News
Georg C. F. Greve

Proof Positive Scam Detection

Can it really be possible to recognize every single scam? Let me tell you how your protection works right now, and how you can improve it today.

Reputation is the key to our heart. We shoot the messenger because we expected better from them. The reason we place our trust in the messenger is simple: It is too exhausting to verify each individual message. Imagine you were selling your house for cash. Would you have the bills checked? What if the buyer was your lifelong best friend and they told you they got them fresh from their bank? Didn’t your distrust just decrease with each additional layer of reputation added?

Email protection today works a lot like that. You trust your email provider to keep you safe. And your email provider tends to trust messages from other email providers for you if that provider looks good. In this case, being trustworthy means their servers are well configured, their domain name service (DNS) records are well kept and secured, and they follow all the best practices.

There are also many technical specifications to follow, and they have complicated technical names and acronyms like DKIM – standing for “Domain Key Identified Mail” – or SPF, which is the short-hand for “Sender Policy Framework.” Both are frameworks that come together in the “Domain-based Message Authentication, Reporting & Conformance” policy, which abbreviates to DMARC.

All these standards have one single goal: To allow mail servers to decide which other mail servers to trust. But if applied rigorously, these frameworks will also stop and delete a lot of good mail that should have arrived at the recipient.

Just imagine this in the real world and if for every 10 letters you sent, only 6 would reach their destination. I guess you would have some choice words for your postal service then.

It is for good reason that mail providers use these principally as indicators. Many users have partially disarmed these mechanisms because they believe the damage of losing important email is the bigger risk. So, email providers try to use pattern recognition and AI to analyze your email and understand whether it is likely real or fraudulent.

Such systems are very fragile and find themselves in a very asymmetric risk and reward scenario. Scammers only need to fool them once to reach millions of users, which is what appears to have happened to Microsoft Office365 recently:

Phishing campaign spoofs Microsoft domain. Is lack of DMARC to blame?

So, should they trigger much earlier and more aggressively? Only if you are willing to accept a totally unreliable email provider. Some mails arrive, others don’t. It seems completely random, and you will have no idea what you missed. Sometimes you may find out later that you missed an important email; other times, you won’t.

All these systems work on a balance between false positives, messages that were incorrectly flagged as scam, and false negatives, scam messages that the system missed. Shift the balance aggressively toward avoiding false negatives at all cost and the number of false positives shoots up dramatically.

So filtering is necessarily only partially effective. This is why so many people have high hopes for universal DMARC adoption: Each mail server could then make sure the other mail server is legitimate and supposed to communicate on behalf of an organization. Will we ever get to this point? Hopefully, but I dare not predict when because old habits die hard. Just look at the number of fax machines still in operation.

And once this goal has been achieved, what is next? Mail servers are still only messengers. This brings us back to the beginning of the article. Should we blindly trust each message because it seems to have come via a trustworthy messenger? And what do we know of the process that made the messenger accept the message in the first place?

The best we can hope for with traditional approaches is to make sure the messengers are mostly trustworthy and filter out some of the scam that still makes it through. It will be gradually better than what you know today – but not radically so.

For a radical improvement, we would need a way that secures each individual message as it is being handled by the messengers. That’s been impossible so far, mostly because there has been no way to verify the sending side as it was hidden behind its messenger. Vereign Seal fundamentally changes that.

With this new approach, each message gets its own cryptographic seal to protect the message’s authenticity and integrity. Each seal encodes all the necessary information to verify its message and access additional sender and recipient records, with built-in blockchain protection against tampering and manipulation. This is the same technology that makes Bitcoin secure against forgery, and now protects each of your messages.

Added to each message as a QR Code, a Vereign Seal allows to bring up a web verification app that unlocks the seal, obtains all the available records, verifies them against the blockchain, and displays the result. Available as add-ins for Office365 and Gmail, you can also verify each Vereign Seal against the blockchain right in your inbox.

Likewise, the add-ins can seal each message locally in your browser before sending them off via Gmail and Office365. This also works locally on your desktop or mobile with up-to-date versions of Microsoft Outlook

The Vereign Seal also supports and helps enhance our messengers, the many different email servers, by allowing them to seal each message as it passes through, effectively testifying to the recipient each message has been locally checked, verified, and sent off correctly. Receiving messengers can also testify having received a sealed message correctly and let the sender know that the message has been accepted.

But what if someone tried to mislead users by adding a false Vereign Seal that led to a fake landing page?

Like a 3-year-old’s drawing of a banknote would be obvious to you, such a fake seal would be immediately obvious to each add-in and messenger that receives such a mail. There would be no doubt this message is a scam. It cannot result from misconfiguration or honest mistakes. There are no false positives.

For the first time, 100% Proof Positive Scam Detection is possible. But it gets better. Such falsified seals can trigger tripwire alerts, allowing for countermeasures and appropriate responses. No scam undetected. For would-be scammers, staying far away from Vereign Seal is their last, best hope of success.

This is why you should install it right away and also ask your friends to do the same.