Email Security Blog

DMARC Remains Elusive with 86% of gov.uk Domains Open to Impersonation

Suela Vahdat May 23, 2019 DMARC

More than three-quarters of UK government organisations haven’t yet adopted Domain-based Message Authentication and Reporting Conformance (DMARC), the standard email security protocol needed to prevent impersonation in phishing attacks targeting businesses and consumers. Between a barrage of Brexit-based email scams, fraudulent tax refund schemes, and a public sector migration to new web addresses, the news couldn’t come at a tougher time.

Only 28% of all gov.uk domains have implemented DMARC, despite the March deadline for government and other public sector organisations to transition off the Government Secure Intranet (GSI) platform and onto the public cloud. According to guidelines issued by the National Cyber Security Centre (NCSC), all gov.uk domains should have an assigned DMARC record with enforcement policy set at either p=quarantine or p=reject.

At this writing, 53% of domains with DMARC are still set to p=none, or monitor-only—a policy that does nothing to stop malicious email impersonation scams from reaching inboxes. It has been reported that roughly 14% of gov.uk domains have assigned DMARC records with the p=reject enforcement policy needed to stop 100% of fraudulent government emails from reaching recipients.

While that is in stark contrast with the UK’s central government, where 89% of organizations have adopted DMARC with a recommended policy set to p=reject, it should be noted that even in the best cases, getting to quarantine and eventually to reject is an arduous, resource-intensive process that takes considerable time. Taking that leap amid a mass migration to the public cloud may add whole new layers of complexity.

At this point, the primary goal shouldn’t be to shame these organizations, but rather to find the means to help them make the transition to DMARC enforcement as seamless as possible. Because without it, our 5.7 Million SME’s that operate in the UK are put at risk from the millions of malicious messages purporting to come from trusted government organisations each month. These fraudulent emails can lead to stolen credentials and financial losses.

The Battle of Britain

Attackers sending fake emails purporting to be from the government has been one of the biggest problems in UK cybersecurity, contributing to more than £4.6 billion in consumer losses each year. That means that while the UK accounts for less than 1% of the global population, it makes up almost 2% of all cybercrime victims—and almost 4% of all global losses.

Unfortunately, these numbers are getting worse. Her Majesty’s Revenue and Customs (HMRC) has issued warnings about a surge in fraudulent tax refund texts and email messages it expects through the end of the month. Last spring, the HMRC received around 250,000 reports of such scams, and this year, it’s racing to deactivate hundreds of phishing sites connected to new attacks.

Meanwhile, hackers believed to be backed by Russian intelligence continue to exploit uncertainty over ongoing Brexit negotiations by sending phishing emails masquerading as official government communications. These nefarious operations are so efficient, they often send fake emails to consumer and business targets within hours of major Brexit-related news events or announcements. In response to this and other threats, 53% of UK businesses in a recent survey report they’re beefing up cybersecurity. Brand impersonation phishing scams and business email compromise (BEC) rank among the top three threats these businesses expect to face in the lead up, and the immediate aftermath, of what is now expected to be a no-deal Brexit currently pushed back to October 31.

Then there is that migration off the GSI platform and its “gsi.gov.uk” email addresses. In August 2016, UK Government Digital Services (GDS) issued guidelines to public organisations on adopting DMARC in preparation for the GSI’s retirement in March 2019. The fact that so few organisations were able to hit the deadline will only slow down efforts to protect against government impersonation attacks.

The National Cyber Security Centre (NCSC) currently blocks more than 4.5 million malicious emails posing as UK government or public sector organizations each month. While that’s down significantly from recent years, it hasn’t eliminated the problem altogether.

DMARC to the Rescue?

First introduced in 2012, DMARC is an open standard email authentication protocol that helps stop billions of email-based impersonation attacks.

By enabling email sender and receiver systems to recognise when an email isn’t coming for a specific organisations’ approved domains, DMARC prevents malicious messages that leverage the organisation’s identity from ever reaching recipients’ inboxes. It also gives the organisation the ability to tell email receiver systems what to do with unauthenticated email messages.

While a p=quarantine enforcement policy is a good place to start, the goal should be to ultimately implement DMARC with the p=reject enforcement policy in order to prevent domains from being vulnerable to spoofing, and constituents vulnerable to falling for fraud. With this policy in place, DMARC can be incredibly effective at stopping imposters from defrauding an organization’s constituents, whether that means the public or other government agencies.  In fact, while only 1 in 5 gov.uk domains is currently protected, DMARC is credited with blocking more than 80 million fake government emails per year.

Still, quickly implementing DMARC across the remaining 86% of gov.uk domains—more than 1,720 in all—will be no small feat. In the United States, for instance, fifteen federal executive branch agencies had just over a year to implement DMARC across 1,444 domains. Roughly 83% made the October 16, 2018 deadline, while some are still catching up over six months later.

The truth is, most organisations don’t realize just how complex their email ecosystems can be—especially when they span multiple domains and numerous third-party partners who send emails on their behalf. Correctly configuring DMARC across multiple teams without disrupting services can be a monumental task. As a result, some organisations may seek out advanced, automated solutions that can help them accelerate and manage full and effective DMARC implementation. For the sake of constituents throughout the United Kingdom, we hope they hurry.

Disrupting the Digital Endgame

According to Europol, cybercriminal organisations are reaching a level of sophistication that makes them nearly indistinguishable from nation-state actors. But while crime rings impersonate government organisations in order to defraud consumers and businesses for financial gain, cyberwar groups use the same techniques to steal sensitive information, distribute malware, or to gain control of critical systems.

The results could be catastrophic. According to a recent study from Lloyds of London, a single, coordinated phishing campaign across multiple sectors, including governments, utilities, and transportation, could create a ripple effect that causes up to $193 billion in economic damage.

Implementing DMARC to p=reject is a critically important part of the multilayered approach to preventing this or any other kind of advanced email threat from causing harm to the British people and businesses. Considering the threats, implementing DMARC across all gov.uk domains has never been more urgent.

To learn more about how cybercriminals target the UK government and UK-based organisations, read our recent threat dossier on London Blue.

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

September 26, 2019 Doug Jones

How to Prevent Phishing Attacks that Target Your Customers with DMARC and Office 365

Editor's Note: This post originally appeared on the Microsoft Security blog and has been republished…

Agari Blog Image

September 16, 2019 Jacob Rideout

5 Big Myths about DMARC, Debunked

With email attacks contributing to billions of lost dollars each year, a growing number of…

Agari Blog Image

September 6, 2019 Fareed Bukhari

Ensuring DMARC Compliance for Third-Party Senders

Marketo. Salesforce. Eloqua. Bamboo HR. Zendesk. It only takes a minute to realize how much…

Agari Blog Image

August 8, 2019 Fareed Bukhari

DMARC Quarantine vs. DMARC Reject: Which Should You Implement?

You did it! You implemented DMARC and authenticated your email domains. This is no easy…

Agari Blog Image

June 26, 2019 Armen Najarian

Ticket to Fraud: Airline Industry Sees Increased Consumer Phishing Scams

For many, there are few things more satisfying than receiving an email confirmation for a…

mobile image