One of the best ways for organisations and for local governments to keep in touch with customers and constituents is through email. Constituents have been conditioned to expect that an email from a government entity requires immediate attention, for items such as paying a fine, changing log-in details, verifying their identity, and more. And when it comes to top brands, customers might expect to hear about the latest deals or receive a shipping confirmation.
Unfortunately, Proofpoint has found that many of these entities in New Zealand have not implemented email authentication best practices and may be unknowingly exposing themselves to cybercriminals looking to manipulate users through fraudulent emails.
Proofpoint today released findings from an examination of the DMARC records of the NZX50 and 28 New Zealand government departments. Proofpoint identified that 73 percent of the NZX50 and 79 percent of New Zealand government departments have no published DMARC (Domain-based Message Authentication, Reporting & Conformance) record, making them potentially more susceptible to cybercriminals spoofing their identity and increasing the risk of email fraud targeting users. Additionally, Proofpoint found that only 8 percent of all NZX50 companies and 4 percent of New Zealand government departments have implemented the strictest and recommended level of DMARC protection, which actually blocks fraudulent emails from reaching their intended target.
What is DMARC?
DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing the message to reach its intended destination, verifying that the purported domain of the sender has not been impersonated. It relies on the established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards to ensure the email is not spoofing the trusted domain.
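The Python example below is added here for illustration and is not Proofpoint's code or methodology. It sorts domains into the categories the findings describe (no published record, or a record at the none, quarantine or reject level), assuming the TXT strings published at _dmarc.<domain> have already been retrieved; the domains and records are constructed sample data and the function names are hypothetical.

```python
# Added example: classify DMARC posture from TXT strings found at _dmarc.<domain>.
# The domains and records in SAMPLE are constructed, not survey results.

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Return the tag/value dict of a DMARC record, or None if txt is not one."""
    # RFC 7489: a DMARC record must start with the tag v=DMARC1.
    first = txt.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1":
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def classify(txt_records):
    """Map the TXT strings at one _dmarc name to a protection level."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no record"   # nothing published: receivers get no policy
    if len(records) > 1:
        return "invalid"     # more than one DMARC record: receivers apply none
    policy = records[0].get("p", "").lower()
    return policy if policy in POLICIES else "invalid"


def summarise(domains):
    """Count domains per protection level."""
    counts = {}
    for txt_records in domains.values():
        level = classify(txt_records)
        counts[level] = counts.get(level, 0) + 1
    return counts


SAMPLE = {  # constructed sample data on the reserved .example TLD
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": [],                      # no TXT record at _dmarc.b.example
    "c.example": ["v=DMARC1; p=none"],    # monitoring only, nothing blocked
    "d.example": ["v=spf1 -all"],         # SPF text, not a DMARC record
    "e.example": ["v=DMARC1; p=quarantine; pct=50"],
}

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

Only the reject level corresponds to the strictest setting described above, the one that blocks fraudulent emails from reaching their intended target.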
Email remains a top communication channel for organisations and government entities alike, but it is also the leading threat vector for cybercriminals: more than 90 percent of cyberattacks come through email. According to recent Proofpoint research, global impostor email attempts increased more than 400% year-over-year and the use of domain spoofing in impostor emails increased 47 percentage points over Q1 to 57 percent in Q2 2019.
To defend against these threats, it is critical that New Zealand businesses and government agencies invest in a dedicated advanced email security gateway to stop threats from ever reaching employees – and provide remedies, including security awareness training, to empower users in the event they do. Deploying DMARC email authentication protocols and lookalike domain defences is an absolute must to defend against today’s people-centric attacks.