A decade later, domain-based authentication is becoming more critical in financial companies

A decade after online giants such as PayPal launched DMARC, more and more financial players are adopting the email validation system to limit the compromise of business emails. Pictured: A sign is displayed outside PayPal’s headquarters on February 2, 2022, in San Jose, California. (Photo by Justin Sullivan/Getty Images)

To combat email compromises and growing crackdowns, more and more financial players are looking to potentially adopt a long-existing email validation system on a more widespread basis to potentially curb cybercrime.

Originally launched in 2012 by Paypal, Google, Microsoft and Yahoo, this so-called Domain-Based Message Authentication and Compliance (commonly referred to as DMARC) report was designed explicitly to mitigate financial losses – especially those has another decade too -usually started with scam emails. And, these days, with the frequency and cost of Business Email Compromise (BEC) ever increasing, and financial regulators cracking down on institutions they believe are not doing enough to To stem the tide, banks, credit unions, and investment firms are watching DMARC a little more carefully, even if they haven’t before.

According to Seth Blank, Chief Technology Officer at DMARC provider Valimail, 89% of cyberattacks start with an email which impersonates the sender.

“DMARC is a crucial defense here,” Blank argued. “DMARC is binary: either you’re in the app or you’re not. And if you’re not running [level]you expose yourself to cyberattacks.

DMARC’s roots are in the world of online payments and finance. Indeed, DMARC was born out of a need to not only reduce the incidence of corporate email compromise and other phishing scams, but specifically to reduce payments and financial fraud.

In the early 2000s, when online commerce was booming, P2P payments giant PayPal was already incurring $2,300 in fraudulent losses every hour, Blank said. In 2010, scammers were stealing tens of millions of dollars from PayPal customers every month by “spoofing the company’s email domain to send phishing messages”, he added.

“The scammers took advantage of consumers’ trust in the [payments website] to trick customers into sharing their account details or outright sending money to the wrong recipients,” Blank said. “And PayPal knew that these actions were significantly damaging its reputation. Hence the birth of DMARC.

Flash A Decade Ahead: Despite Massive Efforts, Particularly by the Financial Industry, to Address This Issue, the FBI Uncovered BEC Scams cost organizations nearly $2.4 billion last year alone. In 2021, the bureau also said there were nearly 324,000 reports of phishing scams.

More recently, US Securities and Exchange Commission (SEC) legislation outlines the responsibility of financial institutions to protect their customer information, particularly as a result of BEC. In 2021, The SEC has sanctioned eight companies for breaches of their cybersecurity policies and proceedings that resulted in takeovers of email accounts exposing the personal information of thousands of people. For example, unauthorized parties have taken more than 60 Cetera employee accounts, and none of those accounts “were protected by the standards outlined in Cetera’s cybersecurity policies,” Blank added.

Similarly, cybercriminals compromised the email accounts of 15 KMS employees and 4,900 KMS customers between September 2018 and December 2019, Blank pointed out. Following these attacks, it took KMS until May 2020 to develop a written cybersecurity policy or procedure. Further investigation by the SEC revealed that the company did not implement this written policy until August 2020.

“These phishing incidents and BECs both have one characteristic in common: the focus on employees, the point at which the company’s cybersecurity becomes most exposed,” Blank explained. “However, a ‘say-do’ gap still exists in core security protocols such as DMARC, zero trust, encryption, and multi-factor authentication.”

Case in point: While more than three-quarters (77%) of Fortune 500 email domains have a DMARC policy, only 27% of those policyholders fully enforce its use, leaving others vulnerable, according to Valimail Email Fraud Report from 2021.

“Companies need to do better to implement their own procedures,” Blank added. “DMARC alone stops cybercriminals from phishing using your domains. There are no shortcuts to basic security efforts – businesses in all industries need to improve their protections.