Even as consumers' preference for online shopping continues to grow and email continues its reign as one of the top marketing channels, internet retailers aren't keeping up with necessary consumer safety measures. A report released by 250ok reveals that 71 percent of the internet retailer domains analyzed have no Domain-based Message Authentication, Reporting and Conformance (DMARC) policy in place, leaving customer data vulnerable to phishing attacks.
What’s the Trouble With Email?
Email remains one of cybersecurity’s biggest problems. According to Verizon's 2018 Breach Investigations report, more than 92 percent of malware attacks originated in an email link. IT decision makers should take notice, as 56 percent of those surveyed identified targeted phishing attacks as their biggest security threat.
Despite this, the Global DMARC Adoption 2019 report reveals a troubling truth: retailers are doing a poor job of protecting consumers from phishing threats. The report analyzed domains across the e-commerce sector to see whether the organization's organizational domain, excluding any subdomains, implements any level of DMARC policy: none (good), quarantine (better), or reject (best). While retailer adoption is on the rise, there's still a long way to go toward effectively protecting the interests of consumers.
DMARC is the industry standard for email authentication, used to protect consumers against attacks in which malicious third parties send harmful messages using a counterfeit email address. Retailers that implemented DMARC have seen improved delivery metrics while also lowering the likelihood of their domains being spoofed and used for phishing attacks on email recipients. Domains without a DMARC policy leave recipients, and in the retailer’s case, customers, vulnerable to possible phishing attacks.
A study from the Anti-Phishing Working Group reported a decline in the number of phishing attacks reported during last year's fourth quarter. However, upon closer inspection, we discover this isn't due to fewer attacks. Phishing is just becoming harder to detect, thanks to new tactics like multiple redirects and valid security certificates. Internet retailers must become more vigilant in adding security measures like DMARC to quell phishing attacks.
Phishing and spoofing attacks occur more frequently when companies don't have published Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and DMARC policies in place.
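The none/quarantine/reject scale the report uses, and the organizational-domain versus subdomain distinction, can be checked mechanically from a domain's `_dmarc` TXT record. The following is an added example written for this article; it is not 250ok's tooling or code from the report. It simulates DNS with a constructed in-memory table (the `shop-*.example` names and records are made up) so it runs offline, and it deliberately handles the edge cases a practitioner runs into: no record at all, a non-DMARC record published at `_dmarc`, an invalid `p=` tag (which RFC 7489 §6.6.3 says to treat as `p=none` when a `rua=` address is present), a `pct=` below 100, and an `sp=` tag that leaves subdomains weaker than the organizational domain. The `org_domain` helper is a simplification (last two labels) and is labelled as such; real tooling should consult the Public Suffix List.

```python
"""Classify a domain's DMARC posture on the report's scale:
missing < none (good) < quarantine (better) < reject (best).

Added example for this article, not 250ok's tooling. DNS is simulated with a
constructed in-memory table so the code runs offline; for live checks, replace
`lookup_txt` with a resolver call (e.g. dnspython's dns.resolver.resolve).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records; the domains and addresses are not real.
FAKE_DNS: Dict[str, str] = {
    "_dmarc.shop-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@shop-a.example",
    "_dmarc.shop-b.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "_dmarc.shop-c.example": "v=DMARC1; p=none; rua=mailto:reports@shop-c.example",
    # An SPF record published at the _dmarc name: not a DMARC record at all.
    "_dmarc.shop-e.example": "v=spf1 include:_spf.shop-e.example -all",
    # Invalid p= but a rua= address: RFC 7489 s6.6.3 says act as p=none.
    "_dmarc.shop-f.example": "v=DMARC1; p=bogus; rua=mailto:dmarc@shop-f.example",
}

RANK = {"none": 1, "quarantine": 2, "reject": 3}
RATING = {1: "good", 2: "better", 3: "best"}


@dataclass
class DmarcPosture:
    domain: str                      # organizational domain that was checked
    policy: Optional[str]            # p= value, or None when nothing usable exists
    subdomain_policy: Optional[str]  # sp= value (defaults to p=)
    pct: int                         # share of failing mail the policy applies to
    has_reporting: bool              # rua= present
    rating: str                      # missing / invalid / good / better / best

    def weaknesses(self) -> List[str]:
        """Plain-language findings a deliverability or security reviewer would raise."""
        if self.policy is None:
            return [f"no enforceable DMARC record at _dmarc.{self.domain}"]
        notes = []
        if self.policy == "none":
            notes.append("p=none only monitors; spoofed mail is still delivered")
        if self.pct < 100:
            notes.append(f"pct={self.pct}: only {self.pct}% of failing mail gets the policy")
        if RANK[self.subdomain_policy] < RANK[self.policy]:
            notes.append(f"sp={self.subdomain_policy} leaves subdomains weaker than the org domain")
        if not self.has_reporting:
            notes.append("no rua= address: no aggregate reports showing who sends as this domain")
        return notes


def lookup_txt(name: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[str]:
    """Simulated TXT lookup (assumption: one record per name is enough here)."""
    return dns.get(name.lower())


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption/simplification: real code must use the Public Suffix List,
    otherwise names under e.g. co.uk are mis-grouped."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a 'tag=value; tag=value' record into a dict.
    Returns None unless the first tag is v=DMARC1 (RFC 7489 requires it first)."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, dns: Dict[str, str] = FAKE_DNS) -> DmarcPosture:
    """Evaluate the DMARC policy of the organizational domain behind `domain`."""
    org = org_domain(domain)
    txt = lookup_txt(f"_dmarc.{org}", dns)
    if txt is None:
        return DmarcPosture(org, None, None, 0, False, "missing")
    tags = parse_dmarc(txt)
    if tags is None:
        return DmarcPosture(org, None, None, 0, False, "invalid")

    policy = tags.get("p", "").lower()
    sp = tags.get("sp", policy).lower()
    if policy not in RANK or sp not in RANK:
        # RFC 7489 s6.6.3: invalid p=/sp= with a rua= address is treated as
        # p=none; without rua= the receiver applies no DMARC processing.
        if "rua" not in tags:
            return DmarcPosture(org, None, None, 0, False, "invalid")
        policy = sp = "none"

    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # simplification: a malformed pct= is ignored
    return DmarcPosture(org, policy, sp, pct, "rua" in tags, RATING[RANK[policy]])


if __name__ == "__main__":
    for host in ("www.shop-a.example", "shop-b.example", "shop-c.example",
                 "shop-d.example", "shop-e.example", "shop-f.example"):
        posture = assess(host)
        print(f"{posture.domain:18} {posture.rating:8} {'; '.join(posture.weaknesses())}")
```

Running it prints one line per constructed domain: `shop-a.example` rates "best", `shop-b.example` rates "better" but carries three findings (the 25 percent rollout, the weaker `sp=none`, and no reporting address), `shop-c.example` rates "good", and `shop-d.example` rates "missing" because nothing is published. The design point is that the report's three-tier scale is only the headline: `pct=` and `sp=` can quietly leave a "quarantine" domain far less protected than it looks, which is exactly what the `weaknesses()` check surfaces.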
Are We There Yet?
DMARC adoption is progressing, but it still has a long way to go. Compared to 2018, European and U.S. retailers increased DMARC adoption by 14.8 percent and 12.5 percent, respectively. Overall, internet retailers have greater DMARC adoption for their corporate or brand domains when compared to global averages. This upward progress shows a general maturity of the DMARC standard and a growing understanding of how critical authentication is for protecting a brand, its customers, and its employees.
Given the information available about the risks associated with leaving domains unprotected, the number of retailers that still don't understand the importance of DMARC is shocking. Until we reach the point where mailbox providers require proper authentication on all emails, including DMARC implementation, all internet retailers must take the steps necessary to keep their customers and employees safe from phishing.
Matthew Vernhout is the director of privacy at 250ok, an email analytics and deliverability platform.