author photo
By Clare O’Gara
Tue | Jun 2, 2020 | 4:45 AM PDT

Throughout COVID-19, two major groups in the U.S. have been on the front lines in the fight to protect the safety of citizens: state governments and healthcare.

But according to Proofpoint, these organizations are struggling to safeguard their own cybersecurity.

Data reveals holes in email fraud response

There are a few things we constantly rely on, particularly during a global pandemic.

The first? Organizations and agencies that support citizens, like state governments and healthcare. The second is effective communication.

Unfortunately, recent data from Proofpoint demonstrates how these organizations are facing challenges regarding the security of their communications.

According to the research, 44% of these entities do not have a published Domain-based Message Authentication, Reporting & Conformance (DMARC) record.

DMARC, which is an email validation protocol designed to protect domain names from being misused by cybercriminals, authenticates the sender’s identity before allowing the message to reach its intended designation. It verifies that the purported domain of the sender has not been impersonated and relies on the established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards to ensure the email is not spoofing the trusted domain.

Without that record, these groups may be at a higher risk of email fraud.

But the numbers get scarier. How many of these entities have not implemented the strictest and recommended level of DMARC protection?

•  88% of state health departments
•  92% of state governments

And these shortcomings have resulted in serious impacts, according to Proofpoint:

"Proofpoint has identified more than 300 COVID-19 themed scams to date, accounting for more than 500,000 messages, 300,000 malicious URLs, and 200,000 malicious attachments.

Cybercriminals regularly use domain spoofing to pose as trusted entities and take advantage of weaknesses in email protocols to send a message under a supposedly legitimate sender address. This makes it difficult for an ordinary Internet user to identify a fake sender."

As states begin to converge on reopening strategies, one thing is clear: protecting the safety of their citizens is far from the only challenge they will be facing.