Research by email security provider SMX has shown that New Zealand businesses and government agencies remain vulnerable
to email attacks using spoofed email addresses thanks to the low uptake or incorrect implementation of DMARC
(Domain-based Message Authentication Reporting and Conformance).
As modern email gateway solutions have tackled the bulk of malicious emails, cyber criminals have become more
sophisticated in their approaches, marrying clever facsimiles of genuine emails with domain spoofing so that the email
appears to originate from the business or individual it claims to represent. Even users aware of email security issues
can be fooled by the appearance of a legitimate sender address, leading the victim to either click on a malicious
attachment or respond to the request contained within.
According to CERT NZ, financial losses due to scam and fraud totalled $14.5 million in 2019, with 87% of that being due
to email fraud. There was a 25% increase in phishing and credential harvesting incidents compared to 2018. Ransomware
attacks, which are typically launched via email, are particularly threatening, with CERT NZ reporting last year that 70%
of the ransomware attacks reported to the agency since it was set up led to some form of loss for the victim. Apart from
the financial losses, organisations exposed user data and suffered reputational damage as a result.
A key part of the solution to this problem has existed since 2015. DMARC, when properly implemented, filters incoming
email and verifies whether an email was sent by the purported sender. The result is that no matter how well constructed
the impersonation of a company or individual is, the email filtering program is able to detect and reject the malicious
email.
SMX co-founder and email evangelist, Thom Hooker, says that despite the security advantage DMARC offers, uptake of it
remains low across both business and government in New Zealand.
“We recently surveyed organisations utilising DMARC across the region. We found that while one third of the top 100 New
Zealand companies have some form of DMARC record many of those were either still at the experimental phase or even worse
had misconfigured records. Only 8% could be said to have a solid DMARC implementation.”
“The story within government agencies, where a huge amount of personal and business data resides, was worse. We looked
at the DNS records of all 372 NZ government agencies. While we found 74 agencies have some form of DMARC record we saw
large numbers of misconfigured or invalid records amongst them. Of the 74 agencies with some form of DMARC only 12 are
configured to reject email, with another five configured to quarantine emails that breach their policy.”
“Australian Federal agencies are only slightly ahead of New Zealand. Of 187 agencies 103 have some form of DMARC record
although only 32 (17%) have a record in enforcement mode (with most set to reject and there aren’t misconfigured
records). 71 (37%) have DMARC but are effectively taking no action (including no reporting) while 84 (44%) have no
record at all.”
Hooker says this poor DMARC uptake continues to put businesses and individuals at risk of financial or data loss while
government agencies run the risk of exposing personal data due to a privacy breach originating from an email scam.
“Given how much personal data is stored digitally with government agencies, each agency has a duty to take all
appropriate measures to protect that data. Our research shows that while a small number of government agencies clearly
understand the risks and have implemented DMARC, many either do not or have been slow in adopting DMARC.”
“I think part of the problem is that people assume email is insecure and that there isn’t a way they can stop this type
of spoofing attack beyond good vigilance and standard email filtering tools. But DMARC fundamentally changes that
situation, providing organisations with a technical solution that lets them establish the legitimacy of an email beyond
doubt and reject or quarantine accordingly.”
“The other issue is that many of those who have gone down the DMARC path have either failed to implement it fully or
have made mistakes in doing so, both of which can lead them to underestimate the value it provides. There clearly is a
need for more education in the market.”
Hooker says DMARC should be a de facto part of any organisation’s security approach and its global uptake is vital to
helping fight email-based cyber threats.
“Email has been around for 40 years and despite various attempts to replace it, it’s unlikely to go away any time soon.
It has become a more sophisticated tool as it’s evolved to meet changing demands and DMARC is one of the most
significant evolutions in that history. It’s time more organisations made use of it to protect themselves and their
customers.”