CIO

Australia’s gate ‘wide open’ for email spoof attacks

Lack of compliance in Australia ‘very disturbing’, says InfoTrust CEO

Almost all of Australia’s leading businesses and government agencies have their email fraud defences wide open, according to new research.

Cyber security practice InfoTrust surveyed 7,393 Australian companies, finding that only 40 (0.5 per cent of the total number) have an effective DMARC (domain-based message authentication, reporting, and conformance) record.

“This means that cybercriminals can easily impersonate the sending email domains of 99.5 per cent of Australia’s leading brands and government agencies. This is despite last year’s Australian Signals Directorate (ASD) recommendation that organisations have their DMARC record set at P=Reject,” said InfoTrust CEO, Dane Meah.

DMARC is an email authentication, policy, and reporting protocol. Along with SPF and DKIM, the DMARC governance framework has been available for many years to prevent email fraud by allowing legitimate brands to tell ISPs and email applications whether or not mail claiming to come from their sending domain is legitimate.
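To make the ‘effective DMARC record’ idea in the survey concrete, the following added example (written for this article, not InfoTrust’s tooling or methodology) parses the TXT record published at `_dmarc.<domain>` and classifies it: a policy of `p=reject` (the ASD recommendation) or `p=quarantine` applied to all mail counts as effective, `p=none` is monitoring only, and a reduced `pct=` or a weaker subdomain policy (`sp=`) is treated as partial enforcement. The sample records, the domain names and the classification thresholds are constructed assumptions for illustration.

```python
"""Classify DMARC records by how much protection they actually enforce.

Added example, not code from the article or from InfoTrust. The records
below are constructed samples, not real DNS data.
"""
from typing import Optional

# Constructed TXT records as they would appear at _dmarc.<domain>.
SAMPLE_RECORDS: dict[str, Optional[str]] = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "quarantine-half.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@quarantine-half.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "broken.example": "v=DMARC1; pct=100",  # required p= tag is missing
    "no-record.example": None,               # no _dmarc TXT record published at all
}


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split a DMARC record into tag=value pairs (RFC 7489 tag-value syntax).

    Tag names are case-insensitive; whitespace around ';' and '=' is ignored.
    Insertion order is kept so the caller can check that v= comes first.
    """
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def classify(txt: Optional[str]) -> str:
    """Return 'missing', 'invalid', 'monitor-only', 'partial' or 'effective'.

    'effective' (an assumed threshold for this example) means p=reject or
    p=quarantine, applied to 100% of mail and inherited by subdomains.
    """
    if txt is None:
        return "missing"
    try:
        tags = parse_dmarc(txt)
    except ValueError:
        return "invalid"
    # RFC 7489: v=DMARC1 must be the first tag and p= is mandatory.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"  # reports only; spoofed mail is still delivered
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"       # enforcement sampled on only part of the mail stream
    if tags.get("sp", policy).lower() == "none":
        return "partial"       # subdomains remain spoofable
    return "effective"


def summarise(records: dict[str, Optional[str]]) -> dict[str, int]:
    """Count domains per classification, the shape of a survey like InfoTrust's."""
    counts: dict[str, int] = {}
    for txt in records.values():
        label = classify(txt)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:28} {classify(txt)}")
    print(summarise(SAMPLE_RECORDS))
```

A real survey would fetch each domain’s record with a resolver (for example `dig TXT _dmarc.example.com`) before passing the text to `classify`; that lookup is left out here so the example runs offline. Note that publishing `p=none` only produces reports and does nothing to stop impersonation, which is why the ASD guidance the article cites asks for `p=reject`.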

Meah claimed that Australia’s largest companies, which are expected to be on the ball, “are no better protected than the rest”.

“We analysed the ASX 50 and found that only one, Qantas, has its DMARC record set at P=Reject. We know that the Australian government takes email fraud very seriously. The ASD and other agencies are working to address the issue with the ASD recommended DMARC framework,” Meah said.

“Compared with the international experience, Australia is not looking very secure from email fraud. The lack of local compliance here in Australia is very disturbing,” he added.

“All Australian organisations that have not heeded the ASD’s recommendation are exposing themselves – and their customers and partners – to unacceptable risk.”

The research asserts that some very well-known brands across multiple sectors – the likes of AMP, ANZ, ASX Limited, BHP, Commonwealth Bank, Fortescue Metals, Telstra, Westpac, Woolworths, and a host of others – are not DMARC compliant.

Unlike traditional email-borne virus attacks, which can be effectively prevented with traditional inbound security controls, email fraud attacks rely on ‘sleight of hand’ and human frailty. Cyber criminals impersonate a recognisable brand or person and then trick users into either giving over their credit card and password details, or clicking on a link and allowing malware into their systems and corporate networks, said Meah.

He said Australia is the number one phished country in the Asia-Pacific region on a per capita basis, and ranks second behind the US in global terms, and companies are relying on traditional email security gateways to block inbound threats.

“But any business with a recognisable brand should be proactive to prevent misuse of their brand or domains.”

He said it’s only a matter of time before another major email fraud borne cyber security incident has a dramatic impact on the Australian economy.