That’s far more than what the Fortune 500 accomplished in the same period.

New data from Agari shows that just half of the Fortune 500 have deployed DMARC — or domain-based message authentication, reporting, and conformance policy. Email systems use DMARC policies to verify the identity of an email sender, ensuring that it’s not impersonating another domain. Depending on the DMARC settings, an email system can either monitor, quarantine or entirely reject spoofed emails, helping to cut down on the number of phishing emails that land in your corporate inbox.

The data shows 51 percent of the Fortune 500 — the world’s wealthiest companies — are now using DMARC. That’s an improvement from about one-third a year ago, but it still trails behind the federal government’s DMARC adoption.

But only 13 percent of those companies are employing a quarantine or reject policy — which actively intercepts spoofed emails and marks them as spam or bounces them from a user’s inbox altogether.

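The difference between having a DMARC record and actually enforcing one can be checked from the published TXT record itself. The sketch below is an added example, not Agari's methodology or code: it classifies the TXT strings found at `_dmarc.<domain>` as no record, monitor-only, or quarantine/reject. The `.example` domains, their records and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: TXT strings as they would appear at _dmarc.<domain>.
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=spf1 -all"],                      # SPF only, no DMARC
    "d.example": ["v=DMARC1; p=quarantine; pct=25"],   # enforced on a sample only
    "e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicate records
    "f.example": ["v=DMARC1; rua=mailto:dmarc@f.example"],    # p tag missing
}

def parse_tags(record):
    """Split 'k=v; k=v' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Return no-record, invalid, monitor, quarantine or reject (optionally -partial)."""
    # A DMARC record must start with the version tag v=DMARC1.
    dmarc = [r for r in txt_records
             if r.split(";")[0].replace(" ", "") == "v=DMARC1"]
    if len(dmarc) != 1:
        return "no-record"      # none or several records: DMARC is not applied
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489: without a valid p tag, a record with rua is treated as p=none.
        return "monitor" if "rua" in tags else "invalid"
    if policy == "none":
        return "monitor"
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return policy + "-partial"   # policy applies to only pct% of failing mail
    return policy

def summarize(domains):
    """Tally classifications and the share of domains with full enforcement."""
    counts = Counter(classify(recs) for recs in domains.values())
    enforcing = counts["quarantine"] + counts["reject"]
    return counts, round(100 * enforcing / len(domains))

if __name__ == "__main__":
    counts, pct_enforcing = summarize(SAMPLE)
    print(dict(counts), f"{pct_enforcing}% at full enforcement")
```

A domain that publishes `p=none` counts as "using DMARC" in an adoption survey, but receivers only report on its spoofed mail and still deliver it.
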
According to Agari’s breakdown: Aetna, American Express, Bank of America, Capital One, Facebook, FedEx, Microsoft, Netflix, PayPal, UPS and Wells Fargo ranked among the companies with the strongest DMARC policy.

Boeing, CBS, Discovery, Exxon Mobil, Frontier, JetBlue, NetApp, Time Warner Cable (Spectrum), Prudential, Viacom and Xerox are some of the worst contenders with no record whatsoever.

Agari, which has a commercial stake in the email security business, said that having a well-configured DMARC policy “cannot be overstated.”

Scammers often use spoofed emails to try to trick companies into sending back sensitive taxpayer information or other corporate secrets. Known as the “W-2 phishing scam,” legitimate-looking emails try to obtain W-2 tax forms of employees so that the scammers can file fraudulent forms during tax season in order to obtain hefty refunds. The FBI says these scams cost businesses $12 billion a year.

But DMARC is meant to weed out the bulk of those spoofed emails. According to Agari, one of its customers — a global e-commerce firm — was getting millions of impersonated emails per day, spoofing the company’s “from” domain to make it look like the real deal. After the company implemented its new DMARC policy to reject spoofed emails, the number went down by 99 percent.

“The damage from these attacks has ballooned into billions of dollars annually—however the real cost is the erosion of trust in digital business,” said Agari’s Armen Najarian.