New research has revealed that 93 percent of global airlines registered with the International Air Transport Association (IATA) are leaving travellers vulnerable to email fraud due to their lack of compliance with recommended DMARC protection standards.
Security firm Proofpoint, which conducted the research, said it found that a vast majority of global airlines had failed to adopt recommended DMARC protocols, leaving travellers open to phishing, impersonation attacks and other unauthorised use of corporate domains. The findings come at a time when millions across the globe are waiting for notifications from airlines about flight schedules and the resumption of flights to their destinations.
Proofpoint found that while 93 percent of global airlines registered with the International Air Transport Association (IATA) have not implemented the strictest and recommended level of DMARC protection, as many as 61 percent do not have a published DMARC record at all. IATA member airlines represent 82 percent of total air traffic.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an active cyber defence protocol that allows organisations to authenticate their communications as genuine, thereby enabling their customers to separate genuine emails from fraudulent ones and protect themselves from various kinds of email fraud.
According to cloud data intelligence firm OnDMARC, cyber criminals and fraudsters can easily use cloud hosting companies like AWS and Google Cloud, other high reputation cloud-based senders like Sendgrid, or even public websites to impersonate an unprotected domain.
Global airlines lagging behind in DMARC adoption
Even though the number of valid DMARC policies across the world has risen steadily over the past few years, increasing by roughly 300% over the course of 2019, from just 630,000 valid DMARC policies in 2018 to 1.89 million at the end of 2019, Proofpoint's research indicates that adoption, at least among global airlines, is still nowhere near sufficient.
The security firm found that while 85 percent of airlines in China & North Asia have no published policy at all, 70 percent of airlines in the Asia Pacific, 57 percent of airlines in Europe and the Middle East & Africa, and 43 percent of airlines in the Americas have no published policy and therefore lack visibility into the unauthorised use of their domains.
Organisations that have adopted the strictest DMARC policy can be considered proactive in protecting their customers from email fraud, domain phishing, and spear-phishing attempts. On this front, global airlines were found woefully lacking, with not a single airline in China & North Asia having the strictest DMARC policy in place.
Proofpoint also found that 93 per cent of airlines in Europe and the Middle East & Africa and 89 per cent in the Americas and the APAC region did not have the strictest DMARC policies in place.
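The two figures reported above (no published record, and not at the strictest policy) correspond to what a domain publishes in the TXT record at _dmarc.<domain>; the strictest DMARC policy is p=reject. The sketch below is an added example, not Proofpoint's methodology or tooling: it sorts already-fetched TXT strings into those buckets and computes the two percentages. All domain names and records are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:  # skip fragments that are not tag=value
            tags.setdefault(key.strip().lower(), value.strip())
    # RFC 7489: the first tag must be v and its value exactly "DMARC1"
    first_key = parts[0].partition("=")[0].strip().lower() if parts else ""
    if first_key != "v" or tags.get("v") != "DMARC1":
        return None
    return tags

def classify(txt_records):
    """Bucket a domain by the TXT strings found at _dmarc.<domain>."""
    records = [t for t in map(parse_dmarc, txt_records) if t]
    # No record, or several: receivers apply no DMARC policy in either case.
    if len(records) != 1:
        return "no_record"
    policy = records[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "no_record"  # simplification: unusable policy counted as absent
    return policy           # pct and sp tags are not considered here

def summarise(domains):
    """Percentages in the style of the survey figures."""
    counts = Counter(classify(txts) for txts in domains.values())
    total = len(domains)
    return {
        "no_record_pct": round(100 * counts["no_record"] / total),
        "not_strictest_pct": round(100 * (total - counts["reject"]) / total),
    }

# Constructed sample data: domain -> TXT strings at _dmarc.<domain>
SAMPLE = {
    "airline-a.example": [],
    "airline-b.example": ["v=spf1 include:_spf.airline-b.example -all"],
    "airline-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@airline-c.example"],
    "airline-d.example": ["v=DMARC1; p=quarantine"],
    "airline-e.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@airline-e.example"],
}

if __name__ == "__main__":
    for name, txts in SAMPLE.items():
        print(f"{name:20} {classify(txts)}")
    print(summarise(SAMPLE))
```

A domain at p=none does receive aggregate reports through its rua address, so it has visibility into abuse of its name, but spoofed mail is still delivered; only quarantine and reject ask receivers to act on failures.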
"While the travel sector has always been a ripe target for cyber criminals, the pandemic has offered new grounds for the targeting of travellers globally. Whether booking new flights, or seeking information on flight cancellations, one thing remains the same: many people worldwide are eagerly awaiting communication from airlines.
"It is critically important that the communication methods used by airlines and every other industry is secure. We recommend implementing robust email defences and inbound threat blocking capabilities (including deploying DMARC email authentication protocols)," the firm added.
Over 60% of UK banks have no published DMARC record at all
In May this year, Proofpoint also revealed in a separate study that only 13 out of the 64 (20%) banks accredited by the UK government for Coronavirus Business Interruption Loan Scheme (CBILS) loans had implemented the strictest level of DMARC (Domain-based Message Authentication, Reporting & Conformance) protection.
The firm found that while 80 per cent of accredited UK banks did not have the strictest DMARC policies in place to authenticate their communications with customers and other firms, 61 per cent of such banks had no published DMARC record at all, leaving themselves wide open to impersonation attacks.
“By not implementing simple, yet effective email authentication best practices, these accredited organisations are putting already vulnerable businesses at even greater risk, whilst COVID-19 related attacks are on the rise,” said Adenike Cosgrove, Cybersecurity Strategist, International at Proofpoint.
“In times of urgency and uncertainty, individuals are much more susceptible to these kinds of attacks, particularly if a fraudulent email looks like it has come from a genuine domain. In tandem with the fact that the UK government has mandated this email authentication standard for public sector organisations, having the recommended level of DMARC protection is essential for any organisation accredited for the CBILS,” she added.