Failing to Protect Customers From Phishing: Agari
San Mateo, Calif.-based cybersecurity firm Agari’s research revealed growing concern over the phishing threat and the slow adoption of the email authentication standard Domain-based Message Authentication, Reporting and Conformance (DMARC).
The research, “Agari Global DMARC Adoption Report: Open Season for Phishers,” revealed 92% of U.S. Fortune 500 companies have left their customers, partners and brand names vulnerable to domain name spoofing, one of the most common digital deception attack vectors.
“It is unconscionable that only eight percent of the Fortune 500, and even fewer government organizations, are protecting the public against domain name spoofing,” Patrick Peterson, founder and executive chairman, Agari, said. “Phishing and other forms of digital deception are preventable, and the first step is for our largest companies and organizations to deploy DMARC, a highly-effective open standard.”
The report described how digital deception emails trick users into clicking on websites that steal their passwords, install ransomware or con unsuspecting victims into sending money. This type of fraud represents billions of dollars in losses per year and is completely preventable if organizations adopt an open standard called DMARC.
When a company implements DMARC, there are three levels of policies applicable to their domains:
- Monitor (p=none) – Unauthenticated messages are monitored but still delivered to the inbox.
- Quarantine (p=quarantine) – Unauthenticated messages are moved to the “Spam” or “Junk” folders.
- Reject (p=reject) – Unauthenticated messages are blocked and not delivered to any folder.
Agari research found fewer than 10% of the Fortune 500 have deployed a DMARC policy that prevents digital deception: 15 companies (three percent) have a quarantine policy and 24 companies (five percent) have a reject policy. Only four industry sectors achieved a majority adoption rate: business services (60%), which include payment processors and credit card companies; financials (57%), which include financial institutions and stock portfolios; technology (55%); and transportation (53%).
However, the research noted that while business services, financials, technology and transportation have majority adoption rates, these are also the sectors most likely to be targeted by phishing attacks. The report disclosed: “Even among these early adopters, the majority of their deployments are ‘p=none,’ which does nothing to prevent these attacks. DMARC adoption is of little use, unless organizations move to a quarantine or reject policy.”
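The three policy levels above, together with the report’s caveat that a “p=none” deployment prevents nothing, are exactly what an adoption survey like Agari’s has to classify. The following Python classifier is an added example, not Agari’s code or part of the report: it parses constructed `_dmarc` TXT records (the domains and records are made up; a real survey would fetch them via DNS), assigns each the report’s enforcement level, and also flags `pct=` and `sp=` settings that weaken an otherwise enforcing policy.

```python
from typing import Dict, List, Optional

# Enforcement levels as the report describes them: p=none only monitors,
# p=quarantine and p=reject actually keep spoofed mail out of the inbox.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a 'v=DMARC1; p=reject; rua=...' record into a tag -> value map."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt: Optional[str]) -> Dict[str, object]:
    """Classify one domain's _dmarc TXT record (None = nothing published).
    Returns {"level", "pct", "notes"}; level is absent/invalid/monitor/quarantine/reject."""
    if txt is None:
        return {"level": "absent", "pct": 0, "notes": ["no _dmarc record published"]}
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"level": "invalid", "pct": 0, "notes": ["missing v=DMARC1 or p= tag"]}
    level = LEVELS.get(tags["p"].lower(), "invalid")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100  # DMARC default is 100
    notes: List[str] = []
    if level in ("quarantine", "reject") and pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail is enforced")
    if tags.get("sp", "").lower() == "none" and level != "monitor":
        notes.append("sp=none: subdomains stay in monitor mode")
    if "rua" not in tags:
        notes.append("no rua= address: aggregate reports are not collected")
    return {"level": level, "pct": pct, "notes": notes}

def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per level, the breakdown the report gives for the Fortune 500."""
    counts = {k: 0 for k in ("absent", "invalid", "monitor", "quarantine", "reject")}
    for txt in records.values():
        counts[assess(txt)["level"]] += 1
    return counts

# Constructed sample of _dmarc.<domain> TXT lookups; not real domains or records.
SAMPLE_RECORDS = {
    "alpha.example": "v=DMARC1; p=reject; rua=mailto:dmarc@alpha.example",
    "beta.example": "v=DMARC1; p=quarantine; pct=20; sp=none; rua=mailto:dmarc@beta.example",
    "gamma.example": "v=DMARC1; p=none; rua=mailto:dmarc@gamma.example",
    "delta.example": None,
    "epsilon.example": "v=DMARC1",  # no p= tag: malformed, so it protects nothing
}
```

Running `summarize(SAMPLE_RECORDS)` on the constructed sample yields one domain at each level; in the report’s terms only the first two would count as enforcing, and the second only partially because of `pct=20` and `sp=none`.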
Key report findings include:
- Corporations are failing to rapidly adopt DMARC. Only 39 Fortune 500 companies enforced DMARC with a quarantine or reject policy. An additional 24% adopted a minimal DMARC policy that monitors, but does not prevent domain name spoofing, while 337 companies (67%) have not adopted DMARC at all. DMARC adoption rates are similarly weak among companies in the United Kingdom’s FTSE and Australia’s ASX 100.
- DMARC dramatically decreased digital deception. Agari demonstrated how DMARC prevented delivery of more than 100 million fraudulent email messages in 24 hours.
- Early adopters realized the benefits of DMARC. Within the Fortune 500, only the financial, business services, technology and transportation sectors have a majority DMARC adoption rate. Generally, these are the sectors that have seen digital deception used to compromise valuable accounts, such as credit card and financial accounts. The financial sector has taken a proactive approach to protecting itself from these types of attacks, led by organizations including the Financial Services Information Sharing and Analysis Center and BITS, the technology policy division of the Financial Services Roundtable.
DMARC grew out of a 2007 pilot program between PayPal and Yahoo! to eliminate phishing emails. Agari explained that, as a founding member of DMARC, it has worked with the largest email account hosts (AOL, Comcast, Google, Microsoft and Yahoo!) since January 2012 to protect inbound email. “DMARC virtually eliminates domain name spoofing and its associated attacks including phishing when DMARC policies are set to quarantine or reject unauthenticated email,” the report said.
“Unfortunately, DMARC adoption is stagnant within the Fortune 500, enabling malicious actors to abuse that trust and leaving corporations unprepared to prevent it,” the report stated.