Report: Smaller banks not shouldering email security burdens



The top five U.S. banks have all adopted an email security protocol that helps guard customers against phishing — but none of the 50 fastest growing community banks in the country have done so, according to new data.

Domain-based Message Authentication, Reporting and Conformance, or DMARC, is a way of preventing email spoofing — when hackers or cybercriminals send messages purporting to come from someone else’s email address. Because spoofed messages often contain malicious links or attachments designed to infect the recipient with malware and steal financial information, “adopting DMARC helps companies protect their customers, protect their brand and make their email more trustworthy,” according to Phil Reitinger of the Global Cyber Alliance.

“When correctly implemented, DMARC ensures that the vast majority of consumers will no longer receive spoofed email purporting to come from” the DMARC-implementer’s domain, Reitinger said.

The alliance has a portal where consumers can check whether their bank, or any other company they do business with, uses DMARC. “Anyone can plug the domain of their bank or any other company into the box” to see whether they have DMARC implemented, Reitinger said.

Using its own tool, Reitinger said, GCA found that all of the top five U.S. banks — JP Morgan Chase, Wells Fargo, Bank of America, Citibank and U.S. Bank — have deployed DMARC, but only 11 of the top 50 have. And none of the 50 fastest growing smaller community banks — a list that includes several with multi-billion dollar valuations — has done so.

In Europe, only 9 of the top 50 banks have deployed the tool, which was developed six years ago by major email providers, e-commerce companies and social media networks.

“All financial institutions really ought to be deploying DMARC,” Reitinger said.

For the 39 of the top 50 U.S. banks that haven’t fully implemented the protocol, “the good news,” said Reitinger, is that 22 have begun implementation — having DMARC deployed but not fully enabled.

“There are some signs that there could be more progress over the next year or two,” as those companies move to fully enable their deployments, he said.

Because large corporations typically have very complicated email environments, involving cloud services and other third-party providers sending on the company’s behalf, experts say that it makes sense for initial DMARC deployment to be low impact.

“Improper deployments, which don’t take account of cloud services and other providers, can cause the company’s legitimate mail to be marked as spoofed and filtered into spam folders or directly into the trash,” said Reitinger. “That’s why it’s considered best practice to implement it at the lowest setting first.”

GCA’s board chairman and Barclays Bank Group CISO Troels Oerting says his company had begun its deployment in this way. “We have tested and used DMARC in monitoring mode and are moving into ‘reject’ mode to protect the more than 60 million emails we distribute monthly,” he said in a statement.

Oerting added that “We need more companies to deploy DMARC to strengthen the ecosystem.”
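The staged rollout described above (monitoring mode first, then quarantine or reject) is visible in a domain’s published DMARC record. The Python below is an added example, not code from GCA’s portal; the domains and records it checks are constructed, and it reads them from an in-memory table rather than doing a live DNS query.

```python
"""Classify a domain's DMARC posture from its published _dmarc TXT record.
Buckets mirror the article: no record, p=none (deployed but not fully
enabled, i.e. monitoring), and quarantine/reject (enforcing)."""

# Constructed sample records (hypothetical domains, not real DNS data).
# In production, lookup() would query the TXT record at "_dmarc.<domain>".
SAMPLE_DNS = {
    "bigbank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bigbank.example; adkim=s; aspf=s",
    "midbank.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:agg@midbank.example",
    "newbank.example": "v=DMARC1; p=none; rua=mailto:reports@newbank.example",
    "smallbank.example": None,               # nothing published at all
    "broken.example": "p=reject; v=DMARC1",  # 'v' must be the first tag
}

def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not a valid DMARC1 record."""
    if not record:
        return None
    parts = [p.strip() for p in record.split(";") if p.strip()]
    # RFC 7489 requires the version tag first and a policy tag somewhere.
    if not parts or parts[0].lower().replace(" ", "") != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if "p" in tags else None

def classify(domain, lookup=SAMPLE_DNS.get):
    """Map a domain to: not deployed, invalid, monitoring, partial enforcement, enforcing."""
    record = lookup(domain)
    if record is None:
        return "not deployed"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    # pct below 100 applies the policy to only a sample of failing mail.
    return "enforcing" if pct >= 100 else "partial enforcement"
```

A domain in the "monitoring" bucket corresponds to the article’s "deployed but not fully enabled" count: reports flow back to the owner, but receivers are not told to reject spoofed mail.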

DMARC builds on two earlier email security measures — Sender Policy Framework, or SPF, and DomainKeys Identified Mail, or DKIM. Both of these involve the sender authenticating the message in some way. DMARC is different in that it involves the recipient, too: the domain owner publishes a policy telling receiving mail servers what to do with messages that fail those checks, and receivers send reports back to the owner.

“The more companies that deploy DMARC, the more secure the ecosystem becomes,” explained Reitinger. As DMARC-protected email grows as a share of total email volume, receivers can divert non-DMARC mail to spam folders with greater confidence.

“We need DMARC to be not just a best practice