SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image

Exclusive: Over half of ASX companies at risk of email fraud

Thu, 30th Aug 2018
FYI, this story is more than a year old

Phishing attacks are on the rise, becoming more targeted and evolving in sophistication to become harder and harder to detect.

Coupled with social engineering, businesses can be more susceptible to phishing attacks and business email compromises (BEC) than they realise.

SecurityBrief spoke to Proofpoint CEO Gary Steele about securing business emails, who's most at risk, and what companies can do.

Why is it important for ASX100 companies to be implementing DMARC?

DMARC (or Domain Message Authentication Reporting and Conformance) is the passport control of the email security world and confirms sender identities to stop fraud.

It is widely regarded as the best-practice standard for blocking domain spoofing attacks.

Simply put, it stops cybercriminals trying to impersonate trusted brands over email.

It only takes one message for cybercriminals to inflict real damage – making it critical for companies to safeguard their email channel with customers, partners, and their own employees.

Our latest research reveals that customers targeted in email fraud attacks received on average 35 BEC messages in Q2 2018, an 87% increase year over year.

Against this backdrop, only 39% of companies listed on the ASX100 have started to implement DMARC, which leaves more than half (61%) of Australia's largest organisations exposed to email fraud.

Financial services companies are the most targeted vertical with an email fraud attack frequency 32% higher in ANZ than the US and UK in Q2 2018, which is reflected in the sector's level of early adoption.

Of the ASX100 companies that have begun deploying DMARC, 25% are in the financial sector, including 4 of the top 5 commercial banks.

What are the consequences if financial services companies don't deploy DMARC?

Email fraud has devastating consequences for businesses: a recent Proofpoint survey of senior IT decision makers in Australia revealed that more than 1 in 3 email fraud attacks on Australian businesses (35%) led to loss of funds to cybercriminals.

Other consequences included business disruption and loss of sensitive data.

Email fraud also puts employees directly at risk: nearly one in four attacks (24%) resulted in employment termination.

In real terms, financial costs are high: according to the Australian Federal Government, businesses lost more than $20 million to business email compromise/email fraud scams between 2016 and 2017, up from just $8.6 million the year before.

For a growing number of organisations, the risks associated with cybercrime are top of the agenda with 82% of boards concerned with email fraud and more than half (59%) consider it a top security risk—and no longer just an IT issue.

As the volume of attacks and level of sophistication employed by cyber criminals increase, organisations need to proactively shut down these tactics before the damage is done and DMARC offers an essential layer in ensuring that emails are verified before they reach the inbox.

What are some of the instances recently where the lack of this technology has been exploited by threat actors?

Email fraud continues to make headlines: last year, it was revealed that Facebook and Google were victims of $100million BEC payment scam where a Lithuanian national forged email addresses and invoices to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business.

In July 2018, the FBI confirmed that global email fraud is reaching unprecedented levels of impact on organisations with a new report indicating that business email compromise (BEC) and email account compromise (EAC) scams have cost organisations more than $12.5 billion in losses.

Australia has seen single-transaction BEC frauds in the millions of dollars: a recent attack was for AU$26 million, the manager for cybercrime investigations and covert online operations for the Western Australian Police Force revealed.

Is not implementing DMARC against Australian cybersecurity laws?

While there is not DMARC mandate on the books, in 2016, the Australian government issued guidance on DMARC in a report titled “Malicious Email Mitigation Strategies”, through the Australian Signals Directorate (part of the Department of Defence) and the Australian Cyber Security Centre.

The report recommends both government and private sector organisations implement DMARC authentication to prevent messages from would-be impostors reaching the inbox.

Other countries have issued varying degrees of mandates for DMARC adoption amongst public sector institutions, with the US Department of Homeland Security mandating email authentication for all civilian federal agencies.

Interestingly, our analysis of Australia's top 100 organisations against 18 government bodies shows that adoption rates are head to head at 39%, when in most other regions, the private sector is ahead of the adoption curve.

Notably, though, the largest private companies are leading the way: 60% of the top ten ASX100 companies by market cap have adopted DMARC, showing that they are starting to understand their exposure to email fraud and to drive proactive cybersecurity measures to protect themselves.

What solutions are available in the market to help protect companies?

DMARC alone should not be thought of as the silver bullet to stop email fraud.

Australian businesses need to look to a multi-layered approach to solve the full email fraud challenge.

Start developing a defence strategy that spans people, process, and technology.

People by training your employees to recognise phishing emails; process by ensuring that you have data loss prevention and encryption in place to protect your data assets; and finally technology with the deployment of advanced email security technology that stops malicious emails before they enter your environment, email authentication, and dynamic email analysis.

With cybercriminals targeting people, as opposed to networks, organisations need to protect their employees, customers and partners by preventing, defending, and responding to threats across an ever-changing landscape.

To do this, we encourage organisations to adopt a people-centric approach to cybersecurity by considering the individual risk each user represents and deploying a solution that gives you real-time visibility into who is targeted, what data they have access to, and whether they tend to fall prey to attacks.

Against a backdrop of pandemic cyberattacks and increased exposure, it's time for Australian businesses to identify their most at-risk users to better protect them.

Follow us on: