Fake email is at the heart of cybersecurity risk — yet many companies are still not using well documented, open standards-based technologies that could protect them.
A quick look at the stats will reveal just how critical this is. Fake email lies behind the 60 percent jump in business email compromise (BEC) losses in 2018 reported by the FBI. It’s behind the wave of fake GDPR privacy notifications in the past year. It’s the technique used in as much as two-thirds of all phishing attacks — and phishing, as you’ve no doubt heard from multiple sources, is involved in over 90 percent of all cyberattacks.
In other words, fake email is not just a nuisance — it’s a serious problem.
To measure the impact of this threat, and to assess the world’s progress in using countermeasures such as email authentication, Valimail examined the DMARC records published by thousands of companies worldwide, grouped into 11 different categories. Our research program is now in its third year, and for most of these categories we now have data covering well over a year.
Steady Growth in DMARC
The picture that emerges is clear: The use of email authentication is growing steadily in every industry sector — and much more rapidly in the federal government, where its use was mandated by an October 2017 directive from the Department of Homeland Security called BOD 18-01.
The federal government is also an outlier when it comes to the second critical component of the solution: Configuring DMARC to a policy of enforcement. Among federal domains that have DMARC records, 87 percent specify an enforcement policy.
Enforcement is where the rubber meets the road: It is only with an enforcement policy that a domain is actually protected from fake email. Unfortunately, outside of the federal government, the effectiveness rate at getting DMARC policies to enforcement remains disturbingly low.
Across many industry sectors we see a consistent enforcement rate of around 20 percent. In other words, out of every five domains deploying a DMARC record, only one will get to a policy that protects the domain from impersonation.
You can get all the detailed stats in our Q4 Email Fraud Landscape. And read on for our official press release on the report.
Global Fight Against Fake Email Intensifies, But Many Domains Still Aren’t Implementing Standard Protections – Report
Federal agencies, Fortune 500 and U.S. tech firms lead in use of email authentication technologies
SAN FRANCISCO, February 1, 2019 -- U.S. federal government agencies and many major enterprises have made significant strides to thwart the spread of fake emails, a major cybersecurity attack vector. But many organizations remain susceptible because they’re still not using readily available open standards-based technologies that prevent these fakes from reaching end-user inboxes.
That’s the main conclusion of an exhaustively researched report released today by Valimail, the world's only provider of fully automated email authentication. Valimail’s “Email Fraud Landscape, Q4 2018” indicates that the fight against fake email is advancing around the world — but email fraud remains a widespread and pernicious problem. In fact, the report notes, fake emails were a key driver in the 60 percent jump in business email compromise (BEC) losses in 2018 as reported by the FBI.
The Valimail report — now in its third year — distilled and analyzed proprietary data based on billions of email message authentication requests, along with an analysis of millions of publicly accessible domain name system (DNS) records. It found that many organizations and agencies aren’t implementing basic preventive measures, starting with Domain-based Message Authentication Reporting & Conformance (DMARC) and Sender Policy Framework (SPF) records.
Email authentication standards need more adoption
“Fake emails — primarily email impersonation phishing attempts — continue to proliferate because, unfortunately, they work and are childishly easy to deploy. Executives, employees, and clients continue to click, send confidential information, share IP, and make bank transfers to the bad guys — all because of a lack of basic authentication,” said Alexander García-Tobar, CEO and co-founder of Valimail. “These attacks are absolutely preventable. We therefore applaud those organizations that have implemented email authentication based on open standards such as DMARC — which, when properly configured, can stop the most convincing fake emails dead in their tracks. We urge all domain owners and security leaders to adopt these standards and configure them correctly and completely, as quickly as possible, to ensure their own employees cannot be spoofed by cybercriminals.”
The Valimail report discovered several encouraging signs regarding the adoption of email authentication standards, including:
- 80 percent of all U.S. federal domains have published a DMARC record — up from 50 percent in 2018 (the result of a federal mandate).
- 87 percent of federal domains that deploy DMARC have successfully configured it to enforcement — a standout success rate.
- At least 50 percent of Fortune 500 and large U.S. tech companies have adopted DMARC.
- Nearly 30 percent of healthcare companies are using DMARC — more than double the rate in late 2017.
- Global media entities, NASDAQ-listed companies and global billion-dollar public companies rank the lowest in DMARC enforcement among the 11 categories surveyed.
Email lacks built-in authentication provisions that can authenticate a legitimate sender’s identity. That makes it easy to ‘spoof’ the sender’s address. Without email authentication standards such as DMARC, malicious actors don’t need to compromise accounts to send emails that impersonate friends, coworkers, banks, government agencies and other trusted sources.
DMARC — properly configured — prevents fake emails from reaching inboxes
Popularly known as “spear phishing,” identity deception is used in at least 90 percent of all cyberattacks, according to several sources cited in the Valimail report. The sender uses a fake “from” address, a deceptive domain or a display name that usually impersonates someone else — even the email recipient. When DMARC is configured to quarantine or reject messages that fail authentication, anyone who attempts to send email “as” a DMARC-enforced domain will fail unless that sender has been authorized by the owner of that domain. In other words, the messages won’t reach the intended user inboxes.
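The distinction the report draws between merely publishing a DMARC record and reaching enforcement (a policy of quarantine or reject) can be checked mechanically from the published TXT record. The following Python is an added example written for this page, not Valimail's own tooling or data: it parses the DMARC tags defined in RFC 7489, decides whether a record actually enforces, and computes the enforcement rate over a set of domains. The domain names and records are constructed for illustration; in practice the record is read from the `_dmarc.<domain>` TXT entry in DNS.

```python
"""Classify published DMARC records and measure the enforcement rate across domains.

Illustrative code added to this page; the domains and records below are constructed.
Tag semantics follow RFC 7489: p is the policy for the domain itself, sp (optional)
covers subdomains and defaults to p, pct (optional, default 100) is the percentage of
failing mail to which the policy is applied.
"""
from typing import Dict, List, Optional, Tuple

VALID_POLICIES = {"none", "quarantine", "reject"}
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into a {tag: value} dict.

    Returns None when the text is not a usable DMARC record: the first tag must be
    v=DMARC1 and a p tag must be present (RFC 7489 section 6.3).
    """
    tags: Dict[str, str] = {}
    order: List[str] = []
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def is_enforcing(tags: Dict[str, str]) -> bool:
    """True when the record quarantines or rejects unauthenticated mail.

    p=none only requests reports. A pct of 0 with p=reject is a monitoring record in
    disguise: receivers apply the stated policy to 0 percent of failing messages.
    """
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        return False
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # treat an unparsable pct as the default of 100
    return pct > 0


def enforcement_rate(records: Dict[str, str]) -> Tuple[int, int, float]:
    """Count domains with a valid DMARC record and those at enforcement.

    Returns (with_dmarc, enforcing, enforcing / with_dmarc); the rate is 0.0 when
    no domain in the set has a valid record.
    """
    with_dmarc = 0
    enforcing = 0
    for txt in records.values():
        tags = parse_dmarc(txt)
        if tags is None:
            continue
        with_dmarc += 1
        if is_enforcing(tags):
            enforcing += 1
    rate = enforcing / with_dmarc if with_dmarc else 0.0
    return with_dmarc, enforcing, rate


# Constructed sample: one record per hypothetical domain, as it would appear at _dmarc.<domain>.
SAMPLE_RECORDS: Dict[str, str] = {
    "agency.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@agency.example.gov",
    "bank.example.com": "v=DMARC1; p=quarantine; pct=100; sp=reject",
    "media.example.com": "v=DMARC1; p=none; rua=mailto:reports@media.example.com",
    "retail.example.com": "v=DMARC1; p=reject; pct=0",  # looks enforced, protects nothing
    "startup.example.net": "v=DMARC1; rua=mailto:postmaster@startup.example.net",  # no p tag
}


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        tags = parse_dmarc(txt)
        if tags is None:
            status = "invalid record"
        else:
            status = "enforcing" if is_enforcing(tags) else "monitoring only (p=%s)" % tags["p"]
        print("%-22s %s" % (domain, status))
    with_dmarc, enforcing, rate = enforcement_rate(SAMPLE_RECORDS)
    print("DMARC records: %d, at enforcement: %d, rate: %.0f%%" % (with_dmarc, enforcing, rate * 100))
```

Two of the four valid records in the sample count as enforcing; the `pct=0` record is the case worth watching for when auditing your own domains, since it reads as `p=reject` but leaves the domain as exposed as `p=none`.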
The entire Valimail “Email Fraud Landscape, Q4 2018” report can be accessed here.