Surging business email compromise (BEC) losses are pushing businesses and government agencies towards “aggressive” adoption of DMARC anti-fraud technology, a security expert has observed while noting that new figures suggest 61 percent of Australia’s largest organisations are leaving themselves wide open to email fraud.
Just 39 of the ASX 100 have so far established DMARC records to indicate their use of the anti-spoofing technology, according to a recent analysis by security vendor Proofpoint.
That was up significantly compared with a late-2016 analysis that found just 6 percent of US businesses were using DMARC, while another ASX100 audit last year found that just 27 percent of Australia’s biggest companies had adopted the technology.
Some 25 percent of those companies are in the financial sector – hardly surprising given the particular exposure of finance-related companies to cybercriminals seeking to take the money and run.
“We have seen much more aggressive adoption of DMARC over the course of the last 12 months simply because of the growth of email fraud,” Proofpoint CEO Gary Steele told CSO Australia.
“These campaigns are reasonably easy to run for bad actors, and they are seeing pretty serious paydays as illustrated by the numbers.”
A recent Mimecast analysis found that BEC volumes were up 80 percent quarter-on-quarter, with the US FBI recently arresting 74 BEC perpetrators while announcing that global BEC losses had passed $US12 billion ($A16.5b)
DMARC includes a number of steps to full maturity, including implementation of the Sender Policy Framework (SPF) or the related DomainKeys Identified Mail (DKIM) standards.
Yet the standards are just the beginning, with companies stepping through several phases before they can be deemed fully DMARC compliant.
Just 7 of the 39 companies have reached full maturity by proactively blocking and quarantining fraudulent emails, according to the latest Proofpoint figures. The remainder are in ‘monitor’ mode, where they are testing the effectiveness of DMARC blocking before actively intercepting questionable emails.
An individual perspective on fraud
Yet even with DMARC in place, organisations need to be keeping a close eye on individual differences that may see some employees individually targeted more than others.
Assessments of BEC attacks were often showing that, contrary to frequent portrayals, it’s often not the top executives who are being attacked. Rather, cybercriminals are targeting specific job roles or individuals in highly targeted attacks designed to maximise the chance of deception.
“We’re trying to help organisations understand the risk of vulnerabilities associated with specific people,” Steele explained.
“That’s what’s being targeted, and not just the organisation – so organisations need to think broadly about their security strategies as they relate to those specific individuals.”
Organisations should not only identify their most vulnerable individuals, he said, but must also remember that those individuals may be specifically targeted in other ways through real-world methods.
Proofpoint’s recent Email Fraud Threat Report: Year in Review found that BEC scammers targeted an average of 13 different people per organisation, many from organisations such as HR and accounts payable.
Some 47 percent of organisations had more than 5 identities spoofed during the quarter, reflecting greater use of social-media and Web-based information. The number of individual entities spoofed per organisation more than doubled in the last quarter of 2017, to around 10 individuals.
“Stagnant” government agencies weren’t faring much better, with an August review finding that just 7 out of 18 examined departments (38 percent) had published a DMARC record – and that only one agency had moved to the ‘rejection’ phase of DMARC adoption since the previous audit 10 months earlier.