Toronto, CANADA – August 24, 2023 – Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research identifying that more than three in four leading Canadian energy companies (77%) are lagging behind on basic cybersecurity measures, subjecting their customers, staff and stakeholders to a higher risk of email-based impersonation attacks.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the 40 largest energy companies in Canada. DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals to launch phishing and email fraud attacks. It authenticates the sender's identity before allowing a message to reach its intended recipient, such as energy customers or employees. DMARC has three levels of protection – monitor, quarantine and reject¹, with reject being the most secure for preventing suspicious emails from reaching the inbox.  

Proofpoint’s research reveals only nine (23%) of Canada’s leading energy companies have implemented the strictest and recommended level of DMARC (reject), meaning 77% have not taken appropriate measures to proactively block spoofed emails from reaching recipients’ inboxes, increasing the risk of email fraud. 10 energy companies (25%) only have a monitoring policy in place for spoofed emails, thereby still allowing potentially malicious spoofed emails into the recipient’s inbox.

67% of the leading energy companies in Canada have taken the initial steps to protecting customers from email fraud by publishing a basic DMARC record. Yet, 33% have no DMARC protection in place at all and are therefore exposed to cybercriminals impersonating their domains to target customers with email fraud. 

“As the energy sector is key to both Canada’s economy and its national security, these industry organizations have become prime targets for cybercriminals,” said Jeffrey Freedman, area vice president, Canada, Proofpoint. “Due to the high value of the industry’s assets, such intellectual property, trade secrets, and vast amounts of customer data, it is critical that energy organizations prioritize cybersecurity measures to safeguard against potential cyber threats and protect their customers’ data.”

The Canadian Centre for Cyber Security recently advised that financially motivated cybercrime, particularly business email compromise (BEC) and ransomware, is the main cyber threat facing the Canadian energy industry. BEC is a form of social engineering designed to trick victims into thinking they have received a legitimate email from a senior employee within an organization requesting money or sensitive information be sent. According to Proofpoint’s 2023 State of the Phish report, 62% of Canadian organizations reported an attempted BEC attack last year.

“Email authentication protocols such as DMARC are essential in fortifying defenses against email fraud and safeguarding customers, staff and stakeholders from malicious attacks,” continued Jeffrey Freedman. “While individuals play a crucial role in defending against email fraud, their actions also present one of the biggest vulnerabilities for organizations. DMARC remains the only technology capable of not just defending against but eliminating domain spoofing and the risk of impersonation. By achieving full DMARC compliance, organizations can prevent malicious emails from reaching the inboxes and eliminate the risk of human interference.”

Best practices for customers, staff, and other stakeholders:

• Check the validity of all email communication and be aware of potentially fraudulent emails impersonating energy companies.
• Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked. 
• Follow best practices when it comes to password hygiene, including using strong passwords, never re-using them across multiple accounts and using multi-factor authentication where available.

This analysis was conducted in August 2023 using data from the list of S&P's TSX Composite Energy Sector Index, comprised of the 40 largest Canadian energy organizations, as measured by total assets.

[1] Monitor (allows unqualified emails to go to the recipient's inbox or other folders), Quarantine (directs unqualified emails to go to the junk or spam folder) and Reject, the highest level of protection, (blocks unqualified emails from getting to the recipient).

###

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber-attacks. Leading organizations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.

[1] Monitor (allows unqualified emails to go to the recipient's inbox or other folders), Quarantine (directs unqualified emails to go to the junk or spam folder) and Reject, the highest level of protection, (blocks unqualified emails from getting to the recipient).