Phishing emails are one of the most basic attack vectors for hackers. For example, Proofpoint revealed how hackers are targeting restaurant chains by using simple phishing emails to deliver complex malware. And then there is the warning from the IRS about a phishing scam that spoofs the emails of company executives requesting W2 forms. Finally, CSO warned that phishing emails looking for password information are a top cyberattack almost everyone will face at some time.
I’m sure you have your own phishing email story. It’s such a ubiquitous attack style that I don’t know of anyone who has been able to avoid them. That’s why recent research from Agari is so surprising. The Agari research finds that 92 percent of U.S. Fortune 500 companies have left their customers, partners and brand names vulnerable to domain name spoofing, one of the most common digital deception attack vectors. Despite the ever-present threat of phishing emails – and the more sophisticated and highly targeted spearphishing and whaling emails – the vast majority of organizations are too slow to adopt an email authentication standard called Domain-based Message Authentication, Reporting and Conformance (DMARC), leading Patrick Peterson, founder and executive chairman of Agari, to say in a formal statement:
It is unconscionable that only eight percent of the Fortune 500, and even fewer government organizations, are protecting the public against domain name spoofing. Phishing and other forms of digital deception are preventable, and the first step is for our largest companies and organizations to deploy DMARC, a highly-effective open standard.
DMARC lets receiving mail servers check whether a message claiming to come from a domain is authentic and tells them what to do when it is not, which decreases the ability of a hacker to spoof anyone within that organization. Yet, according to the report, only 8 percent of the companies in the Fortune 500 are enforcing DMARC with a quarantine or reject policy, while 24 percent have adopted a minimal DMARC policy that monitors, but does not prevent, domain name spoofing.
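As an added illustration (not part of the original article), the following Python script sorts a domain's DMARC TXT record into the buckets the report describes: monitor-only (p=none) versus enforcing (p=quarantine or p=reject). The domain names and records are constructed samples, not real DNS data.

```python
"""Classify DMARC TXT records into the buckets the report distinguishes:
monitor-only (p=none) versus enforcing (p=quarantine/reject).
Sample records are constructed for illustration; a real check would
fetch the TXT record at _dmarc.<domain> over DNS."""
from typing import Optional

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def classify_dmarc(record: Optional[str]) -> str:
    """Return 'missing', 'invalid', 'monitor', 'partial' or 'enforcing'."""
    if not record:
        return "missing"
    tags = parse_dmarc(record)
    # RFC 7489: the record must carry v=DMARC1 and a valid p= tag, else it is ignored
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in VALID_POLICIES:
        return "invalid"
    if tags["p"].lower() == "none":
        return "monitor"      # receivers only send reports; spoofed mail is still delivered
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"      # policy applied to only a sample of failing mail
    if tags.get("sp", "").lower() == "none":
        return "partial"      # subdomains explicitly left unprotected
    return "enforcing"

SAMPLE_RECORDS = {  # constructed samples, not real domains' DNS data
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "enforce.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforce.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",
    "nothing.example": None,
}

def summarize(records: dict) -> dict:
    """Count domains per bucket, like the report's percentage breakdown."""
    counts: dict = {}
    for cls in map(classify_dmarc, records.values()):
        counts[cls] = counts.get(cls, 0) + 1
    return counts
```

Running `summarize` over records pulled from DNS for your own domains shows at a glance which ones only monitor and which actually reject spoofed mail.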
And before you think that only enterprises are ignoring this basic form of phishing protection, ZDNet reported that the government has its problems, too:
Even government departments, like Homeland Security -- charged with protecting the US cyberspace -- don't use the email validation system. Sen. Ron Wyden (D-OR) criticized the department's policy in July, calling an implementation of DMARC "a no-brainer that increases cybersecurity without sacrificing liberty." A month later, Homeland Security still hasn't rolled out DMARC.
The report doesn’t look at SMBs, as it targeted Fortune 500 companies, but I’d be willing to guess that if large corporations aren’t implementing DMARC, SMBs are also lagging behind. I agree with the observation of Shehzad Mirza, director of operations at the Global Cyber Alliance, who said in a formal statement:
DMARC is an essential tool that helps prevent spam, phishing and data loss. GCA urges organizations of all sizes to embrace this technology standard to eliminate direct domain spoofing.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba