To combat ever-increasing email compromises and compliance crackdowns, more financial players are looking to potentially embrace a long-existent email validation system on a more widespread basis to potentially curb cybercrime.
Originally launched in 2012 by Paypal, Google, Microsoft and Yahoo, this so-called Domain-based Message Authentication Reporting and Conformance (commonly referred to as DMARC) was designed explicitly to mitigate financial losses — especially those that even a decade ago all-too-commonly started with fraudulent email. And, nowadays with the frequency and cost of business email compromise (BEC) still amplifying, and financial regulators cracking down on institutions they believe are not doing enough to stem the tide, banks, credit unions and investment firms are looking a little more keenly at DMARC, even if they have not previously.
According to Seth Blank, chief technology officer at DMARC vendor Valimail, 89% of cyberattacks start with an email that impersonates the identity of the sender.
“DMARC is a crucial defense here,” Blank contended. “DMARC is binary — you’re either at enforcement or you aren’t. And if you’re not at enforcement [level], you leave yourself open to cyberattack.”
DMARC’s roots are in the payments and financial world online. Indeed, DMARC was born of a need to decrease not only the incidence of business email compromise and other phishing-related scams, but specifically to reduce payments and financial fraud.
In the early 2000s, as online commerce was really taking off, P2P payments giant PayPal was already incurring $2,300 in fraudulent losses every hour, said Blank. By 2010, scammers were stealing tens of millions of dollars from PayPal’s customers each month by “spoofing the company’s email domain to send phishing messages,” he added.
“Scammers were leveraging the trust consumers had in the [payments website] to trick customers into sharing account details or outright sending cash to the wrong recipients,” Blank said. “And PayPal knew these actions were damaging its reputation significantly.” Hence the birth of DMARC.
Flash forward a decade: Despite massive efforts especially on the part of the financial industry to work this problem, the FBI found BEC scams cost organizations nearly $2.4 billion just last year. In 2021, the bureau also said there were almost 324,000 reports of phishing-related scams.
More recently, legislation from the U.S. Securities and Exchange Commission (SEC) highlights financial institutions' responsibility to protect their customers’ information, especially in the wake of BEC. In 2021, SEC sanctioned eight firms for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of individuals. For example, unauthorized parties took over 60 Cetera employee accounts, and none of these accounts “were protected by the standards described in Cetera’s cybersecurity policies,” Blank added.
Similarly, cybercriminals compromised the email accounts of 15 KMS employees and 4,900 KMS customers Between September 2018 and December 2019, Blank pointed out. Following these attacks, it took KMS until May 2020 to develop a written cybersecurity policy or procedure. Further SEC investigation found that the company failed to implement this written policy until August 2020.
“These phishing incidents and BECs both have one characteristic in common: a focus on employees, the point at which corporate cybersecurity becomes most exposed,” Blank argued. “However, a ‘say-do’ gap still exists within basic security protocols such as DMARC, zero trust, encryption and multi-factor authentication.”
Case in point: while more than three-fourths (77%) of Fortune 500 e-mail domains have a DMARC policy, only 27% of those policyholders are completely enforcing its use, leaving the rest vulnerable, according to Valimail's Email Fraud Landscape Report from 2021.
“Firms must do better at implementing their own procedures,” Blank added. “DMARC alone blocks cybercriminals from phishing using your domains. There is no shortcut for basic security efforts — companies across industries need to improve their safeguards.”