Proofpoint analysis shows that 90% of the largest organizations in KSA and 80% in the UAE have published a DMARC record, compared to 73% of largest global organizations.
As Google, Yahoo! and Apple prepare to roll out new email authentication requirements designed to prevent threat actors from abusing email, research from leading cybersecurity and compliance company Proofpoint reveals that organizations in the UAE and KSA are more prepared with their email security best practices than global counterparts.
According to a DMARC (Domain-based Message Authentication, Reporting and Conformance) analysis of the Forbes Global 2000 companies, a majority of organizations in the UAE (80%) and KSA (90%) have published a DMARC record, compared to just 73% of the overall global listed companies.
DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals, decreasing impersonation risk for brands. It authenticates the sender’s identity before allowing the message to reach its intended designation. ‘Reject’ is the strictest and recommended level of DMARC protection, a setting and policy that blocks fraudulent emails from reaching their intended target.
As both Google and Yahoo! have announced that email authentication will need to be in place when sending messages to their respective accounts during the first quarter of this year, bulk senders will have even more email authentication requirements to meet, including having a robust DMARC policy in place.
Key Findings from the DMARC analysis of the Forbes Global 2000 include:
- More than one-quarter (27%) of the Global 2000 have no DMARC record in place at all, indicating they are unprepared for the upcoming email authentication requirements. This is compared to just 10% in KSA and 20% in the UAE.
- A staggering 69% of the Global 2000 are not actively blocking fraudulent emails from reaching their customers; with less than one-third (31%) having implemented the highest level of protection to reject suspicious emails from reaching their customers’ inboxes.
- More than half (57%) of the UAE companies listed in the Global 2000 are not proactively blocking fraudulent emails from reaching customers, with 43% implementing DMARC at reject level.
- The organizations listed in KSA are showing stronger levels of email security best practices, with less than half (43%) not actively blocking fraudulent emails (57% have implemented DMARC at the strictest and recommended level of reject).
“Countries in the GCC, especially the UAE and KSA, are continually improving their cyber preparedness, but they must continue to improve measures against fraudulent communication attempts via the number one threat vector – email. Cybercriminals regularly use the method of domain spoofing to pose as well-known organizations and companies by sending an email from a supposedly legitimate sender address. These emails are designed to trick people into clicking on links or sharing personal details, which can then be used to steal money or identities,” said Emile Abou Saleh, Senior Director for Middle East, Turkey and Africa at Proofpoint. “It can be almost impossible for an ordinary Internet user to identify a fake sender from a real one. By implementing the strictest level of DMARC – ‘reject’– organizations can actively block fraudulent emails from reaching their intended targets, protecting their customers, partners, and suppliers from cyber criminals looking to impersonate their brand.”
“Even as leading organizations adopt critical measures to prevent threat actors from sending malicious emails to targets, they will need to move quickly to comply with the new Google and Yahoo! email authentication requirements,” said Emile Abou Saleh, Senior Director for Middle East, Turkey and Africa at Proofpoint. “Companies that send to Gmail or Yahoo! must have Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication methods implemented, as well as a DMARC policy in place.”