Three billion spoofed emails are being sent every day


Billions of fake emails are being sent each day despite large-scale efforts to prevent the spread of cybercrime, new research has found.

Despite the increasing enforcement of Domain-based Message Authentication, Reporting and Conformance (DMARC), a report from Valimail found there are still three billion email messages sent every day which spoof the sender identity used in the “From” field.

Furthermore, although more than 1.28 million domain owners worldwide have configured DMARC for their domains, fewer than one in five (14 percent) are protected by an enforcement policy.

The report is based on consolidated data from millions of DMARC reports, collected on behalf of Valimail’s customers during 2020. DMARC is a vendor-neutral authentication protocol that allows email domain owners to protect their domain from unauthorized use, or “spoofing.” Valimail’s report further claims that domains without DMARC enforcement are almost five times more likely to be targeted by spoofing, compared to those that do enforce the practice.
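To illustrate the gap between a domain that has merely configured DMARC and one that is protected by an enforcement policy, here is an added example (not code from Valimail or the report) that classifies a DMARC TXT record using the tag syntax of RFC 7489. It assumes "enforcement" means p=quarantine or p=reject applied to all mail, a definition the article does not spell out; the function names, labels and sample records are constructed for illustration.

```python
# Added example: classify a DMARC TXT record string (RFC 7489 tag=value list).
# No DNS lookup is made; pass in the TXT value published at _dmarc.<domain>.

def parse_dmarc(txt):
    """Return {tag: value}, or None if txt is not a valid DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    name, sep, value = parts[0].partition("=")
    # RFC 7489: "v" must be the first tag and its value exactly "DMARC1".
    if not sep or name.strip().lower() != "v" or value.strip() != "DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:  # tags without "=" are malformed and skipped
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt):
    """Label a record. The labels are this example's own (an assumption)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"  # simplification: RFC 7489 has fallback rules here
    raw = tags.get("pct", "100")
    # pct defaults to 100; an unusable value falls back to that default.
    pct = int(raw) if raw.isdigit() and int(raw) <= 100 else 100
    if policy == "none" or pct == 0:
        return "monitoring-only"      # reports are sent, spoofed mail still lands
    if pct < 100:
        return "partial-enforcement"  # policy applies to a sample of failing mail
    return "enforcement"

# Constructed sample records (example.com is a reserved documentation domain).
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=25",
    "v=DMARC1; p=reject; sp=reject",
    "v=spf1 -all",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(f"{classify(record):20} {record}")
```

A record that classifies as "monitoring-only" counts as DMARC being configured, but receivers are not asked to quarantine or reject mail that fails the check.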

Malware distribution

Large organizations, despite being relatively slow to adopt DMARC policies across their domains (43.4%), are making headway. There are 2% more policies adopted now, compared to early 2020, and 3.5% more compared to early 2019.

While global media companies and US healthcare organizations have the lowest rates of DMARC deployment and protection, the US government has the highest rates with 74%, the report concluded.

Even though it’s one of the oldest forms of online communication, email is still the go-to platform for criminals looking to distribute malware. More than 90% of all cyberattacks start with an email, the report claims, adding that 80% of all email inbox providers perform DMARC checks on inbound emails.

Over the course of the past 12 months, Covid-19 has become one of the most popular themes for cybercrime email activity, as people started working remotely. Email security providers (ESP) say, and Valimail has confirmed, that pandemic-themed phishing attacks “surged” last year, as criminals sought to take advantage of remote workers.

Google, which blocks approximately 100 million phishing emails every day, says an average phishing campaign doesn’t last longer than 12 minutes.

“Privacy laws already exist in Europe and parts of the United States, and if a company does any business in those areas, a DMARC policy at enforcement is essential,” said Alexander García-Tobar, CEO and co-founder, Valimail.

“DMARC is not going away and the best thing a company can do is understand the potential exposure without it. By having valid email authentication in place, companies protect themselves and their customers from privacy violations. Without it, emails are sent without permission, fines are issued, confidential information is obtained and reputations sink. This wave is only a starting point. Companies must step up as the risk of going without enforcement will only get worse.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.