#VerifiedEmails #FraudPrevention #LegitimateCompanies #EmailSecurity
Have you ever received an email from a legitimate company and wondered why it doesn’t have a “verified checkmark” to help you distinguish it from fraudulent emails? It’s a common concern among many consumers, and the lack of a verified symbol can make it difficult to discern between legitimate and fraudulent emails. In this article, we’ll take a closer look at why legitimate companies’ emails lack a “verified checkmark” and what steps you can take to ensure the emails you receive are authentic.
## Why don’t legitimate companies’ emails have a “verified checkmark”?
Legitimate companies’ emails lacking a “verified checkmark” may seem counterintuitive, especially given the rise in email fraud and phishing attempts. However, there are several reasons why legitimate companies may not have this feature:
### 1. Lack of a universal standard
Unlike social media platforms such as Twitter or Instagram, there is no universal standard for verifying the authenticity of emails. While some email providers may offer verified symbols for certain senders, there is no widespread system in place for all legitimate companies to obtain this verification.
### 2. Privacy concerns
Obtaining a verified checkmark for emails may require companies to share sensitive information with third-party verification services. As a result, many companies may prioritize protecting their customers’ privacy over obtaining a verified symbol for their emails.
### 3. Cost and resources
Obtaining a verified checkmark for emails may also involve additional costs and resources for companies. Small businesses and non-profit organizations, in particular, may not have the means to invest in this feature, making it more challenging to distinguish their emails from fraudulent ones.
## How can customers distinguish legitimate emails from fraudulent ones?
While the lack of a verified checkmark for legitimate companies’ emails may pose a challenge, there are several steps customers can take to ensure the authenticity of the emails they receive:
### 1. Check the sender’s email address
Fraudulent emails often come from addresses that mimic legitimate companies, but upon closer inspection, may reveal slight variations or misspellings. Be sure to carefully examine the sender’s email address to verify its authenticity.
### 2. Look for personalized information
Legitimate companies often include personalized information in their emails, such as your name or details about your account. If an email lacks personalization or contains generic information, it may be a sign of a fraudulent attempt.
### 3. Avoid clicking on suspicious links or attachments
Fraudulent emails often include links or attachments that can compromise your security. Exercise caution and avoid clicking on any links or downloading any attachments from emails that seem suspicious.
### 4. Contact the company directly
If you’re unsure about the authenticity of an email, don’t hesitate to contact the company directly through their official website or customer service hotline to verify the information contained in the email.
### 5. Use email security features
Many email providers offer security features such as spam filters and sender verification tools that can help identify and block fraudulent emails. Be sure to take advantage of these features to enhance your email security.
## Conclusion
While the absence of a verified checkmark for legitimate companies’ emails may seem perplexing, there are valid reasons why this feature may not be universally available. By taking proactive measures such as verifying the sender’s email address, looking for personalized information, and utilizing email security features, customers can better distinguish legitimate emails from fraudulent ones. In the absence of a verified symbol, it’s essential to remain vigilant and cautious when managing your email communications to safeguard your personal information and prevent falling victim to phishing attempts.
In conclusion, while the lack of a verified checkmark feature can make it challenging to distinguish legitimate emails from fraudulent ones, customers can take proactive measures to verify the authenticity of the emails they receive. By carefully examining the sender’s email address, looking for personalized information, and utilizing email security features, customers can enhance their email security and protect themselves from falling victim to phishing attempts.
How do you define “legitimate company”?
How do you make sure it’s impossible to fake the “verified” mark?
What if someone gets a scam company “verified” in a country where laws don’t cover that so there’s no way to stop them?
How do you make sure that every email program that exists all simultaneously update to support this new mark?
Short version:
When the basic framework of what has become email was created back in the 60s and 70s, they had no idea that it would eventually be put into global use. They made no real effort to put abuse prevention into it, because the idea of using an academic messaging service for fraud never occurred to them. What we call ‘spoofing’ – faking the sender data for an email to unsuspecting recipients – was not something email’s initial designers had in mind, as messaging required you to have some level of access to the recipient’s system, which very few people did. As email use grew, its first widely used protocol was called [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) – Simple Mail Transfer Protocol – and its developers kept the lax security measures of the older system, but removed the required access to the recipient. That protocol is what we still use today, 40 years later.
Longer version: they’re working on it. Over the past few decades, a number of measures have been widely adopted to strengthen security – [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) (sender policy framework) was the first big one, but has proven not to be enough. Since then, we’ve seen [DMARC](https://en.wikipedia.org/wiki/DMARC) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) come along, but until all email services everywhere are using all of the above, spoofing will always be possible. And even once it’s gone, we’ll still be left with the problem of ‘legitimate’ servers and addresses using similar names to existing domains in order to fool people. In those instances, a little ‘I am who I say I am’ flag would still be accurate, they just aren’t who *you* think they are.
Because of the way the email system works, it’s not possible.
For social media platforms, you have a company at the top who owns the platform and decides what goes and what doesn’t go. They also collect a lot of information from their users so they can verify their own users.
For the email system, it’s all decentralised. Your emails go directly to the server of the recipient (roughly speaking). There’s no central authority/body that manages the system.
There’s backend services which do essentially this, and which are used by the major email providers and most enterprise organizations.
That said, it’s not a verification that the company sending you the mail, or the mail itself, is legit; just that it comes from where you’d expect based on the source domains (DNS, IPs, etc.).
Outside of the standard SPF/DKIM/DMARC, there is something called BIMI which I see some companies starting to implement, which adds a logo to the emails to help verify them.
We do have a system like this – it just isn’t visible to the user.
Essentially nowadays we use a system called “SPF”. In short basic terms, if you receive an email from “@microsoft.com”, your mail server will look up microsoft.com and ask for a list of approved servers from which mail can be sent. It will then check that the email received came from one of those approved servers.
If it doesn’t, the email is discarded. (Note – **discarded** – it doesn’t even appear in your junk folder, which is why you sometimes don’t receive emails you were expecting.)
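To make the lookup described in that answer concrete, here is an added example (not from the original thread) of a minimal SPF evaluator in Python over a constructed in-memory DNS table; the domains and records in it are made up. Note that the qualifier on the final `all` term decides whether a non-matching sender gets a hard fail or a softfail, and what the receiver then does with the message is its own policy, not something SPF dictates.

```python
import ipaddress

# Constructed in-memory stand-in for DNS TXT lookups (sample records, not the
# real SPF records of any domain).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail-provider.example -all",
    "mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "looping.example": "v=spf1 include:looping.example -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF TXT record for a domain, or None if it publishes none."""
    record = dns.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, _depth=0):
    """Evaluate the SPF record of `domain` against the connecting `sender_ip`.

    Returns "pass", "fail", "softfail", "neutral", "none" or "permerror".
    Only ip4, ip6, include and all are implemented; a, mx, exists and ptr
    mechanisms are reported as permerror rather than silently skipped.
    """
    if _depth > 10:  # RFC 7208 limits lookup-causing terms to 10 per check
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # a term with no explicit qualifier defaults to "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only if the referenced domain's record passes;
            # a missing or broken referenced record is a permanent error
            sub = check_spf(arg, sender_ip, dns, _depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and there was no "all" term
```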
Apart from the correct SPF/DKIM/DMARC comments already mentioned, you’re likely noticing this recently because Google and Yahoo are beginning to more strictly enforce authentication and encryption (TLS) for bulk senders. Because of this increased enforcement, some companies may simply not be ready to meet those changes and, as a result, are seeing worse outcomes than they used to.
The best way is to check that the sender’s address and links go to the correct site and email domain (is that the term?) of the company to the letter. Look for amazon.com, not amazom.co.
I believe the checkmark you see in your email is something Google manages. They use a combination of things to check an email is legit before they apply the checkmark: BIMI, which ensures the source owns the logo in the profile image; VMC, which is a third-party verification of the same; and DMARC, which is a combination of two methods of ensuring the person who sent the email owns and operates the address it was sent from (prevents spoofing).
Companies aren’t required by anyone to have all these things, and they can be a lot of work to set up and maintain so sometimes they don’t do it, and don’t have the check, even though they are still legitimate.
Because email isn’t Twitter. Twitter is a self-contained platform and can (try to) exercise quality within itself. Email doesn’t work anything like that.
They sort of don’t lack that.
But it’s not something that you as a user will see.
Companies can set up what’s called DMARC and other things that ensure that only certain servers are allowed to send out emails claiming to be from the domain owned by the company.
Otherwise an email’s sender that you’ll see is essentially equivalent to putting your sender’s address on the back of an envelope. You can put any name and sender as you write it with a pen. It’s not validated. It’s a bit like this with the email sender’s address that shows up. But under the helmet of that is a system that is able to tell if the sender’s domain is actually allowed to send emails on behalf of that domain.
Because checkmarks cost $8. That’s not just a Twitter joke; it’s because any person can pay a few bucks to license a real company and a few bucks to host a website and then do bad business from it. I can buy $20 things on Amazon and resell them to you for $35, if you’re gullible enough to trust me. And that’s not even a crime.
There are technology solutions to confirm that an email SAYING it’s from company.com actually IS from company.com. But there’s no tech solution to say that company.com (or “company.site” or “company.co”) is an honest business that will treat you fairly. You can also usually just look at the sender’s address and see that it’s from some gibberish name CLAIMING to be your bank. That IS a crime, and I still get lots of them.
There are technologies that act like a “verified checkmark” service. The technically-best one is called Pretty Good Privacy, and if fully deployed it would have made the world a really different place. Pretty Good Privacy offers a way to sign digital documents, so that you would know that they came from a particular person (or were authorized by a particular company), as well as a (different) way to encrypt documents that only a particular person or company can decode.
PGP was distributed, for free, as open-source software in the late 20th Century and a fair few people adopted it — but nowhere near enough companies ever did. That’s because it costs effort (hence, for a company, both money and customer goodwill) to understand how PGP works, and most companies didn’t want to either spend the effort or discourage customers by complicating the email experience.
So PGP never reached “critical mass” and (at least as a global standard) fizzled.
Because there is no central email system. Each company, business, government, and heck, even a person can have their own email system as long as it talks SMTP.
There are certainly technological ways to do it. It’s just a challenge to get everyone to use the same thing and trust each email system to use it properly.
Social media sites/apps that use these kinds of checkmarks are a central verifying authority that can decide who is legitimate and who isn’t. The checkmark means nothing outside the individual site and, as we’ve seen with Twitter, the checkmark doesn’t always back up the legitimacy it implies.
Email has no central authority the way these websites do. It’s not run by one single company that can be the arbiter of truth the way social media sites are, so there’s nobody to “give” this hypothetical checkmark.
There is. It’s called PGP. But you need to actually know what you are looking for AND look for the signature. I think few outside of tech geeks have any understanding of how that works, and automated systems have poor context awareness.
I agree there is a problem to solve here, but there are underlying issues around the fundamental way email works. It is designed to be open and promote communication more than anything else.
Every company I work for would have a huge warning stating the email came from outside the company if it wasn’t from a real company email. Is that not standard?
Simple answer: a “verified checkmark” can’t exist in existing email protocol.
Email was designed as very simple with no verification because only a few trusted people could send email, so why bother. Now everyone can send email and it’s a problem. There are a lot of very complex systems to try to add authentication over the original dumb system, but none are 100% effective.
Your grandmother will never be more technically adept than the con artists. So anything that will stop them from sending you spam will stop her from sending you a nice note about the flowers she is growing in her garden.
The only proposal I saw that might help was a new network where it cost a tenth of a penny to send an email, and only emails paid for could be received by the network. Note this is per recipient: send an email to 10 people and it is a full cent, which still is unlikely to break you. That system would cost most individuals 10-20 cents a month. But companies that spam customers, even legitimately, would be paying thousands of dollars for it. Once the companies are paying per recipient, they get a lot more targeted in what they send and won’t send something daily.
I think a lot of people would happily put $5 into an account like this to avoid most spam. But it hasn’t gone past the drawing board yet. Probably because a lot of people don’t want to pay for something they can get “for free” despite paying a lot more in time dealing with spam.
“Email was invented by hippies… and hippies suck at security” — Dylan Beattie
That’s quite a tongue-in-cheek way of putting it, but it’s really not all *that* far from the truth. Email is a very old system, and the standards it’s based on simply don’t support any of our comparatively new requirements.
This would force us to rely on a gatekeeper that decides who is legitimate and who isn’t. Much like how Twitter was the gatekeeper for their checkmarks and not coincidentally it turned into Pay to Play, these “legitimacy in the eyes of the gatekeeper” systems would naturally turn into questions about how the gatekeepers could use that power to profit.
We DO have this in Outlook now, if the email is [EXTERNAL] to the company it states as such next to the Subject line. This does help you weed out possible fraudulent phishing emails.
Like most computer security issues, this is a case of ease of use vs security.
On the one hand, you want to make sure you can receive email from anyone who wants to talk to you. This means accepting the lowest common denominator when it comes to email security.
On the other hand you want to make sure email is safe and genuine. The more technologies you implement to restrict and verify email, the harder it is for other people to talk to you – they have to implement all those technologies too, which costs time and money.
Every company tries to strike a balance between these two competing requirements.
There is a way to implement a “verified checkmark” for email, based on asymmetric cryptography. This is the same way websites identify themselves to your web browser. Each sender acquires a public cryptography key and a private one. To sign the email, you create what is called a hash of the email contents, and then encrypt that hash with your *private* key (a hash is sort of like a unique mathematical summary of the message). The recipient decrypts the hash using your *public* key and also creates a hash of the email contents and compares it to the encrypted hash you sent. If they match, it proves that you sent the message and that the message was not altered in transit. The reason this isn’t widely used is because of the effort and expense involved.
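The hash-then-private-key scheme described in that comment, as an added example that is not part of the original thread: a textbook RSA signature in Python with constructed, deliberately undersized key parameters (real deployments use 2048-bit or larger keys and a padding scheme such as PSS; DKIM, S/MIME and PGP all build on this same idea).

```python
import hashlib

# Toy RSA key from two fixed Mersenne primes: constructed demo parameters,
# far too small for real use (production keys are 2048 bits or more).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, needs Python 3.8+
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def digest_int(message: bytes) -> int:
    """SHA-256 the message and reduce the digest into the modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Hash the message, then apply the private key to that hash."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recover the signed hash with the public key and compare it with a
    fresh hash of what was received; any change to the message breaks it."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)


if __name__ == "__main__":
    msg = b"From: billing@example.com\r\nSubject: Invoice\r\n\r\nPay 10 EUR."
    sig = sign(msg)
    print(verify(msg, sig))                          # True
    print(verify(msg.replace(b"10", b"1000"), sig))  # False, altered in transit
```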
Verified by who? There is no single organization that controls email, and if there was, they’d have to work with the developers of every email client to get such a feature implemented.
There are already ways to cryptographically sign emails, but it requires the recipient to have some independent method of verifying identity.
It’s because that check mark costs businesses money, in a sector many don’t quite understand yet. It’s also semi-difficult to implement properly as there are a lot of regulations you have to consider on top of implementing S/MIME.
I wish they would just charge for email.
Maybe $.01 (or $.001) per email. Enough that businesses could afford it (I would pay that much to have it not go to spam), and too expensive for spammers.
Email is the lowest priority on networks, and is unsecured.
The check mark is meaningless.
You can always copy the email headers and paste them here to see if the sender’s domain has set up authentication and whether the specific email you received is in compliance with authentication. https://mxtoolbox.com/EmailHeaders.aspx
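Building on that suggestion, here is an added example (not from the original thread) that reads the Authentication-Results header a receiving server adds and reports the spf, dkim and dmarc outcomes; the header blocks are constructed samples and `mx.example.net` is an assumed name for your own receiving server. It deliberately ignores any Authentication-Results header carrying a different authserv-id, since whoever handled the message upstream can insert such a header themselves.

```python
import re

# Constructed sample header blocks (not taken from real messages).
GOOD_HEADERS = """\
Authentication-Results: mx.example.net;
    dkim=pass header.i=@example.com header.s=sel1 header.b=AbCd12;
    spf=pass (mx.example.net: 192.0.2.10 is permitted sender) smtp.mailfrom=example.com;
    dmarc=pass (p=REJECT dis=NONE) header.from=example.com
"""

FORGED_HEADERS = """\
Authentication-Results: mx.example.net;
    spf=fail smtp.mailfrom=examp1e.com;
    dmarc=fail (p=REJECT dis=REJECT) header.from=example.com
Authentication-Results: attacker.example;
    dkim=pass;
    dmarc=pass header.from=example.com
"""


def unfold_headers(raw):
    """Join folded continuation lines so each header is one logical line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_authentication_results(raw, trusted_authserv):
    """Return {method: result} from Authentication-Results headers whose
    authserv-id is our own receiving server; any other authserv-id is ignored."""
    results = {}
    for line in unfold_headers(raw):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authentication-results":
            continue
        value = re.sub(r"\([^)]*\)", "", value)  # drop parenthesised comments
        parts = [p.strip() for p in value.split(";")]
        authserv = parts[0].split()[0] if parts[0] else ""
        if authserv.lower() != trusted_authserv.lower():
            continue
        for resinfo in parts[1:]:
            if resinfo:
                method, sep, result = resinfo.split()[0].partition("=")
                if sep:  # topmost (most recently added) header wins
                    results.setdefault(method.lower(), result.lower())
    return results


def passes_authentication(raw, trusted_authserv):
    """True only when our own server reported dmarc=pass for the From domain."""
    return parse_authentication_results(raw, trusted_authserv).get("dmarc") == "pass"
```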