From July through October 2018, attackers overwhelmingly used display name deception to launch business email compromise attacks, stealing money and credentials from their victims while damaging trust in the brands and domains they impersonated. Among Agari’s findings:

  • 54% of attacks leveraged impersonated brands, particularly Microsoft and Amazon, in the sender display name to convince victims the email was legitimate.
  • Raw DMARC policy adoption rose by 51%, according to the most comprehensive DMARC snapshot to date—but not all DMARC adoption was benevolent.
  • The US federal government sector led DMARC policy adoption, with a 76% DMARC reject rate.

Download your copy of the Q4 2018 Email Fraud and DMARC Adoption Trends report now to learn which brands and identities were targeted most and how DMARC authentication helps businesses protect their brands and domains.

Outbound Attack Trends

Best Defense:
The Largest Snapshot of DMARC Adoption Rates

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open standard email authentication protocol that helps businesses protect their brands and domains from being used to send fraudulent phishing emails. In the broadest snapshot ever of 283 million Internet domains, we break down the state of DMARC implementation worldwide.

The Domain Spoofing Challenge

DMARC lets a domain owner tell receiving mail systems how to recognize when an email is not coming from that domain’s approved senders (that is, it fails SPF or DKIM alignment) and what to do with those unauthenticated messages. Policy settings include monitor, “p=none,” which instructs the receiver to deliver the email anyway and only report on it; “p=quarantine,” which places the email in the spam folder; and “p=reject,” which blocks the email from ever reaching the inbox. When an enforcement policy is set properly, DMARC helps ensure only authorized senders can use an organization’s domain name in email, and has been shown to drive phishing rates for impersonated brands down to near zero.

[Chart: domain DMARC policies (domain-dmarc-policies-q4-2019)]

For more information on DMARC and the benefits of adoption see: agari.com/dmarc-guide

During the analyzed period, Agari captured an unprecedented view into the state of DMARC adoption rates and enforcement policies by crawling the entire public Internet domain space representing over 283 million domains, generating a snapshot of DMARC implementation rates worldwide. Agari took a snapshot in July 2018, followed by a snapshot of the data in October 2018.

Key Findings
  • Increased Adoption: In our examination of more than 283 million domains, Agari identified 3.5 million domains with valid DMARC records in July. That count rose to 5.3 million domains in October, representing a 51.4% gain in DMARC record observances.
  • The Vast Majority of Records Belong to .coms: Most domains with DMARC records are .com domains tied to business and ecommerce. It is also worth noting that .edu domains, the category most associated with brand impersonation, have the fewest domains with DMARC records of any sector.
  • Significant Growth Observed in Strongest Enforcement Setting: The bulk of the changes are generated by domains for which DMARC policies have been changed to the highest possible enforcement level, “p=reject”. This category of policies nearly tripled from under 400,000 to 1.1 million from July to October.
  • But Not All DMARC Domains Send Email: As we’ll discuss in more detail later on, none of this means that several hundred thousand email-sending domains have suddenly become more secure. On the contrary, any number of domains could have been registered in bulk and simply had reject policies assigned.

Hitting the Sweet Spot:
More Domains, Highest Enforcement Levels Win

An early avenue of investigation into our dataset was to get a read on how vendors and DMARC service providers are helping organizations use DMARC to protect their domains from email impersonation scams. The size of our dataset offers a unique view into the number of domains for which vendors have established DMARC records, as well as how many of those records have been set to the highest enforcement level of “p=reject.” This combination of data points offers a snapshot of market share and success rates for each of these vendors.

Unprecedented Insight into Vendor Standing

As a shorthand to determining a market share figure, we tabulated the number of times specific well-known DMARC implementation vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field that accepts an email address to receive aggregate DMARC data reports is a good proxy for this calculation. With this email address, the DMARC vendor typically accepts, parses, and visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.

The following table shows a basic ranking of top vendors, corresponding to the number of domains that specify that vendor in the “rua” field. We then applied a second filter indicating the all-important percentage of domains at the highest possible DMARC enforcement policy (p=reject) for each vendor, which is the policy level that will block phishing messages.
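To make the two mechanisms above concrete, here is an added example (not Agari’s crawler or any code from the report) that parses DMARC TXT records the way the policy classification and the “rua” vendor tally both require: it rejects records that are not valid DMARC1, buckets each domain as no record / none / quarantine / reject, tallies which domain receives aggregate reports as a proxy for the vendor, and flags settings (sp=, pct<100, no rua) that make a record weaker than its p= tag suggests. The sample records and domains are constructed for illustration; a real survey would fetch `_dmarc.<domain>` TXT over DNS, which is omitted so the example runs offline.

```python
"""Classify DMARC records and tally aggregate-report (rua) recipients.

Added example, not the report's own tooling. Assumes the TXT record text has
already been fetched and unquoted; no DNS lookups are performed.
"""
from collections import Counter

RANK = {"none": 0, "quarantine": 1, "reject": 2}  # policy strength order

# Constructed sample of _dmarc.<domain> TXT records (not real survey data).
SAMPLE_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; rua=mailto:agg@vendor-a.example; ruf=mailto:f@bank.example",
    "retail.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:reports@vendor-b.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:agg@vendor-a.example, mailto:dmarc@monitor.example",
    "parked.example": "v=DMARC1; p=reject",      # enforced, but no reporting (parked-domain pattern)
    "broken.example": "p=reject; v=DMARC1",      # v= must be the first tag: not a valid record
    "sub.example": "v=DMARC1; p=reject; sp=none; rua=mailto:reports@vendor-b.example",
    "typo.example": "v=DMARC1; p=rejekt",        # unknown policy value: treated as no record
    "norecord.example": None,                    # no _dmarc TXT published at all
}


def parse_dmarc(txt):
    """Return a dict of tag -> value, or None if txt is not a usable DMARC1 record.

    RFC 7489: tags are ';'-separated name=value pairs, 'v=DMARC1' must come
    first and 'p' is required; 'sp' defaults to 'p' and 'pct' to 100.
    """
    if not txt:
        return None
    tags, first = {}, True
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        name, value = (s.strip() for s in part.split("=", 1))
        name = name.lower()
        if first:
            if name != "v" or value.upper() != "DMARC1":
                return None
            first = False
        tags[name] = value
    if tags.get("p", "").lower() not in RANK:
        return None
    tags["p"] = tags["p"].lower()
    if "sp" in tags:
        if tags["sp"].lower() not in RANK:
            return None
        tags["sp"] = tags["sp"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return None
    if not 0 <= pct <= 100:
        return None
    tags["pct"] = pct
    return tags


def rua_targets(rec):
    """Mailbox domains named in rua= (aggregate reports), ignoring '!size' limits."""
    targets = set()
    for uri in rec.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addr = uri[len("mailto:"):].split("!", 1)[0]
            if "@" in addr:
                targets.add(addr.rsplit("@", 1)[1].lower())
    return targets


def weaknesses(rec):
    """Flag settings that make a record weaker than its p= tag suggests."""
    notes, p = [], rec["p"]
    sp = rec.get("sp", p)
    if RANK[sp] < RANK[p]:
        notes.append(f"sp={sp} leaves subdomains weaker than p={p}")
    if rec["pct"] < 100 and p != "none":
        notes.append(f"pct={rec['pct']} applies the policy to only part of failing mail")
    if not rua_targets(rec):
        notes.append("no rua: no aggregate feedback on who is sending as this domain")
    return notes


def survey(records, min_domains=0):
    """Tally policy classes overall and per rua recipient domain (vendor proxy).

    min_domains mirrors the report's cut-off (it used 1,000) for listing a vendor.
    """
    policy_counts, vendor_domains, vendor_reject = Counter(), Counter(), Counter()
    for txt in records.values():
        rec = parse_dmarc(txt)
        if rec is None:
            policy_counts["no record"] += 1
            continue
        policy_counts[rec["p"]] += 1
        for vendor in rua_targets(rec):
            vendor_domains[vendor] += 1
            vendor_reject[vendor] += rec["p"] == "reject"
    table = {v: {"domains": n, "reject": vendor_reject[v], "reject_rate": vendor_reject[v] / n}
             for v, n in vendor_domains.items() if n >= min_domains}
    return policy_counts, table


if __name__ == "__main__":
    counts, table = survey(SAMPLE_RECORDS)
    print(dict(counts))
    for vendor, row in sorted(table.items(), key=lambda kv: -kv[1]["domains"]):
        print(f"{vendor:20} domains={row['domains']} reject_rate={row['reject_rate']:.0%}")
```

Two details matter when reproducing the report’s numbers: a record whose `v=DMARC1` tag is not first, or whose `p=` value is unknown, counts as “no record” rather than as a weak policy, and a domain can sit at `p=reject` with no `rua` at all, which is exactly the profile of the bulk-registered parked domains discussed later on.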

[Table: DMARC policy by vendor (dmarc-policy-q3-2018)]

Key Findings
  • Enforcement Rates Vary Widely by Vendor: A high enforcement rate should be a key criterion when selecting a vendor. Enterprises with hundreds or thousands of domains should consider vendors who have both a high number of domains and a high enforcement rate.
  • Higher Quantities Can Come With Lower Enforcement Rates: Mid-tier vendors tend to struggle with the ratio between the domains they service and the share of those records they succeed in converting to the highest enforcement policy, whether the total number of domains they service is large or small.
  • The Goldilocks Ratio: Category-leading vendors achieve that perfect combination of a large number of domains serviced across a wide range of industries matched with high levels of top enforcement policy implementation.

Parked Domains & Look-alike Factories:
Not all DMARC Adoption Rates Are Equal

It’s important to note that not all domains with DMARC records are intended to send email and ensure an authentic stream of communications.

Agari observed many examples of dubious or tangential use of DMARC configurations, which goes a long way toward explaining the growth in raw policies we witnessed in Q3 2018. During the course of our analysis, Agari tracked substantial movement among domain registrars and domain monetization companies which, as a matter of business process, configure DMARC records on every domain they register. One firm, Team Internet, registered over 100,000 incremental domains over the course of the analyzed period, all of which had DMARC records. Another registrar based in Russia, snbox.ru, registered over 300,000 new domains, all set to a p=reject policy. Many of these were look-alike domains for common and well-known brands, such as the Internet bandwidth site “speedtest” or the popular gaming site “Kongregate.” Our hypothesis is that for these domain monetization firms, assigning a DMARC reject policy is simply best practice to keep domains of this ilk off takedown sites and IP reputation blacklists and out of the hands of cybercriminals running phishing scams.

DMARC Global Sector Analysis:
Fortune 500

As we have done in the past, we looked at publicly available adoption data for the Fortune 500 (F500), Financial Times Stock Exchange 100 (FTSE 100), and Australian Securities Exchange 100 (ASX 100) to gauge adoption trends among prominent global organizations across geographies.

Our additional research indicates that, across the board, the largest corporations around the world have in fact made strides with email authentication. However, when considering the prevailing proportion of “no record” and “monitor-only” policies, the state of implementation is leaving their customers, business partners, and brand vulnerable to phishing and the losses associated with email fraud.

Almost 87 percent of the Fortune 500 are vulnerable to phishing, leaving their customers, employees and brand name exposed to fraud. The Fortune 500 are the largest, most well-known and most trusted companies in the United States. Unfortunately, DMARC adoption is dangerously low within the Fortune 500, enabling malicious actors to abuse that trust and leaving corporations unprepared to prevent it.

[Chart: Fortune 500 DMARC adoption (fortune-500-dmarc-q4-2019)]

DMARC Adoption – Almost half (49 percent) of the Fortune 500 have not published any DMARC policy. This is, however, an improvement over the previous year, in which two-thirds (67 percent) of the Fortune 500 had no DMARC policy.

Quarantine Policy – Only five percent have implemented a Quarantine policy to send phishing emails to the spam folder.

Reject Policy – Only 8 percent have implemented a Reject policy to block phishing attempts. This is an increase of over 3 percent from the previous period.

DMARC Global Sector Analysis:
FTSE 100

The Financial Times Stock Exchange 100 Index, more commonly known as the FTSE 100, is a share index of the top 100 companies listed on the London Stock Exchange (LSE) and is seen as the go-to reference for those seeking an indication of the performance of the major companies listed in the United Kingdom.

Applying the same methodology used for the Fortune 500 analysis reveals that, as in the United States, the majority of the top 100 United Kingdom public companies do not have a DMARC record for their corporate domain. The lack of DMARC implementation within an organization exposes the business not only to the potential for fraud but also to data breach, and to all the public reputational and financial penalties associated with an incident, while simultaneously eroding the faith that employees and customers have in the brand.

[Chart: FTSE 100 DMARC adoption (ftse-100-dmarc-q4-2019)]

DMARC Adoption – Over half (56 percent) of the Financial Times Stock Exchange 100 have not published any DMARC policy, which represents an 11 percentage point increase over the previous period.

Quarantine Policy – Only one percent have implemented a Quarantine policy to send phishing attempts to spam. This percentage is unchanged from last year.

Reject Policy – Only nine percent have implemented a Reject policy to block phishing attempts.

DMARC Global Sector Analysis:
ASX 100

The ASX 100 is Australia’s stock market index, representing its top 100 large and mid-cap securities.

With just under a third of Australian businesses having taken, at a minimum, the first step in adopting DMARC to combat the threat of digital deception, it is evident that a high level of education still needs to be undertaken in this market.

[Chart: ASX 100 DMARC adoption (australia-100-dmarc-q4-2019)]

DMARC Adoption – Almost two-thirds (60 percent) of the Australian Securities Exchange (ASX 100) have not published any DMARC policy.

Quarantine Policy – Only one percent have implemented a Quarantine policy.

Reject Policy – Only seven percent have implemented a Reject policy to block phishing attempts, a modest increase from last year’s 3 percent reject rate.

Large Sector Analysis:
US Government is a Standout 

An additional avenue of analysis from an overall DMARC adoption trend perspective was to examine public DNS records for primary corporate and government website domains of large organizations with revenues above $1B.

We compared these statistics to United States government domains, which were the subject of a high-level, top-down mandate in 2017 to implement security controls, with DMARC enforcement as a key component. As the chart below shows, when viewed from a DMARC policy attainment perspective, the US Government could be the poster child for a sector-wide DMARC implementation success story. When looking at DMARC enforcement (domains with a p=reject policy), the US Government is the clear leader, with 76% of its in-scope domains at an enforcement policy.

[Chart: DMARC policy by industry (dmarc-policy-industries-q4-2019)]

A reject (enforcement) policy tells participating mailbox providers to block messages that fail authentication for an organization’s domain, which is what stops spoofing of its brand or domain name. It’s telling that the government’s progress far outpaces dominant business-to-consumer sectors such as retail and healthcare, which depend on a trusted communication channel to their customers. The finance industry, which has the highest adoption and reject rates other than the US government, was an early adopter of DMARC and has historically been a top target for initial phishing attacks. Yet, in only one year, driven by the BOD 18-01 mandate, the US federal government was able to far surpass all other sectors.

For more information on the BOD 18-01 and a detailed analysis of federal agency progress and policy attainment, see: agari.com/fedreport
