A new study by 250ok has revealed that 87.6 percent of the root domains operated by top e-retailers in the United States and European Union are putting their brands and consumers at risk of phishing attacks.
SPF and DMARC
Phishing and spoofing attacks against consumers are most likely when companies do not have a published Sender Policy Framework (SPF) record or Domain-based Message Authentication, Reporting and Conformance (DMARC) policy properly in place. SPF is an email validation system that detects spoofing, in which a third party disguises itself as a particular sender by using a counterfeit sender address. DMARC is considered the industry standard for email validation to prevent such attacks.
Lack of security can lead to abuse
The report, which analyzed 3,300 domains of the top 1,000 US internet retailers and top 500 EU internet retailers by revenue, reveals that the majority of retailers currently use some level of email authentication on their domains. However, many are inconsistent in their approach across all the domains they control.
Only 11.3 percent of top US retailer domains and 12.2 percent of top EU retailer domains meet 250ok’s recommended minimum protocol for the email channel:
- Publish SPF records for all domains
- Ensure SPF records are valid and without errors
- Publish a DMARC policy for all domains
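As an added example (not code from the 250ok report), the following Python applies those three checks to a domain's TXT records: SPF published, SPF syntactically valid (one record, known terms, a terminal `all` or `redirect`, and no more than the ten DNS-querying terms RFC 7208 allows), and a DMARC policy published. The domain names and TXT data are constructed for illustration; `lookup` is a hypothetical stand-in for a DNS resolver.

```python
import re

# Constructed sample TXT data for hypothetical domains (not from the 250ok study).
SAMPLE_TXT = {
    "shop.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.shop.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop.example"],
    "deals.example": ["v=spf1 include:a.example ~all", "v=spf1 ip4:203.0.113.0/24 -all"],
    "promo.example": [],
}

SPF_MECH = re.compile(r"^[+\-~?]?(all|include|a|mx|ptr|ip4|ip6|exists)(?::.*)?$")
SPF_MOD = re.compile(r"^(redirect|exp)=.+$")
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # terms that cost a DNS query

def check_spf(txt_records):
    """Return (published, valid, reasons) for one domain's TXT record set."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return False, False, ["no SPF record"]
    reasons = []
    if len(spf) > 1:  # RFC 7208: more than one SPF record is a permanent error
        reasons.append("multiple SPF records")
    terms = spf[0].lower().split()[1:]
    lookups = 0
    for t in terms:
        if SPF_MOD.match(t):
            lookups += t.startswith("redirect=")  # redirect= also costs a lookup
        elif SPF_MECH.match(t):
            lookups += t.lstrip("+-~?").split(":", 1)[0] in LOOKUP_TERMS
        else:
            reasons.append(f"unknown term {t!r}")
    if lookups > 10:  # RFC 7208 limit; exceeding it yields permerror at receivers
        reasons.append("more than 10 DNS lookups")
    if not any(t.lstrip("+-~?") == "all" or t.startswith("redirect=") for t in terms):
        reasons.append("no terminal 'all' or redirect")
    return True, not reasons, reasons

def check_dmarc(txt_records):
    """Return the published DMARC policy (the p= tag) or None if none is published."""
    for r in txt_records:
        tags = dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
        if tags.get("v", "").upper() == "DMARC1" and tags.get("p") in ("none", "quarantine", "reject"):
            return tags["p"]
    return None

def assess(domain, lookup=SAMPLE_TXT.get):
    """Apply the three minimum checks; lookup(name, default) returns a name's TXT records."""
    published, valid, reasons = check_spf(lookup(domain, []))
    policy = check_dmarc(lookup("_dmarc." + domain, []))
    return {"spf_published": published, "spf_valid": valid, "spf_issues": reasons,
            "dmarc_policy": policy, "meets_minimum": published and valid and policy is not None}
```

A `p=none` policy counts as published here, matching the checklist, but it only reports and does not block spoofed mail.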
“By failing to publish basic authentication records like SPF and a DMARC record for all of the domains they operate, retailers are blind to the potential abuse of their brands’ domain names,” said Matthew Vernhout, director of privacy at 250ok. “It leaves both the brand and the consumer unnecessarily exposed to phishing attacks that damage brand trust.”
The value of protection
A 2017 study from the Anti-Phishing Working Group reported that an average of 443 brands per month were targeted for phishing attacks in the first half of 2017, up from 413 per month during the same period in the previous year. These attacks are a threat to brand trust as 91 percent of all cyber attacks begin with a phishing email.
“Time and again, we see that phishing is among the most common cyber risks. DMARC protects both consumers and businesses from some of the worst types of phishing,” says Global Cyber Alliance Director of Operations, Shehzad Mirza. “The value of the protection is such that both the UK and U.S. governments have mandated their respective government domains to implement DMARC. We urge all governments and businesses to do the same.”