How To Protect Your Consumers Against Email Fraud

While shopping online, consumers regularly hand over their personal and financial data, so retailers should protect their domains from unauthorized use. If they don’t, their domains could be used in business email compromise (BEC) attacks, phishing emails, email scams and other cyber threat activities, putting their customers at risk.

At Proofpoint, we did our own research using the domain-based message authentication, reporting and conformance (DMARC) records of the top 50 retailers in the U.S. through our own domain tool. Our results indicated that almost two-thirds (64%) of them have no DMARC protection, leaving them vulnerable to domain spoofing and having their customers’ data exposed.

The retail industry is far from alone in having poor DMARC protections; airlines, pharmaceutical companies, HR departments and many others are routinely targeted. But for an industry that holds vast amounts of payment and personal information, the gap is a major concern. Phishing, domain spoofing and BEC are among the biggest threats facing both businesses and individuals. That makes DMARC a vital barrier between cybercriminals and the data they covet. Retailers without protection in place must rectify the situation fast or risk joining the industry's long line of cyber victims.

Why does DMARC protection matter?

DMARC is an email authentication, policy and reporting protocol that builds on SPF and DKIM to detect and deter techniques used in phishing, BEC and other email-based attacks, including emails with forged sender addresses that appear to come from legitimate senders. It is the most widely deployed technology that ties the visible "From" domain of an email to authentication: a message passes DMARC only if SPF or DKIM passes and the domain that was authenticated aligns with the From domain. Publishing a DMARC record in the domain name system (DNS) does not by itself vouch for a domain; it tells receiving mail servers how to evaluate mail claiming to come from that domain, where to send reports about what they saw, and which policy (none, quarantine or reject) to apply to messages that fail authentication.

A full DMARC implementation shines a light on who’s sending emails from your domains, allowing you to authorize legitimate senders and block imposters before their messages hit their targets’ inboxes. Without it, cybercriminals are free to operate in the dark.

Don’t sell out your customers.

The pandemic has spurred a drastic rise in email communication between consumers and retailers, including purchase confirmations, shipping notices, promotions and offers. Cybercriminals are well aware of this and waste no time capitalizing on the opportunity.

A common method of attack is spoofing, in which threat actors pose as legitimate retailers to trick unsuspecting victims into clicking on malicious links and handing over valuable credentials. With attacks growing ever more sophisticated, it can be almost impossible for an everyday consumer to distinguish a spoofed email from a legitimate one.

But with DMARC in place, they don't have to. By publishing the strictest DMARC policy, "p=reject", retailers instruct receiving mail servers to block unauthenticated mail that claims to come from their domain before it reaches its intended target, protecting customers from spoofed email. And spoofing is just one of many threats aimed at the inbox. Over 90% of malware is delivered by email, so failure to protect this point of entry is akin to leaving the store doors wide open after hours, but with far wider-reaching consequences.

A successful email attack may capture the credentials or personal details of a part of your customer base. But that’s just the beginning. The attack might unlock troves of sensitive data, way beyond what any individual retailer holds. Thieves can reuse credentials across countless other sites, including banks and other financial institutions. They can also pass on customer data to more nefarious cybercriminals for wire fraud or identity theft, potentially exposing consumers to enormous financial consequences. And the targeted retailers are unlikely to fare any better.

Many high-profile retailers have lost millions of dollars because of data breaches in recent years. Some merchants may keep reputational damage or financial liability to a minimum but many others may not be so lucky.

What can you do to help?

If you want your customers to keep trusting you with their precious information, start implementing DMARC protections today. With the right support, it’s a simple, five-step process.

Step 1: Verify your domain alignment. Inventory every source that legitimately sends mail with your domain in the From header (including third-party marketing, transactional and support providers), and make sure each one passes SPF or DKIM with a domain that aligns with your From domain.

Step 2: Identify the email accounts you want to receive DMARC reports. Aggregate reports (the "rua" tag) show you who is sending as your domain and whether they pass; failure reports (the "ruf" tag) carry details of individual failing messages.

Step 3: Learn the DMARC tags: "v" (version), "p" (policy for the domain), "sp" (policy for subdomains), "rua" and "ruf" (report addresses), "adkim" and "aspf" (strict or relaxed alignment) and "pct" (the percentage of failing mail the policy is applied to).

Step 4: Generate your DMARC record. Most organizations start with "p=none" so they can collect reports and fix unauthenticated senders without affecting mail flow, then move to "p=quarantine" and finally "p=reject".

Step 5: Publish your DMARC record as a TXT record at _dmarc.yourdomain in your DNS, and be aware of exception lists (senders or subdomains excluded from the DMARC reject policy). Every exception is a sender an attacker can imitate, so a long exception list undermines the entire DMARC effort; the fix is to get the sender authenticated, not to exempt it.
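The mechanics described under "Why does DMARC protection matter?" and the five steps above, as an added example that is not the article's or Proofpoint's code: a small Python module that builds a DMARC record, parses one, and evaluates a message against it, including SPF/DKIM identifier alignment and the subdomain policy. The domain names, mailbox addresses and sample records are constructed for the example; org_domain is a simplified approximation of the organizational domain (real receivers use the Public Suffix List); and the DNS lookup is left out so the block runs offline.

```python
"""Build, parse and evaluate DMARC records (added example; constructed data only)."""
from typing import Optional, Tuple

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records for a hypothetical example.com; not real DNS data.
RECORD_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
RECORD_STRICT = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com")
RECORD_SUBDOMAIN = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> dict:
    """Parse a 'tag=value; tag=value' TXT record; raise ValueError if it is unusable."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)          # values such as mailto: URIs may contain '='
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def build_dmarc(policy: str, rua: str, subdomain_policy: Optional[str] = None,
                adkim: str = "r", aspf: str = "r", pct: int = 100) -> str:
    """Assemble a record for publication at _dmarc.<domain> (Step 4)."""
    if policy not in VALID_POLICIES or (subdomain_policy and subdomain_policy not in VALID_POLICIES):
        raise ValueError("policies must be none, quarantine or reject")
    parts = ["v=DMARC1", f"p={policy}"]
    if subdomain_policy:
        parts.append(f"sp={subdomain_policy}")
    parts += [f"adkim={adkim}", f"aspf={aspf}", f"pct={pct}", f"rua={rua}"]
    return "; ".join(parts)


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels (assumption; PSL in practice)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, record_domain: str, from_domain: str,
             spf_domain: Optional[str] = None, spf_pass: bool = False,
             dkim_domain: Optional[str] = None, dkim_pass: bool = False) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for one message, as a receiver would decide it.

    A message passes only when SPF or DKIM passed AND the domain that passed aligns with
    the From domain; a passing SPF or DKIM result for some other domain counts for nothing.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "accept"
    # Failing mail from a subdomain gets sp= when present, otherwise p=.
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return False, policy


if __name__ == "__main__":
    # Spoofer passes SPF and DKIM for their own domain but cannot align with example.com.
    print(evaluate(RECORD_STRICT, "example.com", "example.com",
                   spf_domain="attacker.example", spf_pass=True,
                   dkim_domain="attacker.example", dkim_pass=True))
    # Legitimate bounce subdomain fails under strict alignment, passes under relaxed.
    print(evaluate(RECORD_STRICT, "example.com", "example.com", spf_domain="bounce.example.com", spf_pass=True))
    print(evaluate(RECORD_MONITOR, "example.com", "example.com", spf_domain="bounce.example.com", spf_pass=True))
    print(build_dmarc("reject", "mailto:dmarc-reports@example.com", subdomain_policy="reject"))
```

The second and third calls in the usage block show why Step 1 comes before Step 4: a legitimate sender whose SPF domain is bounce.example.com passes under the default relaxed alignment but is rejected under "aspf=s", so tightening alignment before the aggregate reports confirm every sender is aligned will block your own mail.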

DMARC is a powerful tool in the fight against phishing and spoofing. It’s time for retailers to implement and enforce DMARC to reshape the email fraud landscape, protect consumers and force cybercriminals to abandon their organizations as easy targets.

Courtesy- https://www.cfo.com/risk-compliance/2022/01/strategic-risk-assessment-perry-wiggins-apqc/