JRB - Fotolia

Most online retail sites put customers at risk of phishing

Most top online retail sites fail to protect consumers from phishing attacks, a study has revealed

Nearly 90% of the root domains operated by top online retailers in the European Union and the United States are putting their brands and consumers at risk of phishing attacks.

This is the main finding of a study based on analysis of 3,300 domains operated by the top 500 EU and 1,000 US online retailers by email analytics and DMARC compliance firm 250ok.

Phishing and spoofing attacks against consumers are most likely when companies do not have a published sender policy framework (SPF) or domain-based message authentication, reporting and conformance (Dmarc) policy in place.

SPF is an email validation system that detects spoofing attempts, or a third party that disguises itself as a particular sender using a counterfeit email address. Dmarc is an industry standard for email-validation to prevent such attacks, and is being used to protect US and UK government domains.

The Dmarc protocol builds on the widely deployed sender policy framework (SPF) and domain keys identified mail (DKIM) protocols to authenticate email senders and identify fraudulent emails, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.

Dmarc enables organisations to take control of their domains by specifying which IP addresses emails will come from and what cryptographic keys it will be signed by. If either of these conditions is not met, organisations can choose to have the non-conforming emails to be delivered with an alert to the organisation, quarantined with an alert, or blocked with an alert.

Whatever option the organisation chooses, all emails that are pretending to be from that organisation for phishing or other cyber criminal purposes will be not reach their intended victims.

Read more about the Dmarc protocol

  • NCSC rolls out four measures to boost public sector cyber security.
  • HMRC geared up to block 500 million phishing emails a year.
  • How can a Dmarc policy improve email security?
  • Slow adoption of DMARC policy can leave email vulnerable.

While the majority of retailers use some level of email authentication on their domains, the report reveals many are inconsistent in their approach across all the domains they control. Only 11.3% of top US retailer and 12.2% of top EU retailer domains meet 250ok’s recommended minimum protocol for the email channel:

  • Publish SPF records for all domains
  • Ensure SPF records are valid and without errors
  • Publish a Dmarc policy for all domains

“By failing to publish basic authentication records like SPF and a Dmarc record for all of the domains they operate, retailers are blind to the potential abuse of their brands’ domain names,” said Matthew Vernhout, director of privacy at 250ok. “It leaves both the brand and the consumer unnecessarily exposed to phishing attacks that damage brand trust.”

A 2017 study from the Anti-Phishing Working Group reported that an average of 443 brands per month were targeted for phishing attacks in the first half of 2017, up from 413 per month during the same period in the previous year.

According to the 250ok report, these attacks are a threat to brand trust because 91% of all cyber attacks begin with a phishing email.

“Time and again, we see that phishing is among the most common cyber risks,” said Shehzad Mirza, director of operations for the Global Cyber Alliance.

“Dmarc protects both consumers and businesses from some of the worst types of phishing. The value of the protection is such that both the UK and US governments have mandated their respective government domains to implement Dmarc. We urge all governments and businesses to do the same,” he said.

Supporting customer protection

In an effort to support the protection of consumers and the email programs of businesses around the world, 250ok is offering free usage of its Dmarc software in 2018 for all new customers that sign up before the end of February 2018.

“This is a moment in time where we have the opportunity to make a real impact on the security of consumers and brands,” said Greg Kraios, 250ok CEO. “By offering free access to our Dmarc software, we hope to play a meaningful role in reducing phishing attacks in 2018 and beyond. Ultimately, we expect marketers to see improvements in email engagement due to stronger consumer trust in their brands.”

Read more on Hackers and cybercrime prevention