Global fight against fake email intensifies
Fake email is at the heart of cybersecurity risk — yet many companies are still not using the well-documented, open, standards-based technologies that could protect them.
A quick look at the stats will reveal just how critical this is. Fake email lies behind the 60 percent jump in business email compromise (BEC) losses in 2018 reported by the FBI. It’s behind the wave of fake GDPR privacy notifications in the past year. It’s the technique used in as much as two-thirds of all phishing attacks — and phishing, as you’ve no doubt heard from multiple sources, is involved in over 90 percent of all cyberattacks.
In other words, fake email is not just a nuisance — it’s a serious problem.
To measure the impact of this threat, and to assess the world’s progress in using countermeasures such as email authentication, Valimail examined the DMARC records published by thousands of companies worldwide, grouped into 11 different categories. Our research program is now in its third year, and for most of these categories we now have data covering well over a year.
Steady Growth in DMARC
The picture that emerges is clear: The use of email authentication is growing steadily in every industry sector — and much more rapidly in the federal government, where its use was mandated by an October 2017 directive from the Department of Homeland Security called BOD 18-01.
The federal government is also an outlier when it comes to the second critical component of the solution: Configuring DMARC to a policy of enforcement. Among federal domains that have DMARC records, 87 percent specify an enforcement policy.
Enforcement is where the rubber meets the road: It is only with an enforcement policy that a domain is actually protected from fake email. Unfortunately, outside of the federal government, the effectiveness rate at getting DMARC policies to enforcement remains disturbingly low.
Across many industry sectors we see a consistent enforcement rate of around 20 percent. In other words, out of every five domains deploying a DMARC record, only one will get to a policy that protects the domain from impersonation.
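To make the distinction between "publishing a DMARC record" and "reaching an enforcement policy" concrete, here is an added Python example (not Valimail's code or research methodology) that parses constructed DMARC TXT records for hypothetical domains, classifies each as missing, monitoring-only, partial, or full enforcement, and computes the enforcement rate the article refers to. It also handles the `pct` tag, which the article does not mention: a `p=reject` record with `pct=10` applies the policy to only a tenth of failing mail, so it is not counted as full enforcement here.

```python
from typing import Optional

# Constructed sample of DMARC TXT records as they would be fetched from
# _dmarc.<domain>. Domains and records are hypothetical, not from the report.
SAMPLE_RECORDS = {
    "example-bank.test":   "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test",
    "example-agency.test": "v=DMARC1; p=quarantine; pct=100; rua=mailto:r@example-agency.test",
    "example-retail.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-retail.test",
    "example-health.test": "v=DMARC1;p=quarantine;pct=10;rua=mailto:d@example-health.test",
    "example-media.test":  "v=spf1 include:_spf.example.test ~all",  # SPF, not DMARC
}


def parse_dmarc(record: str) -> Optional[dict]:
    """Split a DMARC TXT record into tag=value pairs; None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(record: str) -> str:
    """Return 'missing', 'monitor', 'partial' or 'enforcement' for one record."""
    tags = parse_dmarc(record)
    if tags is None or "p" not in tags:
        return "missing"        # no usable DMARC record: receivers ignore it
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"        # reports only; spoofed mail is still delivered
    if policy in ("quarantine", "reject"):
        pct_raw = tags.get("pct", "100")
        pct = int(pct_raw) if pct_raw.isdigit() else 100   # RFC default is 100
        return "enforcement" if pct >= 100 else "partial"
    return "missing"            # unknown policy value, treated as no policy


def enforcement_rate(records: dict) -> float:
    """Share of domains that have a DMARC record and reach full enforcement."""
    classes = [classify(r) for r in records.values()]
    with_dmarc = [c for c in classes if c != "missing"]
    if not with_dmarc:
        return 0.0
    return with_dmarc.count("enforcement") / len(with_dmarc)
```

On the constructed sample, four of the five domains have a DMARC record but only two reach full enforcement, an enforcement rate of 0.5.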