Nearly every company in the Fortune 500 is vulnerable to phishing attacks because they fail to utilize one of the most basic email security features available, according to a recently published report.
Cybersecurity firm Agari found that more than nine out of 10 companies were not making use of the domain-based message authentication, reporting and conformance (DMARC) protocol, which combats phishing attacks that use spoofed email addresses.
DMARC is an email authentication standard that lets a domain owner instruct receiving mail servers to reject messages that claim to come from that domain but cannot be verified as coming from an authorized source. Spoofing the sending domain is a relatively common phishing tactic, in which an attacker makes an email appear to come from a trusted source.
Unfortunately, just 39 of the 500 companies—or about eight percent—listed in the Fortune 500 are currently making use of DMARC, leaving 92 percent of the largest and most profitable organizations in the world at risk of a security breach carried out through phishing emails.
While DMARC is a relatively new protocol—it was created in 2007 as part of a partnership between PayPal and Yahoo—corporations and government organizations have had a decade to implement the standard and have failed to do so.
The risk of falling short of the standard has been made evident time and again. In numerous instances over the past year alone, a single account compromised by a phishing attack led to data, including personal information belonging to millions of users, being exposed.
Phishing attacks, despite their simplicity compared to hacks and other exploits, are still one of the most common methods of attack for threat actors. As many as 91 percent of all data breaches start with a phishing attack, according to recent studies.
The study by Agari didn’t name the offenders who have failed to implement the DMARC protocol, though it did highlight several of the companies who have adopted the standard in a statement to ZDNet.
According to the statement, Amazon, Time Warner, Verizon, Visa and Walmart all mark unauthenticated messages as spam. Adobe, Google parent company Alphabet, Facebook, FedEx, Microsoft, Netflix, PayPal and Yahoo all reject emails outright when the domain they are sent from cannot be verified.
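The two postures described above (marking unauthenticated mail as spam versus rejecting it outright) correspond to the `p=quarantine` and `p=reject` policies a domain owner publishes in its DMARC DNS TXT record; a `p=none` record only asks receivers to report. The following is an added example, not code from the article or from Agari, that parses DMARC records in the RFC 7489 tag syntax and classifies each domain's posture in the article's terms. The domain names and TXT records are constructed samples, and the classification labels are this example's own.

```python
"""Parse DMARC TXT records and classify the sending domain's anti-spoofing posture.

Record syntax follows RFC 7489 ("v=DMARC1; p=reject; ..."). Everything else
here (sample domains, records, and the posture labels) is constructed for
illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample TXT values, keyed by a hypothetical domain.
# None models a domain that publishes no _dmarc record at all.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-dmarc.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc-rua@monitor-only.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-rua@quarantine.example",
    "reject.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "partial-rollout.example": "v=DMARC1; p=reject; pct=10",
    "malformed.example": "v=DMARC1 p=reject",  # missing the ';' separator
}

VALID_POLICIES = ("none", "quarantine", "reject")

# What a receiving mail server does with a message that fails DMARC under each policy.
RECEIVER_ACTION = {
    "none": "deliver normally and only send reports",
    "quarantine": "mark as spam / junk",
    "reject": "refuse delivery outright",
}


@dataclass
class DmarcRecord:
    policy: str            # p= tag: action for the organizational domain
    subdomain_policy: str  # sp= tag, defaulting to p= when absent
    pct: int               # pct= tag: share of failing mail the policy applies to
    tags: Dict[str, str]   # every tag as published, for further inspection


def parse_dmarc(txt: Optional[str]) -> Optional[DmarcRecord]:
    """Return a DmarcRecord, or None if the value is absent or not a valid DMARC record."""
    if txt is None:
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must start with v=DMARC1 and carry a p= tag.
    if not txt.strip().lower().startswith("v=") or tags.get("v") != "DMARC1":
        return None
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return None
    if not 0 <= pct <= 100:
        return None
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in VALID_POLICIES:
        return None
    return DmarcRecord(policy, subdomain_policy, pct, tags)


def assess(txt: Optional[str]) -> str:
    """Classify a domain's posture: 'unprotected', 'monitor-only',
    'partial-<policy>' (pct below 100) or the enforcing policy itself."""
    rec = parse_dmarc(txt)
    if rec is None:
        return "unprotected"      # no record, or one receivers cannot parse
    if rec.policy == "none":
        return "monitor-only"     # spoofed mail is still delivered
    if rec.pct < 100:
        return f"partial-{rec.policy}"
    return rec.policy


def assess_all(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify every sample domain; used by the demo below."""
    return {domain: assess(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, posture in assess_all(SAMPLE_RECORDS).items():
        action = RECEIVER_ACTION.get(posture.removeprefix("partial-"), "no DMARC action")
        print(f"{domain:28} {posture:18} receivers will: {action}")
```

Only the `quarantine` and `reject` results give a domain the protection the article describes; `monitor-only` and `partial-*` records are common during rollout but leave spoofed mail reaching inboxes. A real check would fetch the `_dmarc.<domain>` TXT record over DNS and feed it to `assess`.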
Large companies are not the only ones failing to use DMARC. Sen. Ron Wyden, D-OR, criticized the U.S. Department of Homeland Security earlier this year for not implementing DMARC. Despite this, DHS has yet to take action to start using the protocol.
“It is unconscionable that only eight percent of the Fortune 500, and even fewer government organizations, are protecting the public against domain name spoofing,” Patrick Peterson, Agari’s executive chairman, said in a statement. “Phishing and other forms of digital deception are preventable, and the first step is for our largest companies and organizations to deploy DMARC, a highly-effective open standard.”
Shehzad Mirza, the director of operations for the Global Cyber Alliance (GCA), said, “DMARC is an essential tool that helps prevent spam, phishing and data loss. GCA urges organizations of all sizes to embrace this technology standard to eliminate direct domain spoofing.”