unmask this type of fraud, but detecting a case of phishing is complicated when you receive an email with the domain of the Post Office, the National Police, the Tax Agency or the Ministry of Foreign Affairs.
These are just some examples of email domains out of a total of 772 domains of the Spanish Administration that have been analyzed by the Web Security Observatory . This study expands its Web Segura project that we saw previously. After analyzing the public web to see if it was really safe for the user, his next big study consisted of checking if the e-mail domains of Spanish public bodies are safe. Or if they could be victims of a phishing attack or identity theft against Spanish citizens .
And it is not the same that you receive an email with a strange or unknown domain than an email of the type @ Correo.es, @ sede.sepe.gob.es or @ Agenciatributaria.es to cite the most common examples in phishing scams.
Almost 97% of domains are vulnerable
We have all received a fraudulent email message at some time. Who sends it claims to be Microsoft, Facebook, your bank or the Tax Agency. But looking at certain details, it is seen that they are not real. The best, ignore them and delete them . But some are more successful than others and there are some who manage to fool anyone.
One way to get very realistic fraudulent emails is by using the official domain of the Spanish Administration through which cybercriminals pose. But although there are ways to prevent it , in Spain this is not usual.
Those responsible for the Web Security Observatory have carried out a analysis of public emails from dozens of public bodies and institutions in Spain at the state, regional and local level. Out of a total of 772 domains analyzed , only 25 of them are safe against identity theft. The rest, 747, are vulnerable and could be used in phishing attacks against the population or against the Administration itself.
The list of safe and vulnerable domains can be consulted at this link. For its classification, the Observatory has taken into account how these domains are configured . Specifically, whether or not they have implemented security measures against phishing such as SPF or DMARC .
How to prevent identity theft?
SPF is the acronym for Sender Policy Framework . In Spanish, Senders Agreement. As Wikipedia explains, “it is a protection against address spoofing when sending e-mail. Identifies, through domain name records (DNS), the SMTP mail servers authorized to transport messages. This agreement seeks to help reduce abuses such as spam and other evils of e-mail ”.
The other prevention measure against phishing or identity theft is DMARC . It is the acronym for Domain-based Message Authentication, Reporting and Conformance . In Spanish, Message Authentication Based on Domains, Reports and Compliance. Going back to Wikipedia, “it's an email authentication mechanism. It has been designed to give email domain owners the ability to protect their domain from unauthorized use ”.
In short, the Spanish public administration has a lot of work to do to deal with online security issues. Something of vital importance. Especially when we talk about supplanting the identity of entities as important as the Post Office, the Treasury or the National Police itself.
You will find more information about the Web Security Observatory on its official page. There you will be able to consult the analysis on the security of the Spanish public Web and its most recent project, the analysis of the security of public emails.