Lack of DMARC protocol weakens already fragile e-mail security
Despite the prevalence of the business e-mail compromise (BEC) threat to cyber security, research by global e-mail delivery management specialist SendLayer confirms that a large number of organisations have not applied the Domain-based Message Authentication, Reporting and Conformance (DMARC) e-mail authentication protocol.
DMARC lets a domain owner define how receiving servers should handle e-mails that claim to have been sent from that domain. E-mail solution and delivery management specialists consider it to be a must-have in efforts to curb BEC and other e-mail-borne threats including phishing and scamming.
At the 2023 ITWeb Security Summit, cyber security experts listed BEC, phishing and deepfakes as dominant threats in Africa’s cyber threat landscape.
This is backed up by the findings of extensive market research by several cyber security firms.
For example, in February 2023, Trellix released findings of its Threat Report, which found that 78% of BEC involved fake CEO e-mails using common phrases. This was a 64% increase from Q3 to Q4 2022. Tactics included asking employees to confirm their direct phone number to execute a voice-phishing, or vishing, scheme. More than 80% were sent using free e-mail services, meaning threat actors need no special infrastructure to execute their campaigns.
Microsoft Threat Intelligence says that between April 2022 and April 2023 it detected and investigated 35 million BEC attempts and an average of 156 000 attempts daily.
In July 2022, Kaspersky research found that over 35% of South Africans faced phishing scams when using online banking or mobile wallet services.
Lack of DMARC
Research by SendLayer into the e-mail security protocols of almost 190 000 organisations found that a large number have not applied DMARC.
The company says there are three types of DMARC policy options that a domain can choose from:
1. ‘reject’ questionable messages (meaning they simply won’t reach the recipient’s mailbox at all);
2. ‘quarantine’ them (meaning the messages are sent to the spam folder);
3. ‘none’ (meaning no action is taken to block unauthorised e-mails).
Taking no action leaves the recipient vulnerable to phishing attacks, says Kyler Patterson from SendLayer.
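A domain publishes its chosen policy as the `p=` tag of a DNS TXT record at `_dmarc.<domain>`. The Python below is an added example, not SendLayer's code or methodology: it classifies a domain from the TXT strings found at that name, and the function names, `.example` domains and records are all constructed for illustration.

```python
from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample data: TXT strings as they would appear at _dmarc.<domain>.
SAMPLE = {
    "bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"],
    "shop.example": ["v=DMARC1; p=quarantine; pct=100"],
    "uni.example": ["v=DMARC1; p=none; rua=mailto:reports@uni.example"],
    "design.example": [],                                        # nothing published
    "gov.example": ["v=spf1 -all"],                              # SPF, not DMARC
    "corp.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicate records
}


def parse_dmarc(txt):
    """Parse one TXT string into a tag dict, or None if it is not a DMARC record."""
    tags = []
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: the v tag must come first and its value must be exactly "DMARC1".
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def classify(txt_records):
    """Return 'missing', 'invalid', 'none', 'quarantine' or 'reject' for a domain."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    # RFC 7489: zero records, or more than one, means no DMARC policy is applied.
    if len(records) != 1:
        return "missing"
    policy = records[0].get("p", "").lower()
    # Audit simplification (assumption): an absent or unknown p= is reported as
    # 'invalid' rather than emulating a receiver's fallback handling.
    return policy if policy in VALID_POLICIES else "invalid"


def audit(domains):
    """Count classifications and return the share of domains that block spoofed mail."""
    counts = Counter(classify(txt) for txt in domains.values())
    enforced = counts["quarantine"] + counts["reject"]
    return counts, enforced / len(domains)
```

Only `quarantine` and `reject` count as enforcement here; a domain at `p=none` has a record but still lets unauthorised mail through.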
Research found that 41% of the domains from the banking sector had no DMARC protocols set up. Other industries fared even worse, with 91% of the domains from the graphic design sector lacking DMARC. As many as 66% of the largest global companies from various industries had domains with no DMARC protection.
Overall, only 35% of the domains attached to government organisations from 198 countries had DMARC enabled, “… leaving the vast majority of citizens vulnerable to e-mail fraud,” Patterson adds.
As to why DMARC is not more vigorously implemented, Patterson explains that strict enforcement requires identifying all the legitimate sources of e-mail using a return address domain, and navigating all the elements of DMARC setup is time- and labour-intensive.
“Large, decentralised organisations (e.g. many large universities or companies) will often have organisational units which acquire third-party services involving e-mail, like e-mail marketing tools, without telling central IT. If DMARC is not set up carefully, legitimate e-mails might not get through, which may weigh heavily in the cost-benefit calculation for organisations. Figuring all this out and putting policies and procedures in place to prevent it is more work than many administrators have time for.”
South Africa performs
Patterson says while South Africa still has work to do, it is comparatively stronger when it comes to DMARC protection.
“We looked at 2 372 South African company domains. 64% of the large companies in South Africa (i.e. largest by employee count) from various industries had domains with no DMARC protection. However, South African companies are outliers in Africa as they perform better on average on DMARC coverage than Germany, Spain, and Saudi Arabia, for instance.”
Patterson says for businesses in emerging markets like Africa, addressing security issues (including missing DMARC) is crucial.
“Implementing DMARC and educating employees about e-mail security best practices are key steps. Enabling two-factor authentication, regularly updating software, and engaging with local cyber security communities can further enhance security measures. Partnering with trusted security service providers and fostering a security-conscious culture are recommended.”