
Latest news with #Domain-basedMessageAuthentication

Most high-traffic email domains still vulnerable to phishing

Techday NZ

2 days ago


New research from EasyDMARC has found that 92% of the world's top 1.8 million email domains lack adequate protection against phishing attacks. The EasyDMARC 2025 DMARC Adoption Report has revealed that only 7.7% of these domains are fully protected using the strictest DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy, known as 'p=reject'. This policy is designed to actively block malicious emails from being delivered to inboxes.

DMARC is an email authentication protocol that builds on existing standards such as SPF and DKIM, allowing domain owners to specify how they want mail servers to handle emails that fail authentication checks. The protocol also enables domain owners to receive reports on emails sent under their domain name, providing vital records of authentication attempts and potential abuse.

EasyDMARC's analysis demonstrates that although there has been a noticeable increase in DMARC adoption since 2023 — largely due to regulatory initiatives and mandates from major providers including Google, Yahoo, and Microsoft — most organisations opt for the weakest available configuration, 'p=none'. This setting only monitors for threats, rather than thwarting attacks by blocking illegitimate emails.

The report, which reviewed security practices across the most-visited websites globally as well as Fortune 500 and Inc. 5000 companies, shows a continued gap between DMARC adoption and meaningful implementation. More than half (52.2%) of the surveyed domains have not implemented DMARC at any level, leaving them exposed to phishing and spoofing risks. Among domains that do have a DMARC record, most have not configured enforcement policies or reporting mechanisms necessary for full protection.

The research also found that over 40% of the domains with a DMARC record did not include any reporting tags. This omission means these organisations have little to no visibility into authentication failures or an understanding of who might be sending emails on their behalf.

Gerasim Hovhannisyan, Chief Executive Officer of EasyDMARC, addressed the misconception surrounding DMARC adoption: "There's a growing perception that simply publishing a DMARC record is enough. But adoption without enforcement creates a dangerous illusion of security. In reality, most organisations are leaving the door wide open to attacks targeting customers, partners, or even employees."

Mandates have had a measurable effect. In the United States, where regulatory enforcement is strong, the proportion of phishing emails accepted dropped from 68.8% in 2023 to just 14.2% in 2025. Similar progress was noted in the UK and the Czech Republic, countries that also enforce DMARC usage. However, countries without strict requirements, such as the Netherlands and Qatar, showed minimal improvement in reducing phishing acceptance rates.

Recent high-profile cyber attacks, including those targeting retailers such as M&S and Co-op, serve as a backdrop for the report's release. In these incidents, attackers exploited weaknesses in email security through social engineering, costing affected businesses hundreds of thousands in losses. According to EasyDMARC, the increasing sophistication of phishing, partly driven by the use of AI, magnifies the risks for organisations that are inadequately protected.

Hovhannisyan further commented: "Misconfigurations, missing reporting, and passive DMARC policies are like installing a security system without ever turning it on. Phishing remains one of the oldest and most effective forms of cyberattack, and without proper enforcement, organisations are effectively handing attackers the keys to their business. As threats grow more sophisticated and compliance pressures mount, stopping halfway with DMARC enforcement is no longer an option."

The report methodology combined public DNS data with proprietary data collected through EasyDMARC's platform. It involved the review of aggregate DMARC reports from major mailbox providers and included a survey of 980 IT professionals across the United States, United Kingdom, Canada, and the Netherlands. This allowed for insights into regional differences in phishing trends, adoption challenges, and the varying influence of regulatory mandates.

The research concludes that while DMARC adoption has increased, genuine protection against phishing relies on both enforcement and visibility — elements still missing for the vast majority of high-traffic domains worldwide.

Barracuda: One in five firms faces monthly email account attacks

Techday NZ

29-04-2025


Barracuda has published its 2025 Email Threats Report, detailing the current state of email-based risks facing organisations worldwide. The report, based on Barracuda's threat detection data, reveals that attackers are increasingly moving malicious links and content into email attachments, aiming to bypass detection by conventional security tools. The report stresses the importance of implementing advanced AI-based threat detection to identify these concealed threats.

According to the research, as many as 20% of organisations faced at least one attempted or successful account takeover incident per month. Attackers typically sought access through phishing, credential stuffing, or exploiting weak and reused passwords. Once they have unauthorised access, attackers can steal sensitive data, navigate laterally within an organisation, and disseminate phishing emails from what appear to be trusted sources.

The report states that 23% of HTML attachments are malicious, designating them as the most weaponised type of text file. Indeed, more than three-quarters of all malicious files detected during the research period were HTML files. Despite their legitimate use for sharing content such as newsletters or invitations, these attachments have become a favoured vehicle for cyber attackers.

Furthermore, 68% of malicious PDF attachments and 83% of malicious Microsoft documents contain QR codes designed to redirect users to phishing websites. Among malicious PDF attachments, 12% are linked to Bitcoin sextortion scams, adding another layer to the evolving tactics adopted by cyber criminals.

Nearly half (47%) of email domains analysed in the report do not have Domain-based Message Authentication, Reporting and Conformance (DMARC) set up. Without DMARC, organisations are left more vulnerable to spoofing and impersonation attacks, where cyber criminals exploit the brand's identity to carry out fraudulent activity.

The report also shows that unwanted or malicious spam has risen to account for 24% of all email traffic, underlining the sheer scale of the challenge for IT departments attempting to manage and secure email communications.

Olesia Klevchuk, Product Marketing Director, Email Protection at Barracuda, commented on the findings: "Email remains the most common attack vector for cyberthreats because it provides an easy entry point into corporate networks. Malicious email attachments, QR codes and URLs are used by attackers to distribute malware, launch phishing campaigns and exploit vulnerabilities. Many organisations increase their risk level by failing to implement DMARC, making it possible for attackers to impersonate their brand and implement fraudulent attacks. Organisations need to mitigate the risks by implementing best practice industry standards and adopting a multi-layered approach to email security, leveraging AI-driven threat detection to spot attacks hidden in attachments and malicious websites."

The 2025 Email Threats Report by Barracuda collates proprietary research from February 2025, during which nearly 670 million malicious, spam or unwanted emails were analysed. This extensive data informed the key findings and recommendations described in the report.

Proofpoint: 88% of Top Organisations in Asia Pacific Still Put Their Customers and Stakeholders at Risk of Email Fraud as Businesses Face Record-High Email Attacks

Associated Press

21-02-2025


Protective measures against email fraud remain widely insufficient among leading Asia Pacific companies.

  • Australia's high adoption rate of proper email authentication (71%) among its top companies sets the standard for the Asia Pacific region
  • Around 50% of leading Singapore and India's businesses have implemented the recommended level of email authentication
  • Concerningly, less than 20% of the largest organisations in Japan, South Korea, China and Thailand are actively protecting their customers against phishing

SINGAPORE - Media OutReach Newswire - 21 February 2025 - Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research on a worrying gap among top organisations across the Asia Pacific, with only 12% having implemented the recommended and most stringent level of email authentication.

In 2024, phishing attacks surged significantly, increasing nearly 60% year-over-year. This dramatic increase underscores the critical need for proper implementation of email authentication, which prevents cyber criminals from spoofing organisations' identities, thus reducing the risk of email fraud.

These findings are based on an analysis of the Domain-based Message Authentication, Reporting and Conformance (DMARC) records of Asia Pacific companies listed on the Forbes Global 2000. DMARC is a widely adopted email validation protocol that protects domain names from being misused by malicious actors by authenticating the sender's identity before an email reaches its intended destination. This authentication system detects and prevents domain spoofing, a common phishing technique. DMARC has three levels of protection – monitor, quarantine, and reject, with reject being the most secure for preventing suspicious emails from reaching users' inboxes.

'Email remains the most common and critical threat vector across industries. It's encouraging that many leading companies in Asia Pacific have taken proactive steps to protect their customers from email fraud,' said George Lee, Senior Vice President of Asia Pacific and Japan at Proofpoint. 'However, the rising frequency, sophistication, and cost of cyberattacks make it especially concerning that many remain highly vulnerable, exposing them to significant risks from malicious email-based threats such as phishing. Prioritising robust cybersecurity measures is essential to safeguard against these threats and protect customers' valuable data.'

Proofpoint's research shows that DMARC adoption in the Asia Pacific region is mostly lower compared to the US and UK, placing organisations and their customers at risk. While Australia leads in email authentication DMARC enforcement, Japan, South Korea and Thailand lag, leaving businesses exposed to escalating email fraud, including business email compromise (BEC) and phishing.

Key findings of Proofpoint's DMARC analysis across key Asia Pacific markets include:

Major Providers and Compliance Mandates Push for DMARC Adoption

Major email providers are making moves to force companies to catch up and use email authentication. Some highly-publicised examples include the October 2023 announcements from Google, Yahoo and Apple around mandatory email authentication requirements (including DMARC) for bulk senders sending emails to Gmail, Yahoo and iCloud accounts. This aims to significantly reduce spam and fraudulent emails hitting their customers' inboxes.

In addition, organisations that store consumer payment information must comply with the Payment Card Industry Data Security Standard (PCI-DSS) or risk paying hefty fines for violations. The latest PCI DSS (v4.0.1) will require companies to use DMARC to protect credit card data by March 31, 2025.

Proofpoint recommends that organisations follow these best practices:

  • Implement DMARC: Protect your domain from impersonation by implementing DMARC and enforcing it at the reject level. Seek expert assistance if needed to avoid blocking legitimate emails.
  • Educate employees: Train staff on how to identify and avoid potentially fraudulent or suspicious emails, such as those impersonating colleagues, suppliers, or customers.
  • Strengthen passwords: Establish and enforce best practices for password management, including requiring strong passwords, regular changes, and never re-using passwords across multiple accounts.

This analysis was conducted in December 2024 using data from companies listed on Forbes Global 2000.

