Retail Trails Other Sectors in Adopting DMARC for Phishing Prevention

Armen Najarian February 26, 2019 DMARC

Recent research by the Agari Cyber Intelligence Division finds that the retail industry is dead last among major sectors in adopting and enforcing DMARC email authentication. This leaves retailers' email channel vulnerable to brand impersonation attacks.

While the United States government leads in full DMARC enforcement policy, with 81% of its domains meeting the strictest DMARC standard, over 60% of retail domains surveyed between October and December 2018 had no DMARC record at all.

This is surprising, given what is at stake for retail brands, shareholders, and customers. The losses for all can be enormous.

Email Attacks: Rising Fast, Making Headlines, Hurting Brands

During the last quarter of 2018, Amazon and Netflix made headlines when their customers were targeted by phishing scams designed to steal customer data. But, here’s the rub. Both Netflix and Amazon have DMARC implemented. The cybercriminals have simply moved on to more advanced tactics, such as look-alike domains. Of course, Agari solutions address look-alike domain spoofing, but a vanilla DMARC setup does not.

DMARC does authenticate domains under the organization’s control. Without it, scammers can start exploiting a company’s domains to send predatory emails. When that happens, legitimate messaging can suffer too. Email receiver systems may send legit emails to spam folders or reject them outright. Emails that do make it to the inbox may be deemed untrustworthy by customers who fear being phished or who’ve already been scammed and blame the brand. And as marketers know, once deliverability and click-through rates decline, so does ROI.
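The scope limit described above can be seen in how a receiver selects the DMARC policy for a message's From domain. The following is an added example, not code from Agari or from the original post; the domains and TXT records are constructed, and the two-label organizational-domain rule is a simplifying assumption (real receivers use the Public Suffix List).

```python
# Constructed DNS data for illustration; none of these are real records.
CONSTRUCTED_DNS = {
    "_dmarc.brand.example": "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example",
    "_dmarc.shop.example": "v=DMARC1; p=none",
    # retailer.example and brand-support.example publish no DMARC record.
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not valid DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    return ".".join(domain.split(".")[-2:])


def policy_for(from_domain, dns=CONSTRUCTED_DNS):
    """Policy a receiver applies to mail that fails DMARC for this From domain."""
    from_domain = from_domain.lower().rstrip(".")
    record = dns.get("_dmarc." + from_domain)
    tags = parse_dmarc(record) if record else None
    if tags:
        return tags["p"].lower()
    org = org_domain(from_domain)
    if org != from_domain:
        record = dns.get("_dmarc." + org)
        tags = parse_dmarc(record) if record else None
        if tags:
            # Subdomains use sp= when present, otherwise they inherit p=.
            return tags.get("sp", tags["p"]).lower()
    return "no-record"
```

The lookup is keyed on the From domain itself, so `brand.example`'s `p=reject` covers `brand.example` and its subdomains but never the separately registered `brand-support.example`, which resolves to `no-record`.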

Here at Agari, we’ve found that when organizations enforce the strictest level of DMARC policy, the rate of brand impersonation phishing attacks plummets to near zero—often in a matter of weeks. With DMARC, email receiver systems can verify which messages are authentic, so retailers stay out of the news when it comes to phishing attacks, and consumers grow to trust the brand messages in their inbox.

Full Email Protection Requires DMARC and More

As dramatic as the drop in phishing is with full DMARC implementation, DMARC alone can’t fully protect brands from the ever-growing list of threats to the email channel. Like most other businesses, retailers find themselves under attack.

Last year, more than 90% of organizations surveyed said they were victims of attempted business email compromise. That’s not surprising, considering BEC scams rose by 60% during 2018, with nearly twenty-three new brand-impersonation email attacks every minute. Email account takeover attacks also rose by 126% in 2018.

This is why we have taken a more holistic approach with the Agari Secure Email Cloud™. To protect your brand, we automate the implementation of DMARC to accelerate time to reject. Our solutions also augment the standard with technologies that fight look-alike domains and help take down phishing sites that target your brand. This helps keep your customers safe and preserves the reputation of your brand on email.

And to combat threats targeting your organization, Agari Advanced Threat Protection uses intelligence extracted from the roughly 2 trillion emails we analyze annually to stop business email compromise, executive spoofing, account takeover, and other attacks with up to 99.9% efficacy—ensuring that emails targeting your employees never reach the inbox.

The Agari Incident Response product takes this further. It gives SOC analysts the ability to prioritize employee-reported phishing incidents, perform impact analysis, and then quickly conduct triage and remediation. For Microsoft Office 365, it can even physically remove threats from the inbox.

Retail Can—and Must—Catch Up Quickly

Seemingly the only thing keeping retailers from accomplishing these goals is a lack of business imperative and will. Focusing on DMARC, other sectors have proven that gains can happen fast.

Because of a mandate called BOD 18-01, the executive branch of the United States government brought 81% of its domains into full DMARC compliance in just one year after the Department of Homeland Security ordered its implementation. And while the healthcare sector ranks second-to-last in overall DMARC policy adoption, Agari’s healthcare customers made huge DMARC gains in 2018, moving from last to second place.

These cases are good news for retailers who want to move quickly to adopt DMARC and advanced email security. They also show why the time to move on DMARC is now. As government, finance, healthcare, and other sectors become harder targets, fraudsters will turn their attention to softer targets—and right now retail is the softest email target of all.

Retailers need to act now to safeguard their brand reputations, top-line revenue, and shareholder value. A comprehensive solution, including DMARC authentication for outbound threats and protection against advanced inbound attacks, is available now. It’s easy to implement, and it can have massive ROI for those companies that depend so heavily on a reliable email channel.

Read the Q1 2019 Email Fraud & Identity Deception Trends report to learn more about how DMARC enforcement can protect your brand from domain spoofing.
