A study conducted by cloud-based email security company Red Sift has found that only 12.5% of America's top 100 retailers have taken steps to prevent fraudulent emails from landing in their customers' inboxes.
The worrying finding emerged after Red Sift researchers looked into the DMARC status of companies featured in STORES Magazine’s Top 100 Retailers for 2019, along with their subsidiaries.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol, specified in RFC 7489, that builds on SPF and DKIM. A domain owner publishes a policy in DNS telling receiving mail servers what to do with messages that claim to come from the domain but fail authentication, and those receivers send aggregate reports back so the owner can see who is sending in its name.
If the policy is set to "reject," receiving servers that honor DMARC refuse unauthenticated messages outright, so phishing emails sent from the exact domain never reach the inbox. Alternatively, a company can choose "quarantine," which tells receivers to treat unauthenticated messages as suspicious, typically by routing them to the junk folder. A third setting, "none," asks only for reports and takes no action against the messages; this is the "monitoring mode" that many organizations start in and never leave.
Red Sift researchers found that of the 120 unique sites they examined, only six had their DMARC set to "quarantine," and just nine had it set to "reject." A staggering 41 had no DMARC protection in place at all, while 64 "had DMARC in place, but only in monitoring mode," a Red Sift spokesperson told Infosecurity Magazine.
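As an added illustration (not Red Sift's methodology or code), the following Python sorts a domain into the same four buckets the study used by reading the policy from its `_dmarc` TXT record. The records and domain names are constructed for the example. It also surfaces two cases an audit should not miss: a `pct=0` override that hollows out a `p=reject`, and a weaker `sp=` policy that leaves subdomains unprotected.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record.

Added example, not Red Sift's tooling. SAMPLE_RECORDS are constructed;
a real audit would fetch _dmarc.<domain> over DNS instead.
"""

# Constructed records, keyed by the _dmarc.<domain> name a receiver would query.
SAMPLE_RECORDS = {
    "_dmarc.reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "_dmarc.quarantine.example": "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    # p=reject with pct=0: every message falls outside the sample and gets
    # the next-weaker policy (quarantine), so this is not really "reject"
    "_dmarc.pct0.example": "v=DMARC1; p=reject; pct=0",
    # strong policy for the organizational domain, but subdomains only monitored
    "_dmarc.weaksub.example": "v=DMARC1; p=reject; sp=none",
    # malformed: the required p tag is missing, so receivers ignore the record
    "_dmarc.broken.example": "v=DMARC1; rua=mailto:x@broken.example",
}

LEVELS = ("none", "quarantine", "reject")  # weakest to strongest


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; {} unless the record carries v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def effective_policy(policy, pct):
    """Messages outside the pct sample get the next-weaker policy (RFC 7489 section 6.6.4)."""
    if pct >= 100:
        return policy
    return LEVELS[max(LEVELS.index(policy) - 1, 0)]


def _label(policy):
    return "monitoring" if policy == "none" else policy


def dmarc_posture(record):
    """Return {'org': ..., 'subdomain': ...}, each one of
    'no record', 'monitoring' (p=none), 'quarantine' or 'reject'."""
    tags = parse_dmarc(record) if record else {}
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        return {"org": "no record", "subdomain": "no record"}
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in LEVELS:
        sub_policy = policy  # no or unparseable sp: fall back to p
    return {
        "org": _label(effective_policy(policy, pct)),
        "subdomain": _label(effective_policy(sub_policy, pct)),
    }


def audit(domain, resolver=SAMPLE_RECORDS.get):
    """Classify <domain> using `resolver`, a callable mapping a DNS name to its TXT record or None."""
    return dmarc_posture(resolver("_dmarc." + domain))


if __name__ == "__main__":
    for name in list(SAMPLE_RECORDS) + ["_dmarc.absent.example"]:
        domain = name[len("_dmarc."):]
        print(f"{domain:20} {audit(domain)}")
```

Plugging in a real resolver (for example, one that queries `_dmarc.<domain>` for TXT records and joins the quoted strings) turns this into the kind of check Red Sift ran. One more caveat for a real run: RFC 7489 says that if more than one DMARC record is found at `_dmarc`, receivers abandon policy discovery, so two records is equivalent to no record.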
The retailers who opted for "reject"—the strongest form of protection—were Walmart, Verizon Wireless, Kohl’s, Gap, Wegmans, Tractor Supply Co., Burlington Coat Factory, IKEA, and Williams-Sonoma.
"Quarantine" was the configured DMARC setting for Amazon, Apple, Dress Barn, Lane Bryant, Wayfair, and Belk.
Red Sift co-founder & CEO Rahul Powar told Infosecurity Magazine that the study's most surprising finding was "the sheer volume of unprotected retailers, given the shift away from shopping malls to online, means an increased reliance on email for marketing and commerce."
Researchers also examined the DMARC settings of America's five leading delivery companies. Shoppers gearing up for Black Friday and Cyber Monday sales will be delighted to learn that UPS, FedEx, DHL, USPS, and Amazon all had DMARC protection set to either "reject" or "quarantine."
But even with DMARC protection set to maximum, shoppers are still vulnerable to cybercrime.
"DMARC will stop all impersonated emails that a fraudster tries to send from an exact domain, like www.ikea.com, but won’t stop emails from look-alike or cousin domains; for example, www.lkea.com or www.1kea.com. This is why the advice is to take a careful look at the sender’s email address, as these clunky fakes will be easy to spot," said Powar.
After admonishing shoppers to be cautious, Powar shared the following advice: "If an offer is too good to be true, that’s usually a sign that someone is trying to entice you into carrying out an action you’d usually think twice about—so just take a moment to check the basics.
"For example, making sure the 'from' email address looks right, hovering over links to check where they will take you before clicking, and finally, if in doubt, opening a new tab and navigating straight to the retailer’s website to find that bargain."
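As an added example (not Red Sift's product logic), the Python below does programmatically what Powar's advice on cousin domains and on checking the "from" address asks shoppers to do by eye: it pulls the domain out of a From: header, decodes punycode so Unicode homoglyphs become visible, folds common confusable characters (1 for l, 0 for o, rn for m) into a skeleton, and flags domains that match a brand domain's skeleton, embed the brand name, or sit one typo or transposition away. The brand list, confusable table and sample senders are all constructed for the illustration, and the registrable-domain split is a naive assumption (last two labels, no Public Suffix List).

```python
"""Flag From: addresses whose domain imitates a brand's domain.

Added example, not Red Sift's product logic. BRAND_DOMAINS, the confusable
tables and SAMPLE_SENDERS are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: the domains we are protecting.
BRAND_DOMAINS = {"ikea.com", "walmart.com", "amazon.com"}

# Illustrative subset of characters fraudsters swap for one another.
MULTI_CHAR = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_CHAR = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e",
    "\u0456": "l",  # Cyrillic small i
    "\u043e": "o",  # Cyrillic small o
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
})


def skeleton(text):
    """Fold confusable characters so look-alikes collapse to the same string."""
    text = text.lower()
    for seq, replacement in MULTI_CHAR.items():
        text = text.replace(seq, replacement)
    return text.translate(SINGLE_CHAR)


def decode_idna(domain):
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs are visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid punycode


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(from_header, brands=BRAND_DOMAINS):
    """Return ('exact', brand), ('lookalike', brand) or ('unrelated', None)."""
    _, addr = parseaddr(from_header)
    domain = decode_idna(addr.rpartition("@")[2].lower().rstrip("."))
    labels = domain.split(".")
    if len(labels) < 2:
        return "unrelated", None
    # Assumption: registrable domain = last two labels (no Public Suffix List).
    registrable = ".".join(labels[-2:])
    for brand in sorted(brands):
        brand_label = brand.split(".")[0]
        if domain == brand or domain.endswith("." + brand):
            return "exact", brand  # the brand's own domain or a subdomain: DMARC applies
        if skeleton(registrable) == skeleton(brand):
            return "lookalike", brand  # homoglyph swap: lkea.com, 1kea.com, Cyrillic i
        if brand_label in labels:
            return "lookalike", brand  # brand as a separate label: ikea.com.example, ikea.net
        if brand_label in labels[-2]:
            return "lookalike", brand  # brand embedded in the label: ikea-blackfriday.com
        if osa_distance(skeleton(labels[-2]), skeleton(brand_label)) <= 1:
            return "lookalike", brand  # one typo or transposition away: walmrat.com
    return "unrelated", None


# Constructed sample headers; the last one is built at runtime so the punycode is exact.
SAMPLE_SENDERS = [
    "IKEA <offers@ikea.com>",
    "IKEA <noreply@mail.ikea.com>",
    "IKEA <deals@lkea.com>",
    "IKEA <deals@1kea.com>",
    "<promo@ikea-blackfriday.com>",
    "<promo@ikea.com.example>",
    "<ship@walmrat.com>",
    "<ship@walrnart.com>",
    "<news@example.com>",
    "<offers@" + "\u0456kea.com".encode("idna").decode("ascii") + ">",
]


def scan(senders=SAMPLE_SENDERS):
    """Classify every header; returns a list of (header, verdict, brand)."""
    return [(h,) + classify_sender(h) for h in senders]


if __name__ == "__main__":
    for header, verdict, brand in scan():
        print(f"{verdict:10} {brand or '-':12} {header}")
```

Each heuristic trades precision for recall: the one-edit threshold also flags legitimate domains near a short brand name (for ikea.com, idea.com would be reported), and substring matching hits any company whose name happens to contain a brand's, so in production the output is a triage signal rather than a block decision. Only the "exact" result is what DMARC protects; every "lookalike" passes DMARC untouched once the fraudster registers the domain and publishes their own SPF and DKIM for it.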