Phishing alert: 80% of companies lack DMARC policies to protect against spoofing

Despite being the industry standard for email authentication to prevent cyberattacks, DMARC policies aren't implemented by most companies, according to 250ok.

Why phishing remains a critical cyber-attack vector

Spear phishing emails targeting business users are so well-crafted they should be called "laser" phishing attacks, says Microsoft's Cybersecurity Field CTO Diana Kelley.

DMARC (or Domain-based Message Authentication, Reporting & Conformance) is an email authentication, policy, and reporting protocol designed to better protect domains against fraudulent email. However, nearly 80% of websites have no DMARC policy in place, increasing the odds that their domain will be spoofed and used for phishing attacks on customers, according to 250ok's Global DMARC Adoption 2019 report, released Tuesday. This is particularly concerning because 91% of all cyberattacks begin with a phishing email, the report noted.
 
DMARC is considered the industry standard for email authentication to prevent attacks in which hackers send malicious emails from spoofed (counterfeit) sender addresses, the report said.
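The check behind an adoption figure like the one above is a lookup of the TXT record at `_dmarc.<domain>` and a classification of its `p=` tag. The following is an added example (not code from 250ok or TechRepublic) that parses such records and tallies a constructed set of domains by posture; the function names are my own.

```python
# Added example: classify a domain's DMARC posture from the TXT record(s) that
# DNS returns for _dmarc.<domain>, then tally a survey of domains by posture.
from __future__ import annotations

VALID_POLICIES = ("none", "quarantine", "reject")


def dmarc_query_name(domain: str) -> str:
    """DMARC records are published as DNS TXT at _dmarc.<domain> (RFC 7489)."""
    return "_dmarc." + domain.strip().rstrip(".").lower()


def parse_dmarc(record: str) -> dict[str, str] | None:
    """Split 'v=DMARC1; p=reject; rua=...' into tags; None if not a DMARC record."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # A record must start with v=DMARC1 and carry a p= tag to be usable at all.
    if not record.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        return None
    return tags


def classify_dmarc(txt_records: list[str]) -> str:
    """Return the effective posture: missing, invalid, none, quarantine or reject."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        return "invalid"  # several DMARC records: receivers discard them all
    tags = parse_dmarc(dmarc[0])
    if tags is None or tags["p"].lower() not in VALID_POLICIES:
        return "invalid"
    policy = tags["p"].lower()
    # pct=0 samples no message for the stated policy; RFC 7489 has receivers
    # apply the next less strict policy to unsampled mail, so report that.
    if tags.get("pct", "100").strip() == "0":
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


def adoption_summary(records_by_domain: dict[str, list[str]]) -> dict[str, int]:
    """Tally domains per posture, the way an adoption report tabulates them."""
    counts = {key: 0 for key in ("missing", "invalid", *VALID_POLICIES)}
    for records in records_by_domain.values():
        counts[classify_dmarc(records)] += 1
    return counts
```

Note that `p=none` is monitoring only: receivers still deliver spoofed mail, which is why it is counted apart from the enforcing policies.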


"Given the information available on the risks associated with leaving your domain unprotected, it's shocking the number of brands that still don't understand the importance of DMARC," Matthew Vernhout, director of privacy at 250ok, said in a press release. "Until we reach a place where email receivers require proper authentication on all emails, including DMARC implementation, the onus is on brand leaders to keep their customers and employees safe from phishing."

The report analyzed 25,700 domains across education, ecommerce, the Fortune 500, US government, international nonprofits, financial services, the top 100 law firms, the SaaS 1000, and more.

Of these, Chinese companies were the least likely to adopt any DMARC policy, with 94% of domains having no policy in place, the report found. Nonprofits also overwhelmingly failed to adopt DMARC (91%), despite the fact that they store significant amounts of personal data about donors and volunteers. Similarly, only 23% of Fortune 500 companies have some form of DMARC policy on the books, the report found. The SaaS 1000 was the best non-public vertical surveyed: of the 1,000 domains examined, only 54% lacked a DMARC policy.

For more, check out Why you need to use DMARC and SPF on mail servers to prevent phishing and fraud on TechRepublic. 

Image: iStockphoto/weerapatkiatdumrong

By Alison DeNisco Rayome

Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.