Financial companies are now major targets for business email compromise (BEC) and phishing attacks, according to Stopping Email Fraud In Finance And Insurance, a study by Valimail.
Valimail saw 2.5 million attempts to impersonate financial companies via fake email messages in a single month.
In March, the period of the study, the overall rate of suspicious email was 2% of total global email volume. But impersonation emails sometimes comprise 20%.
Yet only 8.1% of global banking, financial services and insurance companies protect themselves with DMARC (Domain-based Message Authentication, Reporting, and Conformance) enforcement. But 34% are on the way to doing so.
Those with DMARC include 6.5% of privately held finance companies and 10.7% of publicly traded firms. However, only 19% of those that have DMARC have reached the enforcement level.
At the same time, 78.6% have valid SPF (Sender Policy Framework) protection. In contrast, 14.1% have invalid SPF and 7.3% have none.
DMARC and SPF are widely used standards for protecting companies from phishing.
Why worry about BEC scams? “When successful, such attacks create potential financial and legal liability for the financial institutions targeted and/or impersonated, and they also damage these companies’ brands,” the study says.
Valimail says finance companies with DMARC records have average annual revenue of $7.27 billion, compared with $4.69 billion for those without DMARC.
On a percentage basis, Australia is the leader in DMARC usage: 68% of companies there have it. India and Malaysia also lead the way. But only 46% of U.S. companies have DMARC. On the low end are China (where 11% use DMARC) and Germany (14%).
The leading sources of phishing emails are the U.S., Russia, Vietnam and Indonesia.
Valimail examined the primary domains of 1,165 financial services, banking, and insurance companies with revenues over $500 million annually.
Included were 605 companies in the U.S., 95 in the UK and 68 in Canada.