February 1, 2023

Request to Credit Card Companies, etc. to Bolster Anti-Phishing Measures

The Ministry of Internal Affairs and Communications (MIC), the National Police Agency (NPA), and the Ministry of Economy, Trade and Industry (METI) today issued a request to credit card companies and the like to bolster their anti-phishing measures, such as introducing DMARC*. The move comes in response to an increase in cases of people falling victim to phishing, which is one cause of the fraudulent use of credit card numbers and other details.

1. Background

Phishing attacks have become a frequent occurrence of late. Phishing refers to an attack in which a third party with malicious intent sends a user an e-mail, etc. disguised as a communication from a credit card company, etc. containing a link that takes the user to a fake website in order to fraudulently acquire the user's credit card number and other details.
As the fraudulent acquisition of credit card numbers and other details via phishing is one cause of the fraudulent use of credit card numbers, etc., credit card companies, etc. must address the issue appropriately in order to protect users.
Above all, in light of the large number of phishing e-mails sent from spoofed domain names, it is vital for companies to introduce DMARC, a form of technology for authenticating the sender's domain that is regarded as particularly effective against phishing e-mails. Doing so makes it possible to detect domain spoofing and thereby restrict the number of phishing e-mails users receive, by ensuring that e-mails disguised as communications from that company do not reach the user.
Given this situation, MIC, the NPA, and METI have issued a request to credit card companies and the like to bolster their anti-phishing measures.

  * DMARC: Domain-based Message Authentication, Reporting, and Conformance. A form of technology for authenticating the domain of an e-mail's sender.

2. Outline

1. Combating spoof e-mails via the introduction of DMARC

  • Introduce DMARC for all domain names disclosed to users (including domain names not used for sending e-mails).
  • When introducing DMARC, ensure it operates under a policy by which spoofed e-mails are rejected on the recipient's side.
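
As an added illustration of the two requests above (not part of the original press release or of any ministry tooling), the following Python sketch audits the DMARC record of every user-facing domain, including one that sends no mail, and flags anything short of a full reject policy. The domain names and TXT records are constructed samples; the assumption is that in practice the records come from a DNS TXT lookup at `_dmarc.<domain>`.

```python
# Added example: audit DMARC TXT records for a full "reject" policy (constructed data).

def parse_dmarc(txt):
    """Parse one TXT record into a tag dict, or return None if it is not DMARC."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # the v=DMARC1 tag must come first
        tags.setdefault(name, value)
    return tags if tags.get("v") == "DMARC1" else None

def audit(txt_records):
    """Classify the TXT records found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid: multiple DMARC records"
    rec = records[0]
    policy = rec.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid: no usable p= tag"
    if policy != "reject":
        return "not enforcing: p=" + policy
    if rec.get("sp", "reject").lower() != "reject":
        return "weak subdomain policy: sp=" + rec["sp"].lower()
    pct = rec.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        return "partial: pct=" + pct
    return "ok"

# Constructed inventory of domains shown to users; campaign.example sends no mail.
SAMPLE = {
    "card.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@card.example"],
    "pay.example": ["v=DMARC1; p=none; rua=mailto:dmarc@pay.example"],
    "campaign.example": [],  # no TXT record published at _dmarc
    "points.example": ["v=DMARC1; p=reject; sp=none"],
    "shop.example": ["v=DMARC1; p=reject; pct=20"],
}

def audit_all(inventory):
    return {domain: audit(txts) for domain, txts in inventory.items()}

for domain, result in audit_all(SAMPLE).items():
    print(f"_dmarc.{domain}: {result}")
```

Only card.example passes; the non-sending campaign.example is reported as missing, which is the gap the first bullet asks companies to close.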

2. Other anti-phishing measures

  • Implement other measures deemed effective in combating phishing, as described in the Anti-Phishing Guidelines formulated by the Council of Anti-Phishing Japan.

Contact

For further information about this press release, please fill in the inquiry form and submit it to MIC via the following website:
https://www.soumu.go.jp/common/english_opinions.html

Global Strategy Division, Global Strategy Bureau, MIC

TEL: +81 3 5253 5920

FAX: +81 3 5253 5924