Research finds that 70% of Australia’s top retailers are not actively blocking fraudulent emails from reaching consumers

SYDNEY, Australia – 21 November 2023 – Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research showing that more than two-thirds (70%) of Australia’s top 100 retailers are lagging behind on basic cybersecurity measures, leaving Australian shoppers open to email fraud this holiday shopping season, including Black Friday and Cyber Monday.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of 100 of Australia’s top retailers. DMARC is an email validation protocol designed to protect domain names from being misused by cyber criminals. It authenticates the sender's identity before allowing a message to reach its intended destination. DMARC has three levels of protection¹ – monitor, quarantine and reject with reject being the most secure for preventing suspicious emails from reaching the inbox.

Proofpoint’s research reveals that 70% of Australia’s top retailers have not implemented the recommended and strictest level of DMARC protection, leaving these organisations open to email fraud and domain spoofing attacks. Worryingly, more than one-fifth (21%) of Australian’s top retailers have not implemented a DMARC record at all, leaving themselves wide open to email fraud and domain spoofing attacks.

Research by the Australian Retailers Association² reveals that shoppers are tipped to spend $6.36 billion across the four-day Black Friday/Cyber Monday weekend this year, up 3% from last year.  This surge in online shopping will result in an increase in email communication to and from retailers, presenting the opportunity for cyber criminals to launch sophisticated email-based attacks.

“With Black Friday and Cyber Monday sales kicking off this month, consumers are at an increased risk of falling for email-based phishing attacks. Retailers are a key target for cyber criminals due to the large of amount of highly sensitive data they store, which includes everything from a person’s identifying information like their date of birth and gender, through to their address and their bank account details. In addition, cyber criminals look to leverage key events like these sales to drive targeted attacks and capitalise on a time when guards are down and attentions are focused on grabbing bargains,” said Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan at Proofpoint. “Email continues to be the vector of choice for cyber criminals and the retail industry remains a key target. We remind shoppers to check the validity of their emails and urge retailers to tighten email security ahead of the upcoming holiday shopping season.”

The full findings of Proofpoint's DMARC analysis of Australia’s top retailers show: 

• Whilst Proofpoint’s research showed that 79% of the Australia’s top retailers have adopted a DMARC protocol, only 30% are properly implementing DMARC to the recommended and highest level by blocking suspicious emails.
• 70% of Australia’s top retailers currently do not enforce the recommended strictest level of DMARC.
• More than one-fifth (21%) of Australian’s top retailers have not implemented a DMARC record at all, leaving themselves wide open to email fraud and domain spoofing attacks.
• 79% of Australia’s retailers implement some form of DMARC, yet the DMARC policy levels employed vary as follows: 
  • 30% use DMARC – Reject (the highest level of protection) 
  • 13% use DMARC – Quarantine 
  • 36% use DMARC – Monitor  

“With more and more Australians opting to spend big during these sales, it is critical that retailers fortify their defences against email fraud and safeguard customers, staff, and stakeholders from malicious attacks by implementing the highest possible DMARC protocol,” said Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan at Proofpoint. “By achieving full DMARC compliance, retailers can prevent malicious emails from reaching consumers’ inboxes, safeguarding them both from a potentially catastrophic data breach.”

Proofpoint recommends consumers follow the below top tips to remain safe online while shopping this holiday season:

• Protect Your Passwords: Refrain from using the same password more than once. Employ a password manager to streamline your online experience while maintaining security. Add an extra layer of protection with multi-factor authentication.
• Beware of Imitation Sites: Be vigilant for fraudulent websites that mimic reputable brands. These copycat sites might peddle counterfeit or non-existent products, host malware, or attempt to pilfer money and credentials.
• Dodge Phishing and Smishing Threats: Stay alert to phishing emails that lead to unsafe websites designed to collect personal data, including login credentials and credit card details. Also, be wary of SMS phishing, or 'smishing,' and messages received through social media.
• Refrain from Clicking on Links: Avoid clicking on links and instead, directly type the known website address into your browser to access advertised deals. For special offer codes, enter them during the checkout process to verify their legitimacy.
• Verify Before Making a Purchase: Fraudulent advertisements, websites, and mobile apps can be deceptively convincing. Prior to downloading a new app or visiting an unfamiliar website, invest time in reading online reviews and checking for customer complaints.

Against this backdrop, Google and Yahoo! recently announced that from February 2024, they will require email authentication to be able to send messages from their platforms, signalling that important steps are being taken to prevent spam and scams. These security requirements will apply especially to accounts that send large volumes of emails per day, such as retailers, which will have to have the DMARC authentication protocol deployed, amongst other measures. Failure to comply will significantly impact the deliverability of legitimate messages to customers with Gmail and Yahoo accounts.

This analysis was conducted in November 2023 using data from the Power Retail Top 100 retailers list.

###

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube 

###

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.

¹Monitor (allows unqualified emails to go to the recipient's inbox or other folders), Quarantine (directs unqualified emails to go to the junk or spam folder) and Reject, the highest level of protection, (blocks unqualified emails from getting to the recipient).

² Australian Retailers Association: Black Friday sales tipped to buck Christmas slowdown trend