
Exclusive: Over half of ASX companies at risk of email fraud

30 Aug 18

Phishing attacks are on the rise, becoming more targeted and evolving in sophistication to become harder and harder to detect.

Coupled with social engineering, businesses can be more susceptible to phishing attacks and business email compromises (BEC) than they realise.

SecurityBrief spoke to Proofpoint CEO Gary Steele about securing business emails, who’s most at risk, and what companies can do.

Why is it important for ASX100 companies to be implementing DMARC?

DMARC (or Domain-based Message Authentication, Reporting and Conformance) is the passport control of the email security world and confirms sender identities to stop fraud.

It is widely regarded as the best-practice standard for blocking domain spoofing attacks.

Simply put, it stops cybercriminals trying to impersonate trusted brands over email.

It only takes one message for cybercriminals to inflict real damage – making it critical for companies to safeguard their email channel with customers, partners, and their own employees.

Our latest research reveals that customers targeted in email fraud attacks received on average 35 BEC messages in Q2 2018, an 87% increase year over year.

Against this backdrop, only 39% of companies listed on the ASX100 have started to implement DMARC, which leaves more than half (61%) of Australia’s largest organisations exposed to email fraud.

Financial services companies are the most targeted vertical with an email fraud attack frequency 32% higher in A/NZ than the US and UK in Q2 2018, which is reflected in the sector’s level of early adoption.

Of the ASX100 companies that have begun deploying DMARC, 25% are in the financial sector, including 4 of the top 5 commercial banks.

What are the consequences if financial services companies don’t deploy DMARC?

Email fraud has devastating consequences for businesses: a recent Proofpoint survey of senior IT decision makers in Australia revealed that more than 1 in 3 email fraud attacks on Australian businesses (35%) led to loss of funds to cybercriminals.

Other consequences included business disruption and loss of sensitive data.

Email fraud also puts employees directly at risk: nearly one in four attacks (24%) resulted in employment termination.

In real terms, financial costs are high: according to the Australian Federal Government, businesses lost more than $20 million to business email compromise/email fraud scams between 2016 and 2017, up from just $8.6 million the year before.

For a growing number of organisations, the risks associated with cybercrime are top of the agenda, with 82% of boards concerned with email fraud and more than half (59%) considering it a top security risk—and no longer just an IT issue.

As the volume of attacks and level of sophistication employed by cyber criminals increase, organisations need to proactively shut down these tactics before the damage is done and DMARC offers an essential layer in ensuring that emails are verified before they reach the inbox.

What are some of the instances recently where the lack of this technology has been exploited by threat actors?

Email fraud continues to make headlines: last year, it was revealed that Facebook and Google were victims of a $100 million BEC payment scam where a Lithuanian national forged email addresses and invoices to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business.

In July 2018, the FBI confirmed that global email fraud is reaching unprecedented levels of impact on organisations with a new report indicating that business email compromise (BEC) and email account compromise (EAC) scams have cost organisations more than $12.5 billion in losses.

Australia has seen single-transaction BEC frauds in the millions of dollars: a recent attack was for AU$26 million, the manager for cybercrime investigations and covert online operations for the Western Australian Police Force revealed.

Is not implementing DMARC against Australian cybersecurity laws?

While there is no DMARC mandate on the books, in 2016 the Australian government issued guidance on DMARC in a report titled “Malicious Email Mitigation Strategies”, through the Australian Signals Directorate (part of the Department of Defence) and the Australian Cyber Security Centre.

The report recommends both government and private sector organisations implement DMARC authentication to prevent messages from would-be impostors reaching the inbox.

Other countries have issued varying degrees of mandates for DMARC adoption amongst public sector institutions, with the US Department of Homeland Security mandating email authentication for all civilian federal agencies.

Interestingly, our analysis of Australia’s top 100 organisations against 18 government bodies shows that adoption rates are head to head at 39%, when in most other regions, the private sector is ahead of the adoption curve.

Notably, though, the largest private companies are leading the way: 60% of the top ten ASX100 companies by market cap have adopted DMARC, showing that they are starting to understand their exposure to email fraud and to drive proactive cybersecurity measures to protect themselves.

What solutions are available in the market to help protect companies?

DMARC alone should not be thought of as the silver bullet to stop email fraud.

Australian businesses need to look to a multi-layered approach to solve the full email fraud challenge.

Start developing a defence strategy that spans people, process, and technology.

People, by training your employees to recognise phishing emails; process, by ensuring that you have data loss prevention and encryption in place to protect your data assets; and finally technology, with the deployment of advanced email security technology that stops malicious emails before they enter your environment, email authentication, and dynamic email analysis.

With cybercriminals targeting people, as opposed to networks, organisations need to protect their employees, customers and partners by preventing, defending, and responding to threats across an ever-changing landscape.

To do this, we encourage organisations to adopt a people-centric approach to cybersecurity by considering the individual risk each user represents and deploying a solution that gives you real-time visibility into who is targeted, what data they have access to, and whether they tend to fall prey to attacks.

Against a backdrop of pandemic cyberattacks and increased exposure, it’s time for Australian businesses to identify their most at-risk users to better protect them.
