Cybersecurity for Federal Government Agencies

Security Brief: More than 80% of State Governments and Health Departments Exposed to Email Fraud Risk

Share with your network!

During the COVID-19 pandemic, states are on the front line as they work to ensure the safety of their constituents and communities. Unfortunately, many state governments and health departments have not implemented email authentication best practices and may be unknowingly exposing themselves to cybercriminals looking to capitalize on the pandemic and potentially trick individuals with fraudulent emails.

In an examination of U.S. state governments and health departments, Proofpoint uncovered that 44 percent of these entities do not have a published DMARC (Domain-based Message Authentication, Reporting & Conformance) record, making them potentially more susceptible to cybercriminals spoofing their identity and increasing the risk of email fraud targeting users.

Further, 92 percent of all state governments and 88 percent of state health departments have not implemented the strictest and recommended level of DMARC protection. That setting and policy is known as “Reject” and actually blocks fraudulent emails from reaching their intended target. This figure includes 10 states that do not have a standalone health department site (separate from the state’s master .gov site).

DMARC, which is an email validation protocol designed to protect domain names from being misused by cybercriminals, authenticates the sender’s identity before allowing the message to reach its intended designation. It verifies that the purported domain of the sender has not been impersonated and relies on the established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards to ensure the email is not spoofing the trusted domain.

State governments and health departments are in constant contact with constituents as they share updates around the progression of the virus and statewide shelter-in-place orders and other measures. At the same time, cybercriminals are carefully following each new COVID-19 development and launching attacks that are social engineering at scale based on fear. They know people are looking for information around this out of concern for their safety and are more likely to click on potentially malicious links or download attachments.

Proofpoint has identified more than 300 COVID-19 themed scams to date, accounting for more than 500,000 messages, 300,000 malicious URLs, and 200,000 malicious attachments. Cybercriminals regularly use domain spoofing to pose as trusted entities and take advantage of weaknesses in email protocols to send a message under a supposedly legitimate sender address. This makes it difficult for an ordinary Internet user to identify a fake sender.

It is critically important that the communication methods used by each state is secure. Effective security requires a people-centric approach that caters to the most attacked and vulnerable individuals. We recommend implementing robust email defences and inbound threat blocking capabilities (including deploying DMARC email authentication protocols), combined with cybersecurity awareness programs that train users to spot and report malicious emails.

For more information on DMARC, email fraud, and Proofpoint’s email security solutions, please visit: And for more information on how to get started with DMARC, please visit: