IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Non-profits have inadequate phishing protection - report
Tue, 28th Mar 2023

Only 1.2% of .org domains globally have implemented measures to prevent email phishing, spoofing, and ransomware attacks, according to new research. 

This figure rises to only 20% among the top 100 US non-profit .org domains by traffic.

New research from email security provider EasyDMARC reviewed a dataset of 9,935,024 verified .org email domains. EasyDMARC found that only 376,497 (3.8%) domains had implemented the Domain-based Message Authentication, Reporting and Conformance (DMARC) security standard. 

The DMARC standard lets receiving mail servers automatically flag and discard incoming emails that impersonate a sender's domain, which is a crucial way to prevent phishing and spoofing attempts that abuse an organisation's domain. Despite the standard being over a decade old, this research indicates widespread under-adoption among non-profits.

While there is a greater degree of DMARC adoption among the 100 most popular US non-profits by traffic, one in four still has not deployed the standard. Further, only 20% of the top 100 US .org domains have both deployed DMARC and implemented a reject policy that automatically rejects emails impersonating a legitimate domain.

The research also signals a failure by the global non-profit sector to adequately configure DMARC when implemented. Among the small minority of the global .org domains tested that employ DMARC, 171,486 (45.6%) had incorrectly configured it. As a result, these organisations lacked visibility into any impersonating emails they received or blocked.

Globally among non-profit domains using DMARC, only 121,290 (32.2%) had implemented a reject policy that automatically rejected emails impersonating a legitimate domain. Most domains employing DMARC had configured it to do nothing about impersonating emails, with 218,777 (58.1%) domains having no policy. 55,281 (14.7%) had configured DMARC to send impersonating emails into quarantine.

"Impersonating email domains is one of the main tools used in successful phishing, spoofing, and ransomware attacks," says Gerasim Hovhannisyan, EasyDMARC CEO and co-founder.

"That is why it's so worrying to see our research indicate that only 1.2% of global non-profits have implemented domain authentication via DMARC, which remains the best way to curb this threat.

"With phishing and ransomware attacks rising dramatically, a widespread lack of domain authentication leaves the non-profit sector incredibly vulnerable to cyber-criminals," he says. 

"Without taking steps to rectify this, many charitable and philanthropic organisations are at risk of significant disruption and financial losses."

Global data

Total checked .org domains: 9,935,024
Has DMARC: 376,497
p=none: 218,777
p=quarantine: 55,281
p=reject: 121,290
Syntax error: 18,851
No RUA/RUF tags: 171,486
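The policy categories described in the paragraphs above (p=none, p=quarantine, p=reject, syntax errors, and records with no RUA/RUF reporting addresses) can be checked for any domain by parsing its `_dmarc` TXT record. The following is an added example written for this page; it is not EasyDMARC's code or methodology. The sample records are constructed for illustration, the tag names are the standard DMARC tags, and the decision to count missing RUA/RUF tags only among syntactically valid records is an assumption about how such a table would be tallied. A real assessment would fetch the TXT record with a DNS resolver instead of reading the dictionary below.

```python
"""Classify DMARC TXT records into the buckets used in the .org study:
no record, p=none / p=quarantine / p=reject, syntax error, and
valid records with no RUA/RUF reporting address (no visibility).
Added example, not EasyDMARC's code; sample records are constructed."""
import re
from collections import Counter

# Constructed sample: what a TXT lookup of _dmarc.<domain> might return.
# None means the domain publishes no DMARC record at all.
SAMPLE_RECORDS = {
    "example-none.org": "v=DMARC1; p=none; rua=mailto:dmarc@example-none.org",
    "example-quarantine.org": "v=DMARC1; p=quarantine; pct=100; "
                              "rua=mailto:agg@example-quarantine.org; "
                              "ruf=mailto:forensic@example-quarantine.org",
    "example-reject.org": "v=DMARC1; p=reject; rua=mailto:agg@example-reject.org",
    "example-blind.org": "v=DMARC1; p=reject",           # enforced, but nobody receives reports
    "example-broken.org": "v=DMARC1 p=reject rua=mailto:x@example-broken.org",  # no separators
    "example-missing-p.org": "v=DMARC1; rua=mailto:x@example-missing-p.org",   # p tag is mandatory
    "example-nodmarc.org": None,
}

VALID_POLICIES = ("none", "quarantine", "reject")
TAG_RE = re.compile(r"^\s*([a-zA-Z]+)\s*=\s*(.*?)\s*$")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; raise ValueError on syntax errors."""
    tags = {}
    parts = [p for p in record.split(";") if p.strip()]
    for part in parts:
        m = TAG_RE.match(part)
        if not m:
            raise ValueError(f"malformed tag: {part!r}")
        tags[m.group(1).lower()] = m.group(2)
    # The record must begin with v=DMARC1 and carry a valid p tag.
    if not parts or list(tags)[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p tag missing or invalid")
    return tags


def assess(record):
    """Return (policy, has_reporting) for one domain.

    policy is 'none', 'quarantine' or 'reject' for a valid record,
    'syntax_error' for an unparsable one, or 'no_dmarc' when no record exists.
    has_reporting is True when at least one of rua/ruf is set, i.e. the
    domain owner actually receives reports about impersonation attempts."""
    if record is None:
        return ("no_dmarc", False)
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return ("syntax_error", False)
    has_reporting = bool(tags.get("rua") or tags.get("ruf"))
    return (tags["p"], has_reporting)


def summarize(records):
    """Tally a set of domains in the shape of the study's tables.

    'has_dmarc' counts only syntactically valid records; 'no_rua_ruf' is a
    cross-cut of those valid records (an assumption about the tallying)."""
    counts = Counter()
    counts["total"] = len(records)
    for rec in records.values():
        policy, reporting = assess(rec)
        if policy in VALID_POLICIES:
            counts["has_dmarc"] += 1
            counts["p=" + policy] += 1
            if not reporting:
                counts["no_rua_ruf"] += 1
        elif policy == "syntax_error":
            counts["syntax_error"] += 1
    return dict(counts)


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:28} {assess(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

For the constructed sample the summary reports 7 domains, 4 with valid DMARC (1 none, 1 quarantine, 2 reject), 2 syntax errors and 1 enforced record with no reporting address. That last case is the one the article calls out: a domain can be at p=reject and still have no visibility into the impersonation it is blocking if neither rua nor ruf is set.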

EasyDMARC conducted research into the 100 most popular US non-profits by traffic.

Top 100 US .org domains by traffic

Has DMARC: 75
p=none: 41
p=quarantine: 14
p=reject: 20
Has DMARC without monitoring: 3