Recently, it came to light that former Secretary of State, Hillary Clinton received several phishing emails in the form of fake speeding tickets. According to Politico magazine, a Clinton aide confirmed that the five phishing messages, first reported by the Associated Press, made it into the inbox because they were sent from fake addresses such as” info.5@nyc.gov,” and the protocol established by Clinton’s lawyers presumed all messages containing a .gov address were work related.
Image may be NSFW.
Clik here to view.
This, along with the recent news that CIA Director John Brennan’s and Department of Homeland Security Secretary Jeh Johnson’s personal emails had been hacked sparked our interest at Return Path, and we began to investigate the adoption of DMARC (Domain Based Messaging Reporting and Conformance) by .gov domains.
First, we analyzed 5,300 .gov domains for DMARC and SPF records. What we found was astonishing. Only 105 domains had an SPF record and only 23 domains had a DMARC record in place. Of those with a DMARC record only four had a DMARC policy of quarantine or reject, leaving the rest of the domains susceptible to spoofing and phishing attacks. This is scary if some messages are being treated as legitimate based on their .gov address alone.
Our next step was to determine how much traffic .gov websites are currently receiving. Analytics.usa.gov states that .gov websites had over 1.46 billion visits in the past 90 days. A few of these top visited sites include The United States Social Security Administration, Internal Revenue Service, and The White House, each of which have areas on the site for a user to subscribe to receive email communications.
The problem here is glaring: extremely high amount of traffic on .gov websites, combines with highly sensitive information that can be obtained make for a perfect target for phishers. It is blatantly obvious that any sophisticated attack could have detrimental consequences.
With research estimating that 97% of people around the globe cannot identify a sophisticated phishing email, education is crucial. It is imperative that executives in organizations to educate their employees on how to identify a phishing message. In addition, if you are in charge of an email program at a government organization, whether that organization be the United States Social Security Administration or the City of New York, arming your domain space with DMARC technology is a great step towards increased security.
Edward Tucker, Head of Cyber Security for Her Majesty’s Revenue & Customs, has been protecting UK citizens from email fraud for many years now. He comments: “Simply put, the DMARC standard works. In a blended approach to fight email fraud, DMARC represents the cornerstone of technical controls to rebuild trust and retake the email channel for legitimate brands and consumers”.
Check out our Getting Started with DMARC guide to find out how to learn how to start protecting your organization from email fraud.
