DMARC adoption: Three in five ASX100 companies at risk of email fraud

What if I told you one of the biggest cybersecurity threats in Australia is cybercriminals impersonating the ASX100 over email? According to the Australian federal government, businesses lost more than $20 million to business email compromise/email fraud scams between 2016 and 2017, up from just $8.6 million the year before. And for many organisations, the road to easing Australian email fraud risk is paved with DMARC (Domain-based Message Authentication, Reporting and Conformance), an email verification system.

DMARC is the passport control of the email security world. It verifies you are who you say you are by properly authenticating senders against established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards. This authentication protects employees, customers, and partners from cybercriminals looking to impersonate a trusted brand.

DMARC adoption across the ASX100 and Australian government

To gauge how quickly the DMARC standard is being adopted in Australia, Proofpoint conducted an in-depth analysis of all ASX100-listed companies and government departments in August 2018. We wanted to get a better idea of how many organisations were on the road to success by adopting this incredibly effective email authentication protocol. Below are our findings:

• 3 in 5 of Australia’s largest organisations (61%) are exposed to email fraud and domain spoofing in particular.
• 39 percent have adopted DMARC and started their deployment to protect their employees, customers and partners from email fraud. However of those, only seven are proactively blocking fraudulent emails spoofing their domain (and are therefore fully DMARC compliant).
• Financial Services are the most targeted vertical: interestingly, our research shows that attack frequency against financial services companies was 32% higher in ANZ than the U.S. and UK in Q218. This is reflected in the sector’s level of maturity when it comes to technology adoption: Of the ASX100 companies that have begun deploying DMARC, 25% are in the financial sector, including 4 of the top 5 commercial banks.
• Largest organisations are leading the way: Looking at the top ten ASX100 companies by market cap: 60% have a DMARC record, showing that the largest enterprises are starting to understand their exposure to email fraud and to drive proactive cybersecurity measures to protect themselves.
• In comparison to their British counterparts (the FTSE100 have a 42% adoption), the top 100 Australia companies are slightly behind. 100% of the FTSE100 banks have deployed DMARC to date, effectively protecting their customers against email fraud.

We also examined the DMARC records across 18 Australian government departments.

• Of the 18 Australian Government departments only seven (39%) have published a DMARC record. This puts the level of adoption between the Australian private and public sector on par with one another.
• However the public sector is behind when it comes to their level of implementation: most deployments are in monitor mode, meaning fraudulent emails are still being delivered to Australia citizens’ inboxes. Notably, only finance.gov.au has achieved full DMARC implementation since the last time we analysed the data back in October 2017.
• Five out of the seven agencies on the DMARC journey are not leveraging a third-party vendor for their implementation and have been stagnant for the last 9 months.

Signs of progress against a backdrop of increased risk

With 80 percent of Australian businesses expecting to fall victim to email fraud in the next 12 months and yet only 43 percent have full visibility into email threats, it is time for Australian businesses and government institutions to take proactive steps.

Our latest quarterly Email Fraud Threat report confirms that email fraud is not going away: the total number of domain spoofing attacks increased 23.5% year-over-year in Q2 2018, attacks that are addressable through DMARC.

While there is clearly more work to be done, it is interesting to note that when it comes to Australia’s top 10 ASX companies by market cap, the DMARC adoption rate jumps from 39% to 60%. This clearly shows that the largest organisations are starting to understand their risk exposure to email fraud and are driving proactive cybersecurity measures to protect themselves.

Proofpoint provides tips on getting started with DMARC, as well as a DMARC email assessment service.

Tim Bentley is APJ vice-president at Proofpoint.