American Shoppers at Risk of Email Fraud this Black Friday and Cyber Monday


More than half of online retailers in the U.S. are not actively blocking fraudulent emails from reaching consumers

SUNNYVALE, Calif. – November 20, 2023 – With days to go until the start of the Black Friday and Cyber Monday shopping period, Proofpoint, a leading cybersecurity and compliance company, today released new research revealing more than half (52%) of the top 50 online retailers in the United States are not taking appropriate measures to protect consumers from potential email fraud and cybercrime.

Experts are anticipating a record-breaking holiday shopping season this year, with forecasted retail sales estimated between $957.3 billion and $966.6 billion. A recent survey from the National Retail Federation (NRF) found consumers plan to spend $875 on core holiday items including gifts, decorations, food and other holiday-related purchases this year.

Proofpoint’s analysis of the top 50 retailers according to the NRF and their adoption of DMARC, a widely-used authentication protocol that helps guarantee the identity of email communications and protects website domain names from being spoofed and misused, has found:

  • Less than half (48%) of online retailers in the U.S. have implemented the highest level of protection to reject suspicious emails from reaching consumers’ inboxes, meaning 52% of online retailers are not actively blocking fraudulent emails from reaching consumers.
  • More than one in 10 (12%) have no DMARC record in place at all.
  • 26% have implemented a monitor policy, meaning unqualified emails can still arrive in the recipient’s inbox; and only 14% have implemented a quarantine policy to direct unqualified emails to spam/junk folders.
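The four buckets above (no record, monitor, quarantine, reject) correspond to the `p=` tag of the TXT record published at `_dmarc.<domain>`. The following is an added example, not Proofpoint's code or methodology: it classifies records that have already been fetched, and the domains and records in `SAMPLE` are constructed.

```python
# Added example: classify DMARC TXT records into the four buckets used above.
# Domains and records below are constructed samples, not survey data.
from collections import Counter

BUCKETS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map the TXT strings found at _dmarc.<domain> to a policy bucket."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    # Zero records, or more than one, means receivers apply no DMARC policy.
    if len(records) != 1:
        return "no record"
    # Simplification: a record without a valid p tag is counted as no record.
    policy = records[0].get("p", "").lower()
    return BUCKETS.get(policy, "no record")

def summarize(survey):
    """Count domains per bucket and report the share not at p=reject."""
    counts = Counter(classify(txts) for txts in survey.values())
    not_blocking = sum(n for b, n in counts.items() if b != "reject")
    return counts, round(100 * not_blocking / len(survey))

SAMPLE = {  # constructed: TXT strings as returned for _dmarc.<domain>
    "shop-a.example": ["v=DMARC1; p=reject; rua=mailto:d@shop-a.example"],
    "shop-b.example": ["v=DMARC1; p=none; rua=mailto:d@shop-b.example"],
    "shop-c.example": ["v=DMARC1; p=quarantine; pct=50"],
    "shop-d.example": [],
    "shop-e.example": ["v=spf1 -all"],
    "shop-f.example": ["v=DMARC1;p=Reject"],
}

if __name__ == "__main__":
    counts, pct = summarize(SAMPLE)
    print(dict(counts), f"{pct}% not at reject")
```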

“The influx of emails from brands offering great deals during the Black Friday and Cyber Monday shopping period makes it an opportune time for cyber criminals to capitalize on the spike in email traffic and target shoppers with creative and convincing lures and scams,” said Robert Holmes, group vice president and general manager of Proofpoint’s Sender Security and Authentication business. “As consumers search the internet and check their inboxes for the latest shopping bargains, it's important to remain vigilant and practice safe online shopping. Remember that even on Black Friday and Cyber Monday, if it seems to be too good to be true, it probably is!”

Email is a widely used marketing tool and a popular channel through which cyber criminals conduct large-scale phishing campaigns to steal personal information or credit card details, which can then be used for identity and financial fraud. DMARC is widely viewed as best practice for preventing suspicious emails from reaching the inbox, yet more than one in ten leading online retailers aren’t protected, allowing malicious actors to impersonate their brand by delivering malicious emails to consumers’ inboxes.

DMARC (Domain-based Message Authentication, Reporting and Conformance) authenticates an email sender’s identity before allowing a message to reach its intended destination, ensuring the sender is who it says it is to prevent cybercriminals from impersonating a trusted company or brand.

Against this backdrop, Google and Yahoo! recently announced that beginning in February 2024, email DMARC authentication will be required to send messages from their platforms, signaling that critical steps are being taken to prevent spam and scams. These security requirements will apply especially to accounts that send large volumes of emails per day, such as retailers, which will need to have the DMARC authentication protocol deployed. Failure to comply will significantly impact the deliverability of legitimate messages to customers with Gmail and Yahoo! accounts.

“Our 2023 State of the Phish Report revealed that more than a third of Americans think an email is safe if it merely includes familiar branding,” added Holmes. “We encourage shoppers to take extra care this holiday season, avoid clicking on suspicious links in emails and ensure they transact on verified websites. We also encourage consumers to make sure they are doing their due diligence when shopping—not just during Black Friday and Cyber Monday, but whenever they’re spending money and providing personal and financial information online.”

Proofpoint’s tips to stay safe when shopping for seasonal bargains this holiday season:

  • Use Multifactor Authentication (MFA) or a Password Manager: MFA and password managers were invented because passwords and usernames are often easy to guess or steal. Employing MFA and a password manager streamlines your online experience while helping to secure your online accounts.
  • Beware of Imitation Sites: Be vigilant for fraudulent websites that mimic reputable brands. These copycat sites might peddle counterfeit or non-existent products, host malware, or attempt to pilfer money and credentials.
  • Dodge Phishing and Smishing Threats: Stay alert to phishing emails that lead to unsafe websites designed to collect personal data, including login credentials and credit card details. Also, be wary of SMS phishing, or 'smishing,' and messages received through social media.
  • Refrain from Clicking on Links: Avoid clicking on links and instead, directly type the known website address into your browser to access advertised deals. For special offer codes, enter them during the checkout process to verify their legitimacy.
  • Verify Before Making a Purchase: Fraudulent advertisements, websites, and mobile apps can be deceptively convincing. Prior to downloading a new app or visiting an unfamiliar website, invest time in reading online reviews and checking for customer complaints.

To find out more about DMARC, visit https://www.proofpoint.com/us/products/email-fraud-defense.

Methodology: This analysis was conducted in October 2023 using data from the National Retail Federation's Top 100 Retailers 2023 List.

# # #

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.


Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.