98% of financial services companies vulnerable to email impersonation
In April, the five largest banks in the U.S. adopted email authentication through DMARC, giving their customers, employees, and partners the ability to trust emails they send.
That was a timely move: In the midst of a historic explosion of phishing attacks and email impersonation campaigns, and a post-Equifax spike in phishing emails that impersonate banks, email authentication is an effective response. Once a domain's DMARC policy is at enforcement, receiving mail servers reject or quarantine any message that uses that domain in the From: header but fails SPF or DKIM alignment, so only authorized senders can use the domain. (It does not stop look-alike domains, which is a separate problem.)
So it’s encouraging that among the largest companies, adoption and enforcement of email authentication has been growing.
Unfortunately, progress toward trusted email in the financial industry at large has been slow. Valimail recently analyzed 8,849 domains for financial services and insurance companies to understand how they are using email authentication.
Valimail’s analysis reveals that just 2.26 percent of more than 4,700 financial services domains are currently protected by email authentication through DMARC at enforcement, meaning a policy of “reject” or “quarantine,” so that any messages which fail to authenticate are rejected outright or sent to spam.
That number is higher for the 600 largest companies in the dataset, with 5.19 percent of that group protected by email authentication. For the rest, the rate hovers around 1.8 percent.
The rate is worse in the insurance industry: Of the more than 4,000 insurance company domains we analyzed, 1.85 percent are protected by email authentication enforcement.
It’s not for want of trying: Taken together, about 10 percent of the financial services domains and insurance domains have attempted email authentication by publishing a DMARC record in DNS (a TXT record at _dmarc.<domain>).
However, for the vast majority, their DMARC record is just a data-collection tool, with no enforcement. Between 80 and 85 percent of these companies have failed to get to enforcement, either because their DMARC records contain errors (syntax mistakes, a missing or misspelled policy tag) or because they are stuck at a policy of “none,” which directs receiving email servers to continue delivering all email that appears to come from the domain, even if it fails authentication, and only to send the domain owner aggregate reports about it.
That leaves just about 2 percent of companies that have attempted email authentication with DMARC and completed implementation to the point where they are protected from impersonation attacks.
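The classification used above (no record, broken record, monitoring-only, enforcement) is easy to reproduce against your own domain portfolio. The following is an added example written for this post, not Valimail's tooling or methodology; the domain names and the TXT records they return are constructed here to exercise each case, and a real run would fetch the `_dmarc.<domain>` TXT record from DNS in place of the `SAMPLE_RECORDS` table. It also flags two things a bare "at enforcement" count hides: a `pct` below 100 and an `sp=none` subdomain policy.

```python
"""Classify DMARC records the way the survey above does.

Statuses: no_record, invalid, monitoring (p=none), enforcement (p=quarantine/reject).
Added example for this post; not Valimail's code. Records below are constructed.
"""
from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample: what a TXT lookup of _dmarc.<domain> might return (None = NXDOMAIN).
SAMPLE_RECORDS = {
    "bank.example":     "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "insurer.example":  "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@insurer.example",
    "credit.example":   "v=DMARC1; p=none; rua=mailto:dmarc@credit.example",
    "broker.example":   "v=DMARC1; p=reject rua=mailto:dmarc@broker.example",  # missing ';'
    "lender.example":   "v=spf1 include:_spf.lender.example ~all",           # SPF, not DMARC
    "trust.example":    None,
    "holdings.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@holdings.example",
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag->value dict.

    Returns None if the record is not a syntactically usable DMARC record:
    a tag without '=', or a first tag that is not v=DMARC1 (RFC 7489 requires
    the version tag to come first).
    """
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    if not pairs or pairs[0][0] != "v" or pairs[0][1].upper() != "DMARC1":
        return None
    return dict(pairs)


def classify(txt):
    """Map one domain's _dmarc TXT value (or None) to a survey status."""
    if txt is None:
        return "no_record"
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"  # p= is mandatory and must be none/quarantine/reject
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return "invalid"
    return "monitoring" if policy == "none" else "enforcement"


def caveats(txt):
    """Weaknesses that still leave a domain exposed even when it 'counts' as enforced."""
    tags = parse_dmarc(txt) if txt else None
    if not tags:
        return []
    notes = []
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
    if policy in ("quarantine", "reject") and tags.get("sp", "").lower() == "none":
        notes.append("sp=none: subdomains can still be spoofed")
    if policy == "none" and "rua" not in tags:
        notes.append("p=none without rua: no reports, so no data to move toward enforcement")
    return notes


def survey(records):
    """Count statuses across a domain->TXT mapping and return (counts, % at enforcement)."""
    counts = Counter(classify(txt) for txt in records.values())
    total = len(records)
    enforced = 100.0 * counts["enforcement"] / total if total else 0.0
    return counts, round(enforced, 2)


if __name__ == "__main__":
    counts, enforced = survey(SAMPLE_RECORDS)
    for domain, txt in SAMPLE_RECORDS.items():
        extra = "; ".join(caveats(txt))
        print(f"{domain:18} {classify(txt):12} {extra}")
    print(f"\n{dict(counts)}  ->  {enforced}% at enforcement")
```

Two of the seven constructed domains are "invalid" for reasons that show up constantly in real portfolios: a missing semicolon that swallows the next tag into the policy value, and an SPF record that was pasted at `_dmarc` by mistake. Both count as a failed attempt in the sense used above.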
Without authentication, the rest of the companies’ domains remain vulnerable to impersonation. In a world where hackers impersonate banks and insurance companies on a daily basis that is a dangerous vulnerability.
In short, financial services and insurance companies are leaving their front doors open to thieves and fraudsters. It’s time to shut the door.
Note: Valimail co-founder and CEO Alexander García-Tobar will be presenting this data in a talk titled “Why Do Less Than Five Percent of U.S. Financial Institutions Achieve Successful Email Authentication?” at the FS-ISAC Fall Summit, a financial industry gathering in Baltimore happening this week. If you’re there, you’ll have three chances to catch his 15-minute presentation today, October 3, between 5 and 6pm.