A full 87.6% of the root domains operated by top e-retailers in the United States and the European Union are putting their brands and consumers at risk for phishing attacks by not implementing email security policies, like DMARC or the Sender Policy Framework (SPF), which detects sender-spoofing attempts.
According to analysis from 250ok of 3,300 domains of the top 1,000 US internet retailers and top 500 EU internet retailers by revenue, the majority of retailers do use some level of email authentication on their domains. However, many are inconsistent in their approach across all the domains they control. Only 11.3% of top US retailer and 12.2% of top EU retailer domains meet 250ok’s recommended minimum protocol for the email channel. That consists of publishing SPF records for all domains, ensuring that SPF records are valid and without errors, and publishing a DMARC policy for all domains.
“By failing to publish basic authentication records like SPF and a DMARC record for all of the domains they operate, retailers are blind to the potential abuse of their brands’ domain names,” said Matthew Vernhout, director of privacy at 250ok. “It leaves both the brand and the consumer unnecessarily exposed to phishing attacks that damage brand trust.”
A 2017 study from the Anti-Phishing Working Group reported that an average of 443 brands per month were targeted for phishing attacks in the first half of 2017, up from 413 per month during the same period in the previous year. These attacks are a threat to brand trust, as 91% of all cyber-attacks begin with a phishing email.
"Time and again, we see that phishing is among the most common cyber-risks. DMARC protects both consumers and businesses from some of the worst types of phishing," said Global Cyber Alliance director of operations Shehzad Mirza. "The value of the protection is such that both the UK and US governments have mandated their respective government domains to implement DMARC. We urge all governments and businesses to do the same."
“This is a moment in time where we have the opportunity to make a real impact on the security of consumers and brands,” said Greg Kraios, 250ok CEO.