Most Fortune 500 companies aren't using this basic email security feature

The email security feature would cut down on the majority of phishing scams and spam email.



Almost every company in the Fortune 500 is prone to phishing attacks because they don't use a basic security feature that prevents email spoofing.



More than nine out of 10 listed companies are not using a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy on their corporate domains. DMARC is an email validation system used to verify the identity of an email sender, which protects against spoofed emails and phishing attacks.

That's according to a report by cybersecurity firm Agari, which said only 39 companies in the list of 500 firms have a policy that marks unauthenticated messages as spam or rejects them entirely.

Agari didn't name the companies that fared the worst in the report, but told ZDNet that several telecom and tech-oriented companies dominated the list of companies that applied the strongest levels of DMARC email security.

Amazon, Time Warner, Verizon, Visa, and Walmart are among the firms that mark unauthenticated messages as spam, while Adobe, Alphabet (Google's parent company), Facebook, FedEx, Microsoft, Netflix, PayPal, and Yahoo reject emails that haven't come from an authenticated domain.
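Whether a domain marks unauthenticated mail as spam or rejects it is set by the `p=` tag (`quarantine` or `reject`) in the TXT record published at `_dmarc.<domain>`. As an added example (not from the article or Agari's report), the sketch below classifies already-fetched records the way such a survey would; the domains, record strings, function names and category labels are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: TXT value found at _dmarc.<domain>, None if absent.
SAMPLE = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=quarantine; pct=100",
    "c.example": "v=DMARC1; p=none; rua=mailto:dmarc@c.example",
    "d.example": "v=DMARC1; p=reject; pct=25",
    "e.example": "v=spf1 include:_spf.e.example -all",  # SPF, not DMARC
    "f.example": None,
}

def parse_dmarc(txt):
    """Return the tag/value dict of a DMARC record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the version tag v=DMARC1 must come first.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def enforcement(txt):
    """Classify a record as none, monitor, partial, quarantine or reject."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "none"       # no usable DMARC record published
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor"    # p=none (or unusable p): reports only, no action
    pct = tags.get("pct", "100")
    # Assumption: a malformed pct falls back to the default of 100.
    if pct.isdigit() and int(pct) < 100:
        return "partial"    # policy applied to only a share of failing mail
    return policy

def survey(records):
    """Count domains per enforcement level."""
    return Counter(enforcement(txt) for txt in records.values())

if __name__ == "__main__":
    for domain, txt in SAMPLE.items():
        print(f"{domain:10} {enforcement(txt)}")
    print(dict(survey(SAMPLE)))
```

Only the `quarantine` and `reject` results correspond to the enforcing policies the report counts; a record with `p=none` or a reduced `pct` still lets some or all spoofed mail through.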

"It is unconscionable that only eight percent of the Fortune 500, and even fewer government organizations, are protecting the public against domain name spoofing," said Patrick Peterson, Agari's executive chairman.

"Phishing and other forms of digital deception are preventable, and the first step is for our largest companies and organizations to deploy DMARC, a highly-effective open standard," he said in remarks.

It's not the first time that companies have been called out for not using DMARC across their organizations. The chief of the UK's National Crime Agency cybersecurity unit recently said that the protocol's widespread adoption would result in a "significantly reduced" spam problem.

But it's not just private corporations. Even government departments like Homeland Security, which is charged with protecting US cyberspace, don't use the email validation system.

Sen. Ron Wyden (D-OR) criticized the department's policy in July, calling an implementation of DMARC "a no-brainer that increases cybersecurity without sacrificing liberty."

A month later, Homeland Security still hasn't rolled out DMARC.
