Study: One In Five Emails Sent Today Are From Unauthorized Senders, Highlighting Rampant Email Impersonation
ValiMail, the world’s only provider of automated email authentication, today released research that reveals the overwhelming majority of company domains are vulnerable to rampant email impersonation attacks. ValiMail’s 2017 Email Fraud Landscape Report shows that most domain owners have not attempted to implement fraud protection through the latest and most complete form of protection, DMARC (“Domain-based Message Authentication, Reporting & Conformance”), a widely used standard that ensures only authorized senders can use an organization’s domain name in their emails.
“Email has been weaponized by hackers as the leading way to infiltrate networks, and the vast majority of businesses are leaving themselves vulnerable by either incorrectly configuring their authentication systems or forgoing protection entirely,” said Alexander García-Tobar, CEO and co-founder of ValiMail. “Businesses are asking their employees to complete an impossible task: identifying who is real and who is an impersonator, by closely examining every message in their inboxes. The only sustainable solution is for companies to take control of their email security at the technology level and stop placing the onus on employees to prevent phishing attacks.”
Key findings from the report, which analyzed the most popular one million global domains, include:
- Email fraud is a pervasive threat. One in five messages sent today come from unauthorized senders, indicating massive amounts of fraudulent activity.
- Virtually all domains lack adequate protection. Just 0.5 percent of the top million domains have protected themselves from impersonation by email authentication, leaving 99.5 percent vulnerable.
- Incorrect DMARC deployments prevent email protection. Over three-fourths (77 percent) of domains that have deployed DMARC records remain unprotected from fraud, either through misconfiguration or by setting a permissive DMARC policy.
- The difficulty of fully implementing and maintaining DMARC leads to inadequate protection. Only 15 to 25 percent of companies that attempt DMARC succeed at achieving protection from fraud, depending on category.
- DMARC is accessible to most domains. Over three-fourths (76 percent) of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if those policies exist.
- Implementing email authentication would save the average company $8.1 million per year in cybercrime costs — $16.2 billion annually across the Fortune 2000.
“ValiMail’s research demonstrates the volume of email fraud threats faced by companies today and highlights the alarming lack of understanding of how to combat these threats,” said Shehzad Mirza, the Director of Operations for the Global Cyber Alliance. “These findings highlight that a lack of email authentication is the most prevalent security vulnerability companies face. In order to truly protect our inboxes, we must drive greater adoption of cybersecurity technologies and protocols such as DMARC.”
DMARC’s influence and adoption rates are steadily growing. In October 2017, the Department of Homeland Security announced it would begin requiring federal agencies to implement DMARC within 90 days. Currently only 38 percent of the top government agencies have DMARC records and only 14 percent have reject/quarantine enforcement in advance of the January 14, 2018 deadline.
To view the full study, which contains a breakdown of findings as they pertain to the Fortune 500, U.S. banks, “unicorn” startups, and cybersecurity companies, among other categories, go to http://go.valimail.com/email-fraud-landscape-2017.html.