On July 21st, 2017, Agari analyzed Fortune 500 companies to determine their corporate domains and industry sectors. This list of domains was surveyed through the Agari DMARC Record tool to determine if the domain had deployed a DMARC record in its DNS – and if so, what its policy was.
More than 90 percent of the Fortune 500 are vulnerable to identity deception, leaving their customers, employees and brand name exposed to fraud. The Fortune 500 are the largest, most well-known and most trusted companies in the United States. Unfortunately, DMARC adoption is dangerously low within the Fortune 500, enabling malicious actors to abuse that trust and leaving corporations unprepared to prevent it.
More than two-thirds of the Fortune 500 (337 companies) do not have a DMARC record on their corporate domain. Of the remaining third, 124 companies have a None policy, which monitors for DMARC abuse, but does not prevent it. Fewer than 10 percent of the Fortune 500 have deployed a DMARC policy to prevent identity deception; 15 companies (three percent) have a Quarantine policy and 24 companies (five percent) have a Reject policy.
The full list of DMARC adoption by industry sector follows, along with a per-sector percentage breakdown:
Certainly, it is interesting to note that business services, financials, technology and transportation have a majority adoption rate; these are seemingly the sectors most likely to be targeted by phishing attacks. Business services include payment processors and credit card companies, which are frequently spoofed in phishing campaigns. The same can be said for financials, such as banks and stock portfolios. Technology companies are a logical early adopter of new technology. Finally, transportation includes both shipping and airlines, which are both frequently spoofed to deliver malicious attachments disguised as tracking numbers and reservations.
It may seem these corporations are aware of the threat of digital deception and have taken appropriate counter-measures. However, even among these early adopters, the majority of their deployments are “p=none,” which does nothing to prevent these attacks. DMARC adoption is of little use unless organizations move to a Quarantine or Reject policy.
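As an added illustration of the classification this survey applies (this is example code, not Agari's DMARC Record tool), the following Python reads a domain's `_dmarc` TXT record the way a receiving mail server would and sorts the domain into the report's categories: no record, None, Quarantine or Reject. The domains and records are constructed samples; in practice the text would come from a DNS TXT lookup of `_dmarc.<domain>`.

```python
from typing import Dict, Optional

# Constructed sample of what a DNS TXT lookup of _dmarc.<domain> might return
# for hypothetical domains (None = no record published at all).
SAMPLE_DMARC_TXT = {
    "no-record.example":  None,
    "monitor.example":    "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:d@quarantine.example",
    "reject.example":     "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "spf-only.example":   "v=spf1 include:_spf.example -all",  # SPF record, not DMARC
    "partial.example":    "v=DMARC1; p=reject; pct=10",        # enforced on 10% of mail only
    "rua-only.example":   "v=DMARC1; rua=mailto:dmarc@rua-only.example",  # no p= tag
}

def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into tag=value pairs; None unless it starts with v=DMARC1."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    return tags

def classify(txt: Optional[str]) -> str:
    """Map one domain's record to the survey's categories:
    'missing', 'none', 'quarantine' or 'reject'."""
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"               # receivers ignore a record without v=DMARC1
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 s6.6.3: no valid p= but a rua= present is treated as p=none
        return "none" if "rua" in tags else "missing"
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        return f"{policy} (pct={pct})"  # only a fraction of failing mail is acted on
    return policy

def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per category, as in the per-sector tables of this report."""
    counts: Dict[str, int] = {}
    for txt in records.values():
        counts[classify(txt)] = counts.get(classify(txt), 0) + 1
    return counts
```

Only the Quarantine and Reject rows in the resulting counts represent domains on which a receiver will actually act; a `p=none` record, or a Reject policy with `pct` below 100, still lets most spoofed mail through.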
Analysis into DMARC adoption by the US Government falls outside the scope of this research, but bears mention because of a recent letter to the Department of Homeland Security by Senator Ron Wyden. In the letter, Senator Wyden notes:
“Industry-standard technologies exist, and are already used throughout the private sector and even by a few federal agencies, which, if enabled, would make it significantly harder for fraudsters and foreign governments to impersonate federal agencies.”
Senator Wyden is referring to DMARC, writing in his letter:
“Other federal cybersecurity leaders such as the National Institute for Standards and Technology (NIST) and the Federal Trade Commission (FTC) strongly recommend DMARC. A few federal agencies, including the FTC, the Federal Deposit Insurance Corporation, and the Social Security Administration have taken the initiative by enabling DMARC. Moreover, they have configured it in the most strict “reject” mode so that email service providers can automatically reject phishing emails impersonating their agency. Unfortunately, most agencies, including DHS, have still not enabled DMARC or configured it in the strongest setting.”
The Financial Times Stock Exchange 100 Index, more commonly known as the FTSE 100, is a share index of the top 100 companies listed on the London Stock Exchange (LSE) and is seen as the ‘go-to’ reference for those seeking an indication on the performance of the major companies listed in the United Kingdom.
Adopting the same methodology as the Fortune 500 analysis reveals that, as in the US, more than two-thirds (67 percent) of the top 100 UK listed companies do not have a DMARC record for their corporate domain. The lack of a DMARC implementation exposes the business not only to the potential for fraud but also to a data breach, and to all the public reputational and financial penalties associated with an incident, while simultaneously eroding the faith that employees and customers have in the brand.
Of the remaining 33 companies, only six have implemented a DMARC Reject policy. Twenty-six of the organizations have a None policy in place, which monitors for abuse, but does not prevent it.
The pharmaceutical industry sector has the highest adoption rate at 100 percent (although they are all still in DMARC Monitor mode), followed by financial services at 42 percent, energy & utilities at 38 percent and retail and telecommunications both at 33 percent. However, financial services has both the most overall companies with a DMARC record and the most at Reject.
The full list of DMARC adoption by industry sector follows:
The majority of industry sectors with a high adoption rate are those with large consumer customer bases, which are frequently spoofed in phishing campaigns. This indicates that these companies have taken proactive steps to counteract the increasing threat of identity deception.
Enterprises (and the US Government) could look to the UK Government for the positive and forward-thinking move it has taken toward improving security for both the UK government and its citizens. As of October 1, 2016, the UK’s Government Digital Services (GDS), a part of the Cabinet Office, mandated that all central Government departments adopt DMARC as standard for all services using the .gov.uk domain.
During the Chancellor of the Exchequer’s National Cyber Security Strategy announcement in November 2016, he referenced one case of more than 50,000 fraudulent emails from an account named “taxrefund.gov.uk” which were being sent to the unsuspecting British public daily. This spoofed domain has now been shut down thanks to the use of the DMARC protocol.
The same effect can be achieved across enterprises.
The ASX 100 is Australia’s stock market index, representing its top 100 large and mid-cap securities.
Almost three-quarters (73 percent) of the ASX 100 companies do not have a DMARC record in place for their corporate domain. This represents a higher proportion of Australian companies that have not sought to adopt any level of email authentication protocols through DMARC compared to both the US and the UK.
Of the remaining 27 companies, 23 have taken the first step in implementing DMARC by setting up the None policy. Just three organizations have adopted a Reject policy, meaning that emails that fail DMARC authentication are not delivered to the intended email inbox.
The information technology sector has the highest adoption rate at 100 percent (although they are all still in DMARC Monitor mode), followed by consumer staples at 40 percent and financial services at 35 percent, while consumer discretionary has 27 percent adoption.
The full list of DMARC adoption by industry sector follows:
Similar to the UK, the majority of industry sectors with a high adoption rate are those with large consumer customer bases, which are frequently spoofed in phishing campaigns. With just over a quarter of Australian businesses having taken, at a minimum, the first step in adopting DMARC to combat the threat of identity deception, it is evident that a high level of education still needs to be undertaken in this market.