UK shoppers at risk of email fraud this Black Friday and Cyber Monday


Research finds almost half of top retailers and payment gateways in the UK are not actively blocking fraudulent emails from reaching customers

London, UK – 16 November 2023 – Proofpoint, Inc., a leading cyber security and compliance company, today released research identifying that 47% of the top retailers and 45% of payment gateways in the UK are lagging behind on basic cybersecurity measures, leaving customers, staff and partners open to email fraud this holiday shopping season.

The findings are based on an analysis of Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption across the top 30 retailers and top 20 payment platforms in the UK. DMARC[1] is an email validation protocol designed to protect domain names from being misused by cybercriminals. A domain owner publishes a DMARC record in DNS that tells receiving mail servers what to do with messages which claim to come from that domain but fail SPF or DKIM authentication aligned with the visible From address; the receiver applies that check before the message reaches its intended destination. DMARC has three policy levels – monitor (p=none), quarantine and reject,[2] with reject being the most secure, because it instructs receivers to refuse unauthenticated messages rather than deliver them to the inbox or spam folder.
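The following Python script shows how the classification behind the findings can be reproduced and what a receiver does with the resulting policy: it parses the TXT record a domain publishes at _dmarc.<domain>, sorts it into the buckets used above (no record, monitor, quarantine, reject; the three levels are described in footnote [2]), flags settings that weaken a nominal p=reject, and then evaluates a message against the policy using SPF/DKIM alignment. This is an added example, not Proofpoint's tooling or the research's own script; every domain name and record in it is constructed, and the organisational-domain helper uses a one-entry stand-in for the Public Suffix List.

```python
"""Classify DMARC records the way the research above does and show the
receiver-side verdict a p=reject policy produces.  Added example, not
Proofpoint's tooling; every domain and record here is constructed."""
from __future__ import annotations
from dataclasses import dataclass

POLICIES = ("none", "quarantine", "reject")

@dataclass
class DmarcPolicy:
    policy: str            # p=   none (monitor) | quarantine | reject
    subdomain_policy: str  # sp=  defaults to p
    pct: int               # pct= share of failing mail the policy is applied to
    adkim: str             # r = relaxed (organisational domain) | s = strict
    aspf: str
    rua: bool              # aggregate-report address present?

def parse_dmarc(txt_records: list[str]) -> DmarcPolicy | None:
    """None when the domain has no usable record.  RFC 7489: exactly one TXT
    record at _dmarc.<domain> may start with v=DMARC1 (case-sensitive) and it
    must carry a valid p=; receivers ignore anything else, i.e. no protection."""
    records = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if len(records) != 1:
        return None
    tags = {}
    for chunk in records[0].split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    p = tags.get("p")
    if p not in POLICIES:
        return None
    sp = tags.get("sp", p)
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    return DmarcPolicy(p, sp if sp in POLICIES else p, min(pct, 100),
                       tags.get("adkim", "r"), tags.get("aspf", "r"), "rua" in tags)

def classify(txt_records: list[str]) -> str:
    """The buckets used in the findings above."""
    pol = parse_dmarc(txt_records)
    if pol is None:
        return "no record"
    return "monitor" if pol.policy == "none" else pol.policy

def weaknesses(pol: DmarcPolicy) -> list[str]:
    """Ways a published p=reject still falls short of blocking every spoof."""
    found = []
    if pol.pct < 100:
        found.append(f"pct={pol.pct}")              # policy sampled, rest delivered
    if POLICIES.index(pol.subdomain_policy) < POLICIES.index(pol.policy):
        found.append(f"sp={pol.subdomain_policy}")  # subdomains stay spoofable
    if not pol.rua:
        found.append("no rua")                      # no reports, spoofing unseen
    return found

def org_domain(domain: str) -> str:
    """Organisational domain for relaxed alignment.  Real receivers use the
    Public Suffix List; this one-entry table is a stand-in (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2:] == ["co", "uk"] else 2
    return ".".join(labels[-n:])

def dmarc_verdict(pol: DmarcPolicy, from_domain: str,
                  spf_domain: str | None, dkim_domains: list[str]) -> str:
    """Receiver-side outcome for one message.  spf_domain is the envelope
    sender domain that passed SPF, dkim_domains the d= values of signatures
    that verified.  Pass needs at least one of them aligned with From:;
    otherwise the policy (or the subdomain policy) is applied."""
    def aligned(auth: str, mode: str) -> bool:
        if mode == "s":
            return auth.lower() == from_domain.lower()
        return org_domain(auth) == org_domain(from_domain)

    if spf_domain and aligned(spf_domain, pol.aspf):
        return "pass"
    if any(aligned(d, pol.adkim) for d in dkim_domains):
        return "pass"
    sub = from_domain.lower() != org_domain(from_domain)
    return pol.subdomain_policy if sub else pol.policy

# Constructed TXT records, as they would be served at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "retailer-a.co.uk": ["v=DMARC1; p=reject; rua=mailto:dmarc@retailer-a.co.uk"],
    "retailer-b.co.uk": ["v=DMARC1; p=none; rua=mailto:dmarc@retailer-b.co.uk"],
    "retailer-c.co.uk": ["v=DMARC1; p=reject; pct=25; sp=none"],
    "retailer-d.co.uk": [],                                          # nothing published
    "retailer-e.co.uk": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: invalid
}

if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(f"{domain:18} {classify(records)}")
    strict = parse_dmarc(SAMPLE_RECORDS["retailer-a.co.uk"])
    # Spoof: From: retailer-a.co.uk sent via attacker infrastructure whose own
    # SPF passes but does not align, no DKIM signature -> receiver rejects it.
    print(dmarc_verdict(strict, "retailer-a.co.uk", "bulk.attacker.example", []))
    # Legitimate mail DKIM-signed by the retailer's mail subdomain -> passes.
    print(dmarc_verdict(strict, "retailer-a.co.uk", None, ["mail.retailer-a.co.uk"]))
```

Two details matter when reading the headline numbers. A domain counts as "reject" here only if its single valid record says p=reject; two records at _dmarc, a typo in p=, or a missing record all fall into the "no record" bucket, since receivers ignore them. And p=reject with pct=25 or sp=none (retailer-c above) is still reported as reject by a simple adoption survey even though most spoofed mail, or any mail spoofing a subdomain, would still be delivered, which is what the weaknesses() check surfaces.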

As the holiday shopping season kicks off with Black Friday and Cyber Monday later this month, and with Britons expected to spend £3 billion during this sale period, consumers are eagerly searching for the best offers and may have their guard down. Deal hunting also brings a surge of promotional email from retailers, which gives cybercriminals cover to launch phishing attacks and other fraudulent schemes and leaves users at greater risk of falling victim to such scams.

“Email continues to be the vector of choice for cybercriminals and the retail industry remains a key target. In addition, cybercriminals will always leverage key events to drive targeted attacks using social engineering techniques such as impersonation and will capitalise on a time when guards are down, and attentions are focused on grabbing seasonal bargains. Ahead of Black Friday, shoppers must be vigilant in checking the validity of all emails and retailers must do better to ensure their customers remain safe online,” said Matt Cooke, Cybersecurity Strategist, Proofpoint.

Key findings from the research include:

Top 30 retailers in the UK:

  • 90% of the UK’s top retailers have published a DMARC record. This, however, leaves 10% with no protection against domain impersonation and a heightened risk of email fraud for end-users.
  • Despite this, only 53% of the UK’s top retailers have implemented the recommended and strictest level of DMARC protection (reject), which actively blocks fraudulent emails from reaching their intended targets, meaning 47% are leaving consumers, staff and partners open to email fraud.

Top 20 payment gateways in the UK:

  • 85% of the top UK payment gateways have published a DMARC record. This, however, leaves 15% with no protection against domain impersonation and a heightened risk of email fraud for end-users.
  • Only 55% of the UK’s top payment gateways have implemented the recommended and strictest level of DMARC protection (reject), which actively blocks fraudulent emails from reaching their intended targets, meaning 45% are leaving consumers, staff and partners open to email fraud.

“Email authentication protocols such as DMARC are essential in fortifying defences against email fraud and safeguarding customers, staff and stakeholders from malicious attacks. Think of it as the passport control of the email security world,” says Matt Cooke, Cybersecurity Strategist, Proofpoint. “While individuals play a crucial role in defending against email fraud, their actions also present one of the biggest vulnerabilities for organisations. DMARC remains the only technology capable of not just defending against but eliminating domain spoofing and the risk of impersonation. By achieving full DMARC compliance, organisations can prevent malicious emails from reaching the inboxes, thereby eliminating the risk of human interference.”

Proofpoint recommends consumers follow the below top tips to remain safe online while shopping for seasonal bargains:

  • Protect Your Passwords: Refrain from using the same password more than once. Employ a password manager to streamline your online experience while maintaining security. Add an extra layer of protection with multi-factor authentication.
  • Beware of Imitation Sites: Be vigilant for fraudulent websites that mimic reputable brands. These copycat sites might peddle counterfeit or non-existent products, host malware, or attempt to pilfer money and credentials.
  • Dodge Phishing and Smishing Threats: Stay alert to phishing emails that lead to unsafe websites designed to collect personal data, including login credentials and credit card details. Also, be wary of SMS phishing, or 'smishing,' and messages received through social media.
  • Refrain from Clicking on Links: Avoid clicking on links and instead, directly type the known website address into your browser to access advertised deals. For special offer codes, enter them during the checkout process to verify their legitimacy.
  • Verify Before Making a Purchase: Fraudulent advertisements, websites, and mobile apps can be deceptively convincing. Prior to downloading a new app or visiting an unfamiliar website, invest time in reading online reviews and checking for customer complaints.

Against this backdrop, Google and Yahoo! recently announced that from February 2024 they will require email authentication from senders who want their messages delivered to Gmail and Yahoo mailboxes, signalling that important steps are being taken to prevent spam and scams. The strictest requirements apply to bulk senders, such as healthcare organisations, that send large volumes of email per day (Google's threshold is 5,000 messages a day to Gmail addresses); they must have SPF, DKIM and a DMARC policy deployed, amongst other measures. Failure to comply will significantly impact the deliverability of legitimate messages to customers with Gmail and Yahoo accounts.

To find out more about DMARC, visit https://www.proofpoint.com/uk/products/email-fraud-defence.

Methodology:

This analysis was conducted in October 2023 using the domains listed in the following published rankings: The UK’s top 30 ecommerce retailers, Compare Best 16 Payment Gateways For UK SMEs (2023) and 10 Best Payment Gateways In UK.

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

[1] What is DMARC?

[2] Monitor (p=none: unauthenticated emails are still delivered to the recipient's inbox or other folders, and the domain owner only receives reports), Quarantine (p=quarantine: unauthenticated emails are directed to the junk or spam folder) and Reject (p=reject), the highest level of protection, which blocks unauthenticated emails from reaching the recipient at all.