Global DMARC adoption still slow, it’s open season for phishers
92 percent of U.S. Fortune 500 companies have left their customers, partners and brand names vulnerable to domain name spoofing, one of the most common digital deception attack vectors, according to Agari.
“It is unconscionable that only eight percent of the Fortune 500, and even fewer government organizations, are protecting the public against domain name spoofing,” said Patrick Peterson, founder and executive chairman, Agari. “Phishing and other forms of digital deception are preventable, and the first step is for our largest companies and organizations to deploy DMARC, a highly-effective open standard.”
DMARC emerged in 2007 from a pilot program between PayPal and Yahoo! to eliminate phishing emails. When DMARC policies are set to quarantine or reject unauthenticated email, DMARC virtually eliminates domain name spoofing and its associated attacks, including phishing.
Analyzing DMARC policies
Agari analyzed the DMARC policies of the corporate domains of the Fortune 500, FTSE 100 and ASX 100. Its key findings include:
Corporations are failing to rapidly adopt DMARC – Only 39 of the companies in the Fortune 500 are enforcing DMARC with a quarantine or reject policy. An additional 124 have adopted a minimal DMARC policy that monitors, but does not prevent, domain name spoofing, while 337 companies have not adopted DMARC at all. DMARC adoption rates are similarly weak among companies in the United Kingdom’s FTSE and Australia’s ASX 100.
DMARC decreases digital deception – Agari demonstrates how DMARC prevented delivery of more than 100 million fraudulent email messages in 24 hours.
Early adopters have realized the benefits of DMARC – Within the Fortune 500, only the business services, financial, technical and transportation sectors have a majority DMARC adoption rate. Generally, these are the sectors that have seen digital deception compromise email, credit cards and bank accounts, among other valuable accounts. The financial sector, in particular, has taken a proactive approach to protecting itself from these types of attacks, with organizations including Financial Services Information Sharing and Analysis Center (FS-ISAC) and BITS, the technology policy division of the Financial Services Roundtable (FSR).
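
An added example, not code from Agari or the original article: a Python sketch that sorts the TXT records published at _dmarc.<domain> into the three groups used in the first finding (enforcing with quarantine or reject, monitor-only, no DMARC). Tag handling follows RFC 7489 in simplified form; the function names, domains and records are constructed for illustration.

```python
from collections import Counter


def parse_tags(txt):
    """Split a TXT string into DMARC tags; None unless it starts with v=DMARC1."""
    pairs = [p.partition("=") for p in txt.split(";") if p.strip()]
    if not pairs or any(sep != "=" for _, sep, _ in pairs):
        return None
    tags = [(k.strip().lower(), v.strip()) for k, _, v in pairs]
    if tags[0] != ("v", "DMARC1"):  # version tag must be first and match exactly
        return None
    return dict(tags)


def classify(txt_records):
    """Map the TXT records found at _dmarc.<domain> to one of three groups."""
    records = [t for t in map(parse_tags, txt_records) if t is not None]
    if len(records) != 1:  # no record, or several: receivers apply no DMARC
        return "no-dmarc"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "enforcing"
    if policy == "none" or "rua" in tags:  # invalid p plus rua is handled as p=none
        return "monitor-only"
    return "no-dmarc"


SAMPLE = {  # constructed domains and records, not real measurements
    "bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"],
    "shop.example": ["v=DMARC1; p=quarantine;"],
    "news.example": ["v=DMARC1; p=none; rua=mailto:reports@news.example"],
    "old.example": [],
    "dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "typo.example": ["v=DMARC1; p=rejct; rua=mailto:d@typo.example"],
    "stray.example": ["v=spf1 -all"],
}


def summarize(zone):
    """Count domains per group, as the adoption figures above do."""
    return Counter(classify(records) for records in zone.values())


if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        print(f"{domain:15} {classify(records)}")
    print(dict(summarize(SAMPLE)))
```

The duplicate-record and misspelled-policy cases show how a domain that appears to publish a reject policy can still end up unprotected or monitor-only.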