Almost all (97%, according to a new report) FTSE 250 companies do not use the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, which blocks the sender-domain spoofing behind many phishing scams.
According to the report, from Cyber Security Partners (CSP), just 17 companies in the FTSE 250 publish a DMARC record. DMARC lets a domain owner tell receiving mail servers how to check that a message genuinely came from its domain (by requiring an SPF or DKIM result that aligns with the From: address), what to do with messages that fail that check, and where to send reports about them. It therefore helps stop the spoofed emails used in scams that steal customer passwords, bank account details, credit card numbers and more.
Moreover, only six of the 17 have set their DMARC policy to quarantine or reject spoofed messages. The rest run DMARC in monitor-only mode (p=none), which reports on spoofing attempts but still lets the messages through, leaving customers exposed to being targeted.
Stuart Robb, CEO and founder of CSP, said that until now companies have been getting away with providing sub-par protection for their customers, a trend that has to change.
“Giving advice is an easy option but it’s as a result of this lax approach that millions of UK consumers are being put at unnecessary risk of cyber-attacks,” he argued. “We strongly believe that if businesses wish to use email as a channel for communication with consumers, it is their inherent duty to protect customers against the increasing threat of phishing.”
Luis Corrons, PandaLabs Technical Director at Panda Security, believes that although more and more spam and phishing campaigns no longer bother to spoof the sender's domain, the more layers of protection a company can apply, the better.
“If DMARC wasn’t there those kinds of attacks would be way more prevalent. As it is implemented in a number of important companies (Google as a starter…) cyber-criminals won’t risk their phishing campaigns to be blocked.”
However, David Harley, Senior Research Fellow at ESET, advises customers not to panic, noting that while DMARC has its uses, companies have several “other ways of evaluating potentially spammy/scammy messages” at their disposal.
He told Infosecurity:
“If they [companies that don’t use DMARC] prefer to avoid the administrative overhead and the problems it can raise with mailing lists and distribution groups, for instance, that’s a judgment call that may make sense to someone knowing more about what measures are being taken by individual companies.”
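To make concrete what the policy settings discussed above (monitor-only versus quarantine/reject) and the mailing-list problem Harley raises actually mean on the receiving side, here is an added example, written for this article rather than taken from the CSP report or any vendor quoted in it. It parses a DMARC TXT record in the RFC 7489 tag=value syntax, checks whether the SPF and DKIM results align with the From: domain, and returns the disposition a receiver would apply. All domain names, records and authentication results below are constructed for illustration; the organizational-domain helper is a deliberate simplification (real receivers consult the Public Suffix List) and the pct= sampling tag is parsed but not applied.

```python
"""Evaluate a DMARC record against SPF/DKIM results the way a receiver would.

Added example (not from the article or the CSP report). Domains, records and
results are constructed; org_domain() is simplified and pct= is not applied.
"""
from dataclasses import dataclass

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tags.

    Raises ValueError if the record lacks v=DMARC1, lacks p=, or has a
    malformed tag or an unknown policy value. Missing alignment tags
    default to relaxed ('r'), as RFC 7489 specifies.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and a p= policy")
    if tags["p"].lower() not in VALID_POLICIES:
        raise ValueError(f"unknown policy {tags['p']!r}")
    tags["p"] = tags["p"].lower()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Real receivers use the Public Suffix List so that e.g. 'bank.co.uk' is
    treated as an organizational domain; two labels suffice for the
    constructed examples here.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode.lower() == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResult:
    """Authentication results a receiver has in hand for one message."""
    from_domain: str   # domain in the RFC5322 From: header (what the user sees)
    spf_pass: bool
    spf_domain: str    # domain SPF was evaluated for (MAIL FROM / HELO)
    dkim_pass: bool
    dkim_domain: str   # d= of a signature that verified ("" if none)


def dmarc_disposition(record: str, result: AuthResult) -> str:
    """Return 'pass', or the record's policy ('none', 'quarantine', 'reject')
    when neither SPF nor DKIM both passes and aligns with the From: domain."""
    policy = parse_dmarc(record)
    spf_ok = result.spf_pass and aligned(
        result.spf_domain, result.from_domain, policy["aspf"])
    dkim_ok = (result.dkim_pass and bool(result.dkim_domain)
               and aligned(result.dkim_domain, result.from_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    # 'none' means deliver anyway and only report; the other two enforce.
    return policy["p"]


if __name__ == "__main__":
    # Attacker spoofs bank.example in From:, sends from their own domain
    # with a valid SPF record for it and no DKIM signature for bank.example.
    spoof = AuthResult("bank.example", True, "phish.example", False, "")
    # Legitimate message relayed by a mailing list: SPF now passes for the
    # list's domain and the list's subject-line edit broke the DKIM signature.
    via_list = AuthResult("bank.example", True, "lists.example", False, "")
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        print(rec, "spoof ->", dmarc_disposition(rec, spoof),
              "| via list ->", dmarc_disposition(rec, via_list))
```

The spoofed message and the list-relayed message get the same disposition under every policy, which is exactly the trade-off behind Harley's remark: a domain that moves from p=none to p=reject stops look-alike spoofing, but any of its legitimate mail that passes through a list or forwarder that rewrites the message and breaks the DKIM signature is rejected too, unless the list rewrites the From: header or preserves the signature.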