Recent research by the Agari Cyber Intelligence Division finds that the retail industry is dead last among major sectors in adopting and enforcing DMARC email authentication. This leaves their email channel vulnerable to brand impersonation attacks.
While the United States government leads in full DMARC enforcement policy, with 81% of its domains meeting the strictest DMARC standard, over 60% of retail domains surveyed between October and December 2018 had no DMARC record at all.
This is surprising, given what is at stake for retail brands, shareholders, and customers. The losses for all can be enormous.
During the last quarter of 2018, Amazon and Netflix made headlines when their customers were targeted by phishing scams designed to steal customer data. But, here’s the rub. Both Netflix and Amazon have DMARC implemented. The cybercriminals have simply moved on to more advanced tactics, such as look-alike domains. Of course, Agari solutions address look-alike domain spoofing, but a vanilla DMARC setup does not.
DMARC does authenticate domains under the organization’s control. Without it, scammers can start exploiting a company’s domains to send predatory emails. When that happens, legitimate messaging can suffer too. Email receiver systems may send legit emails to spam folders or reject them outright. Emails that do make it to the inbox may be deemed untrustworthy by customers who fear being phished or who’ve already been scammed and blame the brand. And as marketers know, once deliverability and click-through rates decline, so does ROI.
Here at Agari, we’ve found that when organizations enforce the strictest level of DMARC policy, the rate of brand impersonation phishing attacks plummets to near zero—often in a matter of weeks. With DMARC, email receiver systems can verify which messages are authentic, so retailers stay out of the news when it comes to phishing attacks, and consumers grow to trust the brand messages in their inbox.
As dramatic as the drop in phishing is with full DMARC implementation, DMARC alone can’t fully protect brands from the ever-growing list of threats to the email channel. Like most other businesses, retailers find themselves under attack.
Last year, more than 90% of organizations surveyed said they were victims of attempted business email compromise. That’s not surprising, considering BEC scams rose by 60% during 2018, with nearly twenty-three new brand-impersonation email attacks every minute. Email account takeover attacks also rose by 126% in 2018.
This is why we have taken a more holistic approach with the Agari Secure Email Cloud™. To protect your brand, we automate the implementation of DMARC to accelerate time to reject. Our solutions also augment the standard with technologies that fight look-alike domains and help take down phishing sites that target your brand. This helps keep your customers safe and preserves the reputation of your brand on email.
And to combat threats targeting your organization, Agari Advanced Threat Protection uses intelligence extracted from the roughly 2 trillion emails we analyze annually to stop business email compromise, executive spoofing, account takeover, and other attacks with up to 99.987% efficacy—ensuring that emails targeting your employees never reach the inbox.
The Agari Incident Response product takes this further. It provides SOC analysts the ability to prioritize employee reported phishing incidents, perform impact analysis, and then quickly conduct triage and remediation. For Microsoft Office 365, it can even physically remove threats from the inbox.
Seemingly the only thing blocking retailers from accomplishing these goals is the business imperative and will. Focusing on DMARC, other sectors have proven that gains can happen fast.
Because of a mandate called BOD 18-01, the executive branch of the United States government brought 81% of its domains into full DMARC compliance in just one year after the Department of Homeland Security ordered its implementation. And while the healthcare sector overall ranks second-to-last in overall DMARC policy adoption, Agari’s healthcare customers made huge DMARC gains in 2018, moving from last to second place.
These cases are good news for retailers who want to move quickly to adopt DMARC and advanced email security. They also show why the time to move on DMARC is now. As government, finance, healthcare, and other sectors become harder targets, fraudsters will turn their attention to softer targets—and right now retail is the softest email target of all.
Retailers need to act now to safeguard their brand reputations, top-line revenue, and shareholder value. A comprehensive solution, including DMARC authentication for outbound threats and protection against advanced inbound attacks, is available now. It’s easy to implement, and it can have massive ROI for those companies that depend so heavily on a reliable email channel.
Read the Q1 2019 Email Fraud & Identity Deception Trends report to learn more about how DMARC enforcement can protect your brand from domain spoofing.