The new report is titled “Email Fraud Landscape: BEC explodes as attackers exploit email’s identity crisis”, and the Valimail analysis surveys the current vulnerabilities impacting on businesses. BEC represents “business email compromise.”
A key risk identified in the report comes from impersonation. The collated date finds that in most industry categories, less than 10 percent of enterprise domains are protected from impersonation, leaving more than 90 percent of companies vulnerable.
Measures are in place to address this. With DMARC (Domain based Message Authentication, Reporting, and Conformance) and related authentication standards, domain owners can publish text files in the Domain Name System (DNS) specifying policies for how mail receivers should handle unauthenticated email that appears to come from their domains.
One continuing concern is, however, that with DMARC, even when it is used, is usually not deployed with an enforcement policy (one that directs mail receivers to keep unauthenticated email out of recipients’ inboxes). Deploying a DMARC record does not automatically confer protection against impersonation.
The report finds there are 850,000 domains worldwide now have DMARC records, which is a five-fold increase since 2016. Yet, less than 17 percent of global DMARC records are at enforcement, meaning fake emails that appear to come from those domains are still arriving in recipients’ inboxes.
In addition, 93 percent of U.S. government DMARC records are at enforcement, compared to less than half of large U.S. tech companies whose DMARC records are at enforcement This means that further efforts need to be enacted by businesses to build robust sender identity solutions to address the identity crisis for email.
Commenting on the report, Alexander García-Tobar, CEO of Valimail states: “The identity crisis of email has never been more apparent. Phishing is implicated in more than 90% of all cyberattacks, and the vast majority of phishing emails leverage impersonation. This is only possible due to email’s lack of robust sender identity validation.”