To learn more about DMARC, visit:

The issuer is solely responsible for the content of this announcement.

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations' greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at

Proofpoint: 88% of Top Organisations in Asia Pacific Still Put Their Customers and Stakeholders at Risk of Email Fraud as Businesses Face Record-High Email Attacks

Zawya

21-02-2025


Protective measures against email fraud remain widely insufficient among leading Asia Pacific companies.

  • Australia's high adoption rate of proper email authentication (71%) among its top companies sets the standard for the Asia Pacific region
  • Around 50% of leading Singapore and India's businesses have implemented the recommended level of email authentication
  • Concerningly, less than 20% of the largest organisations in Japan, South Korea, China and Thailand are actively protecting their customers against phishing

SINGAPORE - Media OutReach Newswire - 21 February 2025 - Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research on a worrying gap among top organisations across the Asia Pacific, with only 12% having implemented the recommended and most stringent level of email authentication.

In 2024, phishing attacks surged significantly, increasing nearly 60% year-over-year. This dramatic increase underscores the critical need for proper implementation of email authentication, which prevents cyber criminals from spoofing organisations' identities, thus reducing the risk of email fraud.

These findings are based on an analysis of the Domain-based Message Authentication, Reporting and Conformance (DMARC) records of Asia Pacific companies listed on the Forbes Global 2000. DMARC is a widely adopted email validation protocol that protects domain names from being misused by malicious actors by authenticating the sender's identity before an email reaches its intended destination. This authentication system detects and prevents domain spoofing, a common phishing technique. DMARC has three levels of protection – monitor, quarantine, and reject, with reject being the most secure for preventing suspicious emails from reaching users' inboxes.

'Email remains the most common and critical threat vector across industries. It's encouraging that many leading companies in Asia Pacific have taken proactive steps to protect their customers from email fraud,' said George Lee, Senior Vice President of Asia Pacific and Japan at Proofpoint. 'However, the rising frequency, sophistication, and cost of cyberattacks make it especially concerning that many remain highly vulnerable, exposing them to significant risks from malicious email-based threats such as phishing. Prioritising robust cybersecurity measures is essential to safeguard against these threats and protect customers' valuable data.'

Proofpoint's research shows that DMARC adoption in the Asia Pacific region is mostly lower compared to the US and UK, placing organisations and their customers at risk. While Australia leads in email authentication DMARC enforcement, Japan, South Korea and Thailand lag, leaving businesses exposed to escalating email fraud, including business email compromise (BEC) and phishing.

Key findings of Proofpoint's DMARC analysis across key Asia Pacific markets include:

  • Australia: 71% of the top Australian companies have implemented DMARC at the recommended levels (reject). All the top Australian companies being studied have a DMARC record.
  • Singapore: 46.2% of companies analysed have DMARC set to reject. Yet 23.1% do not have any DMARC record and are wide open to email fraud and domain spoofing attacks.
  • India: 50% of the top Indian organisations implemented the highest level of DMARC (reject), with 30.9% utilising quarantine and 11.8% having no DMARC record at all.
  • Japan: Only 7.4% of top Japanese companies have a DMARC policy of reject in place. 65.6% of companies are at the monitor level, gathering data but offering no active protection.
  • South Korea: Only 1.8% have implemented DMARC at the quarantine level with none at the reject level, and 51.8% having no DMARC record at all.
  • Thailand: 17.6% have a reject policy in place to block unqualified emails, while 17.6% of companies implemented quarantine and 52.9% at the monitor level still.
  • China: Only 4.2% of top Chinese companies have the strictest level of DMARC in place. A startling 71.8% do not use any DMARC protection at all.

Major Providers and Compliance Mandates Push for DMARC Adoption

Major email providers are making moves to force companies to catch up and use email authentication. Some highly-publicised examples include the October 2023 announcements from Google, Yahoo and Apple around mandatory email authentication requirements (including DMARC) for bulk senders sending emails to Gmail, Yahoo and iCloud accounts. This aims to significantly reduce spam and fraudulent emails hitting their customers' inboxes.

In addition, organisations that store consumer payment information must comply with the Payment Card Industry Data Security Standard (PCI-DSS) or risk paying hefty fines for violations. The latest PCI DSS (v4.0.1) will require companies to use DMARC to protect credit card data by March 31, 2025.

Proofpoint recommends that organisations follow these best practices:

  • Implement DMARC: Protect your domain from impersonation by implementing DMARC and enforcing it at the reject level. Seek expert assistance if needed to avoid blocking legitimate emails.
  • Educate employees: Train staff on how to identify and avoid potentially fraudulent or suspicious emails, such as those impersonating colleagues, suppliers, or customers.
  • Strengthen passwords: Establish and enforce best practices for password management, including requiring strong passwords, regular changes, and never re-using passwords across multiple accounts.

This analysis was conducted in December 2024 using data from companies listed on Forbes Global 2000.

To learn more about DMARC, visit:

The issuer is solely responsible for the content of this announcement.

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations' greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at
