One in five email messages landing in inboxes come from unauthorized senders, according to a new study by ValiMail. And companies are failing to protect themselves with proper use of Domain-based Message Authentication, Reporting & Conformance (DMARC).
The study reports that only 0.5% of the top million domains have protected themselves from impersonation through email authentication. That leaves 99.5% that are vulnerable.
In addition, many suffer from incorrect DMARC deployments. ValiMail found that 77% of domains that have deployed DMARC are unprotected, either because of misconfiguration or because they set a permissive DMARC policy.
The result is that only 15% to 25% of firms that attempt to deploy DMARC succeed in protecting themselves from fraud.
“Email has been weaponized by hackers as the leading way to infiltrate networks, and the vast majority of businesses are leaving themselves vulnerable by either incorrectly configuring their authentication systems or forgoing protection entirely,” states Alexander García-Tobar, CEO and co-founder of ValiMail.
He continues: “Businesses are asking their employees to complete an impossible task: identifying who is real and who is an impersonator, by closely examining every message in their inboxes.”
The solution is for companies to “take control of their email security at the technology level and stop placing the onus on employees to prevent phishing attacks,” García-Tobar concludes.
ValiMail also states that only 38% of the top government agencies have DMARC records and 14% have reject/quarantine enforcement. The Department of Homeland Security has set a deadline of January 14, 2018, for DMARC implementation by federal agencies.
Shehzad Mirza, director of operations for the Global Cyber Alliance, adds that “these findings highlight that a lack of email authentication is the most prevalent security vulnerability companies face.”
The announcement by ValiMail does not specify study methodology.