Aussie banks fail on mail

Summary: Australian financial institutions and public companies are failing to use basic email security standards that could eliminate many of the phishing problems plaguing them.

(Mailbox image by Allen, CC BY-ND 2.0)

The open standards help verify the sender and contents of emails, which can prevent scammers from tricking users into sending financial details to criminals via emails or websites that appear to originate from legitimate sources.

Unfortunately, a US-based security body has reported that few Australian financial institutions are using the standards.

According to the Online Trust Alliance, only 28 per cent of Australian institutions use the Sender Policy Framework (SPF), which could stop scammers from using a bank's email address as their own.

"That's quite low because financial institutions suffer from phishing more than anyone else," alliance chair Manish Goel said. "This and DKIM (DomainKeys Identified Mail) can make a real difference to stopping phishing."
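SPF works by publishing in DNS the hosts allowed to send mail for a domain; the receiving server compares the connecting IP address against that list. The following is an added illustration, not code from the article or from the Online Trust Alliance: a simplified SPF evaluator in Python run over a constructed DNS table with fictional domains. It assumes only the ip4/ip6, include and all mechanisms, which is enough to show why a forged "From" the bank's domain fails when the bank publishes a record ending in -all.

```python
import ipaddress

# Constructed DNS TXT records for fictional domains (example values, not real).
FAKE_DNS_TXT = {
    "examplebank.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookup=FAKE_DNS_TXT.get, depth=0):
    """Evaluate a (simplified) SPF record for `domain` against `sender_ip`.

    Handles ip4/ip6 with optional CIDR, include:, and the catch-all `all`,
    each with an optional +, -, ~ or ? qualifier.  Returns one of
    pass / fail / softfail / neutral / none (no record) / permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # A bare address becomes a /32 or /128 network; a mismatched
            # address family simply does not match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only when the referenced domain's record passes.
            matched = check_spf(arg, sender_ip, lookup, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no `all` term was present


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "192.0.2.1"):
        print(ip, "->", check_spf("examplebank.example", ip))
```

A message claiming to come from examplebank.example but delivered from 192.0.2.1 gets "fail" because of the trailing -all, which is the check that lets a receiving mail server reject the forgery outright.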

The numbers were the same for the Australian Stock Exchange (ASX) top 50 companies.

However, about 20 of the top 50 government agencies were using the SPF standard, which was "pretty good" and ahead of global trends, Goel said.

SPF is recommended by the Australian and US defence departments, along with DKIM and Transport Layer Security (TLS), which extends and supersedes Secure Sockets Layer (SSL).

Another security measure called EVSSL (extended validation secure sockets layer) was also receiving little take-up. Only 14 per cent of Australian government agencies used it. About 16 per cent of the top 50 ASX companies used the protocol.

Goel said that the statistics were bad, given that companies had a duty to their customers to protect them.

"It is an obligation for security professionals to protect consumers. We rely on e-commerce," Goel said.

"If we don't step up to the mark, we miss the chance to self-regulate — and government regulation is at times much more expensive to comply with."

In further research, the alliance recorded more than 5000 instances of malware-infected advertising hosted on more than 1000 "trusted brand" websites.

Goel said blame lay with the 200-plus advertising networks that had accepted the malicious ads from a client and posted them on the publishers' websites.

About half of these malware ads had infected visitors to the websites with drive-by downloads.

Darren Pauli

About Darren Pauli

Darren Pauli has been writing about technology for almost five years. He covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.

1 comment
  • I was expecting discussion of digitally signed email using S/MIME and X.509 certificates - yet another feature that banks consistently fail to use to improve the trustworthiness of their email communications. DomainKeys and SPF help (a little) in controlling forged sender address mail, but do no good for fake domains, "cloaked" HTML email links, fake-letterhead emails, etc. Proper S/MIME use would help readers tell which mail *is* from the bank, not play a guessing game of exclusion.