SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Not enough being done to combat email fraud in ANZ - report
Mon, 13th Jul 2020
FYI, this story is more than a year old

Email scams and fraud continute to run rampant throughout Australia and New Zealand (ANZ), thanks largely to either minimal uptake or incorrect implementation of domain-based message authentication reporting and conformance (DMARC).

That's according to new research from email security provider SMX, which has found that not only are private organisations throughout the Trans-Tasman nations at risk from increasing vulnerability, but so too are government agencies and departments.

The Australian Competition and Consumer Commission (ACCC) recently found that AU$60 million was lost to email scams and fraud in 2019 alone, with this number increasing. In addition, the Australian Threat Report of CIO's also reported that phishing was the ‘top cause' of data breaches in the country last year.

“We recently surveyed organisations utilising DMARC across the region,” says SMX co-founder and email evangelist Thom Hooker.

“Of 187 Australian Federal Agencies surveyed, 103 have some form of DMARC record although only 17% have a record in enforcement mode (with most set to reject and there aren't misconfigured records),  37% have DMARC but are effectively taking no action (including no reporting), while 44% have no record at all.

Meanwhile, in New Zealand NZ$14.5 million was lost in 2019 thanks to scams and fraud – a massive 87% of that number caused by email fraud, according to CERT NZ. Phishing increased by 25% year-on-year, while 70% of all ransomware attacks reported to CERT resulted in some form of loss for the victim.

“In New Zealand, we looked at the DNS records of all 372 NZ government agencies,” says Hooker.

“While we found 20% of agencies have some form of DMARC record, we saw large numbers of misconfigured or invalid records amongst them.

“Of the 74 agencies with some form of DMARC only 16% are configured to reject email, with another 6% configured to quarantine emails that breach their policy.

This problem is compounded by the gains made by cyber attackers recently, with phishing and other fraud campaigns becoming markedly more sophisticated especially in midst of the COVID-19 pandemic.

Many email spoofers have mastered the art of marrying clever facsimiles of genuine emails with domain spoofing so that the email appears to originate from the business or individual it claims to represent.

This new subtlety can now fool many security-literate users, says SMX, and can potentially lure victims to click on malicious attachments, respond to requests made in bogus emails, or hand over precious credentials.

Having DMARC policies in place can reduce organisations' vulnerability in this regard, according to SMX, but even with such protections, there is always risk. And across ANZ, government agencies have fared worse than large companies in mitigating this risk, says Hooker.

“Australian Federal agencies are only slightly ahead of New Zealand,” he says.

“Of 187 agencies 103 have some form of DMARC record although only 32 (17%) have a record in enforcement mode (with most set to reject and there aren't misconfigured records).

“71 (37%) have DMARC but are effectively taking no action (including no reporting) while 84 (44%) have no record at all.

Hooker says this poor DMARC uptake continues to put businesses and individuals at risk of financial or data loss while government agencies run the risk of exposing personal data due to a privacy breach originating from an email scam.

“Given how much personal data is stored digitally with government agencies, each agency has a duty to take all appropriate measures to protect that data,” says Hooker.

“Our research shows that while a small number of government agencies clearly understand the risks and have implemented DMARC, many either do not or have been slow in adopting DMARC.

DMARC should be a de facto part of any organisation's security approach, he says – and email-based cyber threats will continue to rise if something isn't put in place to combat them.

“Email has been around for 40 years and despite various attempts to replace it, it's unlikely to go away any time soon,” he says.

“It has become a more sophisticated tool as it's evolved to meet changing demands and DMARC is one of the most significant evolutions in that history.

“It's time more organisations made use of it to protect themselves and their customers.