Study: Half Of Forbes 2000 Brands Fail To Use DMARC

Forbes 2000 brands are dangerously unprotected from phishing and hijacking, with 81% failing to use registry locks for their domains, according to Domain Security Report: Forbes Global 2000 Companies, a study released Tuesday by domain protection firm CSC. 

Only 50% utilize a DMARC (Domain-based Message Authentication, Reporting and Conformance) record, the standard email authentication method.
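The study counts whether a DMARC record is published at all; whether that record actually enforces a policy is a separate question. The Python below is an added example (not part of the CSC report or its tooling) that parses a published DMARC TXT record and flags monitoring-only, partial or malformed policies; the record strings are constructed samples.

```python
"""Parse and assess a DMARC TXT record (added example; sample records are constructed)."""

# Constructed sample records for illustration; they are not taken from the study.
SAMPLE_RECORDS = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "monitoring_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "malformed": "p=reject; v=DMARC1",  # v= must be the first tag (RFC 7489 s.6.3)
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, lower-casing tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return whether the record is valid, its policy, whether it enforces, and warnings."""
    tags = parse_dmarc(record)
    # Receivers ignore the whole record unless v=DMARC1 is the first tag.
    if record.split(";", 1)[0].strip().lower() != "v=dmarc1":
        return {"valid": False, "policy": None, "enforcing": False,
                "warnings": ["v=DMARC1 must be the first tag"]}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"valid": False, "policy": policy or None, "enforcing": False,
                "warnings": ["missing or invalid p= tag"]}
    warnings = []
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100  # pct defaults to 100
    if policy == "none":
        warnings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        warnings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        warnings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        warnings.append("no rua= address: no aggregate reports, so abuse goes unseen")
    return {"valid": True, "policy": policy,
            "enforcing": policy != "none" and pct == 100, "warnings": warnings}
```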

And 57% utilize off-the-shelf consumer-grade registrars, which offer limited domain security mechanisms.

In addition, 70% of homoglyph (fuzzy match) domains typically used in phishing and brand abuse are owned by third parties.

Basic domain security measures “continue to get overlooked because they’re still not considered an essential component to a company’s broader phishing, BEC or ransomware mitigation approach,” states Mark Calandra, president of CSC Digital Brand Services.  

Calandra adds: “A focus on securing legitimate domains while monitoring for malicious domains in parallel needs to be a bigger priority for companies in order to stay protected and mitigate cyber risk. Otherwise, companies are exposing themselves to significant threats to their cybersecurity posture, data protection, intellectual property, supply chains, consumer safety, revenue and reputation.”

DMARC adoption varies by industry:

  • IT software and services—74%
  • Healthcare equipment and services—73%
  • Semiconductors—72% 
  • Media—64%
  • Hotels, restaurants, and leisure—63%
  • Retailing—60%
  • Drugs and biotechnology—60%
  • Oil and gas operations—59%
  • Conglomerates—56% 
  • Telecommunication services—56% 
  • Technology hardware and equipment—56%
  • Food, drink and tobacco—54%
  • Utilities—54%
  • Business services and supplies—53% 
  • Aerospace and defense—50%
  • Banking—50%
  • Materials—47%
  • Household and personal products—47% 
  • Transportation—46%
  • Insurance—46%
  • Diversified financials—43%
  • Trading companies—41%
  • Chemicals—41%
  • Consumer durables—38% 
  • Food markets—38% 
  • Capital goods—37%
  • Construction—28% 

CSC also found 70% of the third-party domains reviewed were suspicious: 

  • 77% of third-party domains used domain privacy services and/or had WHOIS details redacted.  
  • 43% were configured with MX email records, allowing them to send phishing emails. 
  • 56% pointed to advertising or pay-per-click content, or were used for domain parking.
  • 38% had inactive web content.
  • 6% pointed to brand impersonation and malicious content, such as phishing and potential malware delivery.

The research is based on analysis of publicly available DNS records and domain registrations, combined with CSC's proprietary technology. 
