Leading retailers are wide open to domain-theft phishing attacks, according to "Top Retailers Remain Vulnerable To Email Brand Spoofing," a study released Thursday by Valimail.
Only 22% of the top 100 retailers listed by the National Retail Federation are protected by DMARC (Domain-based Message Authentication, Reporting and Conformance), the standard email protection tool.
Another 52% have valid DMARC but are not enforcing it, 22% have no DMARC, while 4% have invalid DMARC.
There are consequences — of the retailers breached in 2018-19, 63% had DMARC but were not protected and 26% had no DMARC records. Only 11% of those with DMARC enforcement were breached.
On a more positive note, 87% have valid SPF (Sender Policy Framework), whereas the remainder have invalid SPF or none.
The most protected category is Health, Wellness and Fitness, with 33%. Second is Retail eCommerce, with 27%.
Note: These subcategories have so few firms in them that they may not be statistically projectable. However, Retail, which represents 42% of the top 100, has a 17% protection rate.
Food & Beverages retailers have a 14% rate of protection, and restaurants have only 2%.
Firms that had $58.4 billion in revenue in 2019 are most likely to have DMARC with enforcement.
Companies with $28.7 billion in revenue last year have DMARC without enforcement, and those with $13.7 billion have no DMARC records.