DMARC ADOPTION AMONG

Transcription

1 DMARC ADOPTION AMONG US and UK Nonprofit Organizations Q Featuring Matthew Vernhout (CIPP/C) Director of Privacy, 250ok

2 TABLE OF CONTENTS Introduction Research Overview US and UK Nonprofit Organizations Takeaways About

3 INTRODUCTION The scope of this study was focused on the adoption of Domain-based Message Authentication, Reporting & Conformance (DMARC), an authentication, policy, and reporting protocol that helps businesses prevent spoofing of their domains By deploying and monitoring DMARC, institutions lower the likelihood their domains are spoofed and used for phishing attacks on donors, members, volunteers, and employees, among other recipients. A 2017 study from the Anti-Phishing Working Group reported an average of 443 brands per month were targeted for phishing attacks in the first half of 2017, up from 413 per month during the same period in the previous year. These attacks are a threat to brand trust, as 91% of all cyber attacks begin with a phishing . Although most of today s consumers are aware of phishing attacks, two in five US consumers fell victim to an online phishing attack, according to a 2017 Cyber Monday phishing survey by DomainTools. What can nonprofits do protect their brand trust with stakeholders? Deploying a DMARC policy is the first step to protecting donors, members, volunteers, employees, and their trusted brand from phishing attacks. By identifying and suppressing malicious mail impersonating their organization, some senders report a correlating double-digit boost in inbox placement rate, open rates, and clickthrough rates. 3

4 RESEARCH OVERVIEW On May 30, 2018, 250ok conducted an analysis of 6,387 top-level domains controlled by US- and UK-based NPOs with at least 25 employees. The analysis revealed a staggering majority of US nonprofits (94.2%) have no DMARC policy in place, while the UK performs only slightly better (92.7%). Out of the domains with any DMARC policy at all, just 0.8% of UK-based and 0.3% of US-based NPOs use the gold standard p=reject. This is a shocking lack of DMARC adoption industrywide, indicating a troublesome environment ripe for phishing and spoofing attacks that could be catastrophic for NPOs. It is worth noting a meaningful number of institutions likely use a subdomain for some of their messaging (e.g., nonprofit.org is a root domain; mail.nonprofit. org is a subdomain). However, leaving the root domain unauthenticated is an open invitation for spoofing, phishing, and mail forgery. A published record at the root domain will protect the entirety of the domain, including any potential subdomains, as they automatically inherit the DMARC policy of the root domain; however, subdomains can have their own DMARC policy. 4

5 GLOBAL NONPROFITS DMARC Adoption Among US Nonprofits 0.3% 0.8% 4.7% FIGURE 1 DMARC Adoption Among US Nonprofit Organizations Legend n=5506 domains 94.2% Domains w/ No DMARC None policy - good Quarantine policy - better Reject policy - best 94.2% of top-level domains studied lack the most basic DMARC policy, which leaves donors, volunteers, staff, and more at risk of phishing attacks. 5.8% of all domains reviewed had a DMARC policy in place. Only 0.3% of the domains reviewed were at a reject policy, the DMARC gold standard. 5

6 GLOBAL NONPROFITS DMARC Adoption Among UK Nonprofits FIGURE 2 DMARC Adoption Among UK Nonprofit Organizations 0.8% 0.7% 5.8% 92.7% Legend n=881 domains Domains w/ No DMARC None policy - good Quarantine policy - better Reject policy - best 92.7% of top-level domains studied lack the most basic DMARC policy, which leaves donors, volunteers, staff, and more at risk of phishing attacks. 7.3% of all domains reviewed had a DMARC policy in place. Only 0.8% of the domains reviewed were at a reject policy, the DMARC gold standard. 6

7 TAKEAWAYS NPOs are data-rich targets usually holding onto financial information belonging to their donors, members, and volunteers. The current state of NPO authentication shows most organizations are not following recommended best practices for protecting supporters and employees from spoofing, phishing, and other known fraud tactics. This is particularly perilous for organizations who rely heavily on grassroots activism or volunteer leadership, as these groups typically have less expertise in data security or even simply recognizing signs of fraud. For example, crisis-related efforts with donation campaigns are vulnerable to lookalike phishing s, where malicious senders co-opt trusted NPOs domains to trick donors into funneling donations away from the cause and into scammers personal bank accounts. This well-documented practice leads organizations like the Red Cross to issue warnings 1 about fraud in the wake of catastrophic natural disasters, like Hurricane Sandy. 1 Source: 7

8 ABOUT Matthew Vernhout (CIPP/C) Director of Privacy, 250ok Matthew Vernhout is the Director of Privacy at 250ok and is a Certified International Privacy Professional (Canada) with nearly two decades of experience in marketing. He actively shares his expertise on industry trends, serving as director at large of the Coalition Against Unsolicited Commercial (CAUCE), chair of the Experience Council s (EEC) Advocacy Subcommittee, and senior administrator of the Marketing Gurus group. He is a trusted industry thought-leader, speaking frequently at marketing and technology conferences around the globe, and maintaining his celebrated blog, Karma.net. Matthew has contributed to several benchmark publications during his career including DMARC Adoptions Among e-retailers, The EEC s Global Marketing Compliance Guide, The Impact of CASL on Marketing, and more. 250ok focuses on advanced analytics, insight and deliverability technology to power a large and growing number of enterprise programs ranging from clients like Adobe, Marketo, and Furniture Row who depend on 250ok to cut through big data noise and provide actionable, real-time analytics to maximize performance. For more information, visit 250ok.com. 8