Why Full DMARC Protection is a Pressing Business Imperative in 2020 and Beyond

This story first appeared on the Agari Email Security Blog.

By Armen Najarian, Chief Identity Officer, Agari

If you haven’t deployed Domain-based Messaging Authentication, Reporting, and Conformance (DMARC) to protect your brand from being impersonated in phishing scams, there are pressing reasons to jump on it now.

Without a doubt, these are extraordinary times for individuals and organizations alike as we’ve been forced to change the way we work, shop, play, and live seemingly overnight, and for far longer than most imagined. But assuming that cybercriminals have been waiting around for you to catch your breath is wishful thinking.

Today, stressed out consumers are being targeted in record numbers of phishing emails that masquerade as messages from well-known brands. With as many as 75 million corporate employees still working from home, it’s just a matter of time before one of them initiates payment on a fraudulent invoice, or falls for a phony account alert, in response to emails that appear to come from a brand or colleague they trust.

Get impersonated, and both your organization and brand could be in for a world of hurt. Take for example, a Fortune 100 Software company where the CSO’s name and corporate email address were commandeered in a scam involving 40,000 bogus email messages.

Your business reputation tarnished in an instant, relationships strained, and even lawsuits filed. And negative news reports amplified in social media could render your legitimate, revenue-generating email campaigns DOA. All at the worst time possible.

Over the last four years, phishing and BEC have led to more than $26 billion in direct financial losses worldwide. But today, four new trends are adding a whole new level of urgency for authenticating outgoing email with DMARC.

#1 Digital Transformation Has Left You Open to Attack

Shoving 10 years of digital transformation into six short months is no easy feat, but that’s what has seemed to have happened so far in 2020. With offices shuttered, entire workforces at home, and demand for mobile-first experiences at the fore, it’s easy to see how operational priorities could put DMARC on the back burner. But that probably is not a smart move.

For those not yet familiar with the term, DMARC is a standard email authentication protocol that, when fully implemented, stops fraudsters from pirating an organization’s domains to launch phishing-based brand impersonation scams.

Still 80% of Fortune 500 companies remain vulnerable to impersonations that put their customers, partners and the general public at risk. And it shows. Thirty-one percent of US consumers report being hit by phishing attacks during the last four months.

And while 2019 was the worst year on record for advanced email attacks targeting businesses, the FBI reported this year’s volume of phishing emails and business email compromise (BEC) scams exceeded all of 2019 way back in May. As our data shows, brands are impersonated in 66% of such attacks.

#2 Delaying DMARC Makes You a Preferred Target

Failure to deploy DMARC across all your corporate domains isn’t just asking for trouble anymore. Now, it can put you at the top of the target list.

At its most essential, DMARC enables email receiver systems to recognize when an email isn’t coming from a specific brand’s authenticated senders, and gives email messaging administrators the ability to tell receiver systems what to do with these unauthorized email messages. At full enforcement, email messages that do not pass DMARC authentication are blocked from ever reaching their intended recipients.

Sophisticated email threat actors have noticed. In recent months, the Agari Cyber Intelligence Division (ACID) was the first to identify an Eastern European phishing ring it calls Cosmic Lynx that specifically factors a company’s level of DMARC adoption, or lack thereof, into its plans to impersonate corporate executives in email schemes.

If a targeted company hasn’t implemented DMARC, or doesn’t have its DMARC policies set to quarantine or reject, Cosmic Lynx will directly spoof the CEO’s email address in order to correspond with recipients it hopes to victimize through impersonation. If DMARC is properly deployed, they use lookalike domains to try to pull off the ruse, or move on to other targets. This is why Agari solutions provide lookalike domain protection.

#3 Your Entire Supply Chain is at Risk

These B2B brand impersonations aren’t just one-offs anymore, either. Some email crime rings impersonate senior executives to fool accounting staffers into sending them financial aging reports, which are then used to target dozens or even hundreds of the company’s customers requesting payment on legitimate past-due invoices.

The social engineering tactics employed in this scheme can be crushingly effective. Emails sent to companies throughout the extended supply chain include legitimate transaction details that presumably could only be known by the supplier being impersonated.

This and the fact that the request for payment involves invoices that are overdue creates enough urgency to distract recipients into complying with a request to change payment details to a new bank account (controlled by the fraud ring) without question. According to the FBI, it’s worth the effort. While a traditional BEC scam may net cybercriminals an average of $60,000, those that involve supply chain imposters average $125,000.

#4 Case Law and Industry Regulations Put You On the Hook

If lost business, reputational damage, and direct financial theft aren’t enough to dial-up DMARC to the top of your Do-Now list, how about some hefty regulatory fines?

Email security is a major factor in the California Consumer Privacy Act (CCPA) enacted this year, as well as in GDPR, Regulation S-P and a growing number of regulatory mandates in virtually every industry and region. Companies can face major sanctions if they fail to adequately protect consumer data or assets from, among many other things, fraudsters posting as colleagues or customers.

According to Verizon’s 2020 Data Breach Investigations Report, email impersonations are implicated in 7 of 10 corporate data breaches. And emerging case law has held that the party who is in the weakest position to prevent impersonations in fraudulent financial transactions should bear the loss.

In both instances, failure to properly implement DMARC could land your brand in serious legal and regulatory jeopardy. The CCPA, for instance, levies $2,500 for each violation of compliance mandates not rectified within 30 days. Not just the specific violation, mind you. It’s $2,500 for each person whose data is stolen in an individual violation.

DMARC Made Easy

While deploying DMARC on a small scale (e.g., single domain) is relatively simple, implementing it at scale can get very complicated, very fast.

That’s why I’m such a believer in Agari Brand Protection™, which has been shown to drive phishing-based brand impersonations to near zero almost instantly. We pioneered DMARC deployments for the enterprise, making implementation fast and scalable — even across thousands of sending domains. In fact, more than 40% of the Global 2000 rely on our solutions and know-how to reach maximum DMARC enforcement efficiently.

With brands facing new and rapidly evolving phishing and BEC attacks many large organizations need help scaling DMARC across the enterprise. Knowing where you are in this journey, what your goals should be, and how to track and report progress to benchmarks makes all the difference in getting to full DMARC enforcement quickly. This is why we’ve developed the DMARC Readiness Blueprint.

To get one tailored to your business, visit DMARCable.io.