A joint research study by Agari and Farsight Security, published this month, shows that almost every domain is vulnerable to phishing and domain name spoofing because of the failure to adopt the Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication standard.
Globally, fewer than 1% of domains are protected by DMARC, which helps domain owners prevent abuse of their brands. An analysis of Agari Email Threat Center data shows 90% of its customers have been targeted by fraudsters who have attempted to hijack their brands using domain spoofing to conduct phishing attacks.
Research conducted in August last year by Agari showed 92% of Fortune 500 firms had yet to implement DMARC. Adoption of the email authentication standard was particularly poor in healthcare and by government agencies. Agari reports that the healthcare industry has the lowest level of DMARC adoption of all verticals, with the government in second place.
The poor rate of adoption and the volume of domain spoofing incidents prompted the Department of Homeland Security to issue a Binding Operational Directive requiring all government agencies to implement DMARC in 2018. Members of the healthcare cyber security forum NH-ISAC also pledged to implement DMARC to protect their domains – and patients – from domain spoofing attacks.
Adoption of DMARC has increased across all industries, although the process is taking some time and the majority of domains are still unprotected. Further, of the companies that have implemented DMARC, only 27% are enforcing it. Among Agari's customers, 99% of retail organizations, 95% of tech firms, and 89% of finance firms have achieved much higher protection rates, the company says.
While the spoofing of government domains has been rife, it is the healthcare industry that is most targeted by domain name spoofing. Agari reports that an astonishing 58% of all email messages sent on behalf of healthcare organizations are unauthorized or malicious. The failure to implement and enforce DMARC is having a major negative impact on brand trust.