If you are a transparency phisher, Shaun Waterman has encouraging news for you in: Most large companies don’t use standard email security to combat spoofing.
From the post:
Only a third of Fortune 500 companies deploy DMARC, a widely-backed best-practice security measure to defeat spoofing — forged emails sent by hackers — and fewer than one-in-10 switch it on, according to a new survey.
The survey, carried out by email security company Agari via an exhaustive search of public Internet records, measured the use of Domain-based Message Authentication, Reporting and Conformance, or DMARC.
“It is unconscionable that only eight percent of the Fortune 500, and even fewer [U.S.] government organizations, are protecting the public against email domain spoofing,” said Patrick Peterson, founder and executive chairman, Agari. A similar survey of federal government agencies earlier this month, by the Global Cyber Alliance, found fewer than five percent of federal domains were protected by switched-on DMARC.
The Agari survey found adoption rates similarly low among companies in the United Kingdom’s FTSE and Australia’s ASX 100.
DMARC is the industry standard measure to prevent hackers from spoofing emails — making their messages appear as if they’re sent by someone else. Spoofing is the basis of phishing, a major form of both cybercrime and cyber-espionage, in which an email appearing to a come from a trusted company like a bank or government agency contains malicious links, directing readers to a fake site which will steal their login and password when they sign on.
…
Only eight (8) percent of the Fortune 500 and less than five (5) percent of federal (US) domains have DMARC protection.
I expect DMARC protection rates fall rapidly outside the Fortune 500 and non-federal government domains.
If you are interested in transparency, for private companies or government agencies, the lack of DMARC adoption and use presents a golden opportunity to obtain otherwise hidden information.
As always, who you are and who you are working for, determines the legality of any phishing effort. Consult with an attorney concerning your legal rights and obligations.