As phishing scammers actively impersonate institutions like the World Health Organization and Centers for Disease Control and Prevention in order to capitalize on Covid-19 fears, government bodies and state-run health care organizations continue to make themselves vulnerable to email spoofing by failing to employ DMARC email validation protections, a new report states.

An investigation by researchers at Proofpoint found that 44 percent of U.S. state governments and state health departments lack a published DMARC (Domain-based Message Authentication, Reporting & Conformance) record. With no DMARC protocols in place, such bodies are at increased risk of fraudsters successfully posing as them.

“State governments and health departments are in constant contact with constituents as they share updates around the progression of the virus and statewide shelter-in-place orders and other measures,” the Proofpoint report reads. “At the same time, cybercriminals are carefully following each new Covid-19 development and launching attacks that are social engineering at scale based on fear. They know people are looking for information around this out of concern for their safety and are more likely to click on potentially malicious links or download attachments.”

Moreover, Proofpoint observed that 92 percent of state governments and 88 percent of state health departments — have not adopted the highest, recommended DMARC policy. This policy, “Reject,” blocks emails that are perceived to be fraudulent so the end user never receives it and cannot be tricked into clicking a malicious link or opening a weaponized attachment.

The DMARC protocol works by authenticating an email sender’s identity using DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards. DMARC users also set a policy for what should happen to emails that don’t pass the validation. While “Reject” is the strongest setting, users can instead request “Quarantine,” which sends suspicious emails into a spam or junk mailbox. (“None” is the third option, which results in no action taken.)

Proofpoint says it has identified more than 300 coronavirus scams, altogether comprising 500,000 messages and 300,000 malicious URLs.

From an end-user/email recipient perspective, Proofpoint recommends that organizations introduce “robust email defenses” and train users to identify email phishing attempts and scams.