Email Fraud Protection Needs to be on the CISO’s Agenda

We recently attended a CISO Summit in Scottsdale, AZ, where I had the pleasure of delivering a keynote address on the topic of “Protecting the Email Channel, Your Customers and Your Brand”.

As part of my presentation, I noted that Return Path has analyzed the sending domains of the Fortune 500 and found that only 10% of those companies have adopted a DMARC record of any sort (much less a DMARC reject policy). Expanding our research to 1,000 top global brands, we found a similarly bleak situation, with only 11% DMARC record adoption overall. My informal survey of conference attendees tracked along the same lines, with only a few people in a crowded room raising their hands to indicate that their organization published DMARC records.

[Figures: percentage of mailboxes protected by DMARC (USA, UK, global)]

Clearly, there is a vast area of opportunity for top brands to control what they can today with their sending identity by implementing DMARC at the very least. DMARC should be considered table stakes: a must-have for any serious security-minded organization. What is sobering is that even if DMARC adoption increases 100% YOY in 2015, still less than 25% of global brands will support DMARC by the end of the year. From a geographical perspective, our data shows that North America “leads” in DMARC adoption, followed by EMEA, APAC and then Latin America bringing up the rear.

Even more concerning than these statistics is the fact that a detailed analysis of a comprehensive set of phishing attacks, published in Return Path’s recent Email Fraud Protection whitepaper, points out that most spoofing occurs on domains that are not directly owned by the brand, and for which DMARC protection is therefore not possible.

Detecting abuse of domains that are not under a brand’s control is indeed possible today, and since Return Path has the largest email data repository, we can accelerate the mitigation of these malicious attacks by providing real-time threat intelligence to reduce the impact of those broad-based threats.

Ready to take action against email fraud? Check out our white papers and guides on how to get started.
