Many governments and banks lack key email protection

13 Nov 2023


A report by SendLayer claims only 35pc of government domains and 34pc of large companies have DMARC protection, which is used to prevent phishing scams.

Cyberattacks continue to disrupt vital industries around the world, with organisations of all sizes being targeted.

Last week saw a disruption to the world’s largest bank – ICBC – after a cyberattack impacted its US operations. The attack forced the bank to conduct business through a USB stick that contained transaction details, according to a Bloomberg report.

Over the weekend, major ports across Australia were forced to temporarily suspend their operations after DP World Australia was hit with a cyberattack. Meanwhile, Microsoft recently warned of a criminal group that uses “advanced” phishing tactics and targets various industries for extortion.

Despite the constant threat of cyberattacks, a report from earlier this year suggests many large companies, government institutions and banks are lacking in an important form of email protection.

A lack of DMARC protection in banking

The report from email delivery provider SendLayer looked at more than 187,000 organisations to see if they have DMARC, which is a type of email authentication, policy and reporting protocol.

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is designed to help organisations determine if a given message is from a legitimate sender to prevent phishing and other malicious activities. This type of protection can reject or quarantine suspicious emails, depending on the policy the domain owner has set.

SendLayer claims that 41pc of global banking institutions that it analysed do not have DMARC set up for their domains. The company said this makes it easier for scammers to imitate an unprotected banking domain and trick people into transferring money.

“Although the banking industry is more likely than other sectors to implement DMARC protocols, it still leaves countless customers vulnerable to financial fraud carried out using fake emails,” SendLayer said in its report.

Last month, Permanent TSB partnered with Expleo to introduce a banking app feature that alerts users when they receive a phishing text that is trying to steal sensitive information.

Governments and big businesses

This report also claims that 66pc of the largest global companies that it analysed “from various industries” did not have this protection. SendLayer also claims that more than half of the companies that had this protection had their policy set to ‘none’, which means “no action would be taken to stop suspicious emails”.

Meanwhile, only 35pc of domains attached to government organisations in the analysis had DMARC enabled. SendLayer claimed it analysed government organisations from 198 countries and warned that scammers could attempt to imitate government agencies that lack this protection.

“State institutions have a responsibility to protect individuals from scams run in their names,” the report said. “Unfortunately, only a few smaller countries had near-perfect DMARC coverage rates.”

“In some sectors, DMARC usage is dangerously uncommon. We found that only 9pc of the domains from the graphic design industry had DMARC protection, the lowest among all.”


Leigh Mc Gowran is a journalist with Silicon Republic
