Fully 61 percent of ASX100 exposed as email fraud gets personal

Your top executives aren’t necessarily the ones being attacked the most

Surging business email compromise (BEC) losses are pushing businesses and government agencies towards “aggressive” adoption of DMARC anti-fraud technology, a security expert has observed while noting that new figures suggest 61 percent of Australia’s largest organisations are leaving themselves wide open to email fraud.

Just 39 of the ASX 100 have so far established DMARC records to indicate their use of the anti-spoofing technology, according to a recent analysis by security vendor Proofpoint.

That was up significantly compared with a late-2016 analysis that found just 6 percent of US businesses were using DMARC, while another ASX100 audit last year found that just 27 percent of Australia’s biggest companies had adopted the technology.

Some 25 percent of those companies are in the financial sector – hardly surprising given the particular exposure of finance-related companies to cybercriminals seeking to take the money and run.

“We have seen much more aggressive adoption of DMARC over the course of the last 12 months simply because of the growth of email fraud,” Proofpoint CEO Gary Steele told CSO Australia.

“These campaigns are reasonably easy to run for bad actors, and they are seeing pretty serious paydays as illustrated by the numbers.”

A recent Mimecast analysis found that BEC volumes were up 80 percent quarter-on-quarter, with the US FBI recently arresting 74 BEC perpetrators while announcing that global BEC losses had passed $US12 billion ($A16.5b).

Reaching full DMARC maturity involves a number of steps, starting with implementation of the Sender Policy Framework (SPF) or the related DomainKeys Identified Mail (DKIM) email-authentication standard.

Yet the standards are just the beginning, with companies stepping through several phases before they can be deemed fully DMARC compliant.

Just 7 of the 39 companies have reached full maturity by proactively blocking and quarantining fraudulent emails, according to the latest Proofpoint figures. The remainder are in ‘monitor’ mode, where they receive reports on messages that fail authentication and test the effectiveness of DMARC blocking before actively intercepting questionable emails.
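An added example, not from the article or from Proofpoint, showing how the monitor-versus-enforcing distinction above can be checked from a domain's published DMARC record. The domains and records are constructed placeholders; it also flags a partial phase (a pct tag below 100) that the article's two-way split does not separate out:

```python
"""Classify published DMARC records into adoption phases (constructed example)."""

# Constructed sample records keyed by placeholder domains; None means no record published.
SAMPLE_RECORDS = {
    "example-bank.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test",
    "example-miner.test": "v=DMARC1; p=none; rua=mailto:reports@example-miner.test",
    "example-retail.test": "v=DMARC1; p=quarantine; pct=100; sp=reject",
    "example-telco.test": "v=DMARC1; p=quarantine; pct=10",
    "example-no-dmarc.test": None,
    "example-bad.test": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC TXT record, or None if it is not one."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A valid record must start with v=DMARC1 and carry a policy (p) tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify(record):
    """Map one record to 'none', 'monitor', 'partial' or 'enforce'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"  # nothing published (or not a DMARC record): receivers do nothing
    policy = tags["p"].lower()
    if policy not in ("quarantine", "reject"):
        return "monitor"  # p=none (or an unrecognised value) only generates reports
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct is treated as the default of 100
    # pct below 100 means only that share of failing mail is actually quarantined/rejected.
    return "enforce" if pct >= 100 else "partial"


def survey(records):
    """Count domains per phase, the way the article's adoption figures are tallied."""
    counts = {"none": 0, "monitor": 0, "partial": 0, "enforce": 0}
    for record in records.values():
        counts[classify(record)] += 1
    return counts
```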

An individual perspective on fraud

Yet even with DMARC in place, organisations need to be keeping a close eye on individual differences that may see some employees individually targeted more than others.

Assessments of BEC attacks frequently show that, contrary to common portrayals, it is often not the top executives who are being attacked. Rather, cybercriminals are targeting specific job roles or individuals in highly targeted attacks designed to maximise the chance of deception.

“We’re trying to help organisations understand the risk of vulnerabilities associated with specific people,” Steele explained.

“That’s what’s being targeted, and not just the organisation – so organisations need to think broadly about their security strategies as they relate to those specific individuals.”

Organisations should not only identify their most vulnerable individuals, he said, but must also remember that those individuals may be specifically targeted in other ways through real-world methods.

Proofpoint’s recent Email Fraud Threat Report: Year in Review found that BEC scammers targeted an average of 13 different people per organisation, many in functions such as HR and accounts payable.

Some 47 percent of organisations had more than 5 identities spoofed during the quarter, reflecting greater use of social-media and Web-based information. The number of individual entities spoofed per organisation more than doubled in the last quarter of 2017, to around 10 individuals.

“Stagnant” government agencies weren’t faring much better, with an August review finding that just 7 out of 18 examined departments (38 percent) had published a DMARC record – and that only one agency had moved to the ‘rejection’ phase of DMARC adoption since the previous audit 10 months earlier.

Stories by David Braue