Almost every company in the Fortune 500 is exposed to phishing attacks because it does not use a basic security feature that prevents email spoofing. More than nine out of 10 listed companies are not using a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy on their corporate domains. DMARC is an email validation system used to verify the identity of an email sender, which protects against spoofed emails and phishing attacks. That's according to a report by cybersecurity firm Agari, which said only 39 companies in the list of 500 firms have a policy that marks unauthenticated messages as spam or rejects them entirely. Agari didn't name the companies that fared the worst in the report, but told ZDNet that several telecom and tech-oriented companies dominated the list of companies that applied the strongest levels of DMARC email security.
Over half of the world's most popular online services have misconfigured servers that could place users at risk from spoof emails, researchers have warned. According to Swedish cybersecurity firm Detectify, poor authentication processes and configuration settings on servers belonging to hundreds of major online domains could put users at risk of legitimate-looking phishing campaigns and fraudulent emails. Email has become a major communication channel, and with so many users now owning at least one email address, it is often the first port of call for cyberattackers looking to compromise your system, steal your data or access your online accounts. Research firm Radicati says over 205 billion emails were sent every day in 2015, and this figure is expected to reach 246 billion emails by the end of 2019. If spoof emails -- emails sent with a fake sender address -- are sent by a cyberattacker running phishing campaigns, victims could be duped into clicking on malicious links and downloading malware.
Last year, the UK blocked 80 million spoofed emails from entering government domains, thanks to wide deployment of the DMARC email authentication protocol. "That's how you stop people clicking on the link, because they never get the crap in the first place. Simple things done at scale can have a difference," said Dr Ian Levy, technical director of the UK's National Cyber Security Centre (NCSC) in October. At that time, 879 of the 3025 gov.uk domains, or around 29 percent, were protected by DMARC, he said. According to Stephen Gillies, who runs security advisory at Caret and Stick, DMARC's goal is "to bring some trust back to the From: field in email headers".
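The reports above distinguish domains that merely publish a DMARC record from domains whose policy actually quarantines or rejects unauthenticated mail. The following script is an added example, not code from the article or from Agari, Detectify or the NCSC: it parses DMARC TXT records as they would be read from the `_dmarc` DNS name and labels each domain by enforcement level, treating `pct<100` and `sp=none` as only partial protection. The domain names and records are constructed for the example and are not real DNS data; no network lookup is performed.

```python
"""
Added example (not from the article or the firms it quotes): classify the
enforcement level of DMARC TXT records.

Record syntax follows RFC 7489: "v=DMARC1; p=...; sp=...; pct=...; rua=..."
Only the tags that affect enforcement are interpreted here.
"""
import re

# Constructed sample records keyed by hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "reject.example":     "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "partial.example":    "v=DMARC1; p=quarantine; pct=10; rua=mailto:reports@partial.example",
    "monitor.example":    "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "weaksub.example":    "v=DMARC1; p=reject; sp=none",
    "broken.example":     "v=DMARC1; rua=mailto:x@broken.example",  # required p= tag missing
    "norecord.example":   None,                                      # no _dmarc TXT record at all
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict (tags lowercased).
    Returns None if the record is absent or does not identify as DMARC1."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify(record):
    """Label how much protection a record gives the domain and its subdomains:
      'enforced' - p=reject or p=quarantine applied to 100% of mail, and
                   subdomains are not weakened via sp=none
      'partial'  - enforcement policy, but pct<100 or subdomains left at none
      'monitor'  - p=none: reports only, spoofed mail is still delivered
      'invalid'  - record present but unusable (e.g. no p= tag, bad pct)
      'missing'  - no record at all
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing" if record is None else "invalid"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor"
    # pct defaults to 100; anything that is not an integer 0..100 is invalid
    pct_raw = tags.get("pct", "100")
    if not re.fullmatch(r"\d{1,3}", pct_raw) or int(pct_raw) > 100:
        return "invalid"
    pct = int(pct_raw)
    # sp defaults to the organisational policy when absent
    sub_policy = tags.get("sp", policy).lower()
    if pct < 100 or sub_policy == "none":
        return "partial"
    return "enforced"


def summarize(records):
    """Count domains per label, the kind of tally the Agari figures describe
    (how many domains actually reject/quarantine versus merely monitor)."""
    counts = {}
    for record in records.values():
        label = classify(record)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:20} {classify(record)}")
    print(summarize(SAMPLE_RECORDS))
```

Only the `enforced` label corresponds to the protection the article credits DMARC with; a `p=none` record produces aggregate reports but still lets a spoofed From: address reach the inbox, and a low `pct` or `sp=none` leaves a gap an attacker's message can slip through.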
Don't be surprised if you see spam coming from the top websites in the world. Lax security standards are allowing anyone to "spoof" emails from some of the most-visited domains, according to new research. Email spoofing -- a common tactic of spammers -- involves forging the sender's address. Messages can appear as if they came from Google, a bank, or a best friend, even though the email never came from that source; the spammer simply altered the email's "from" address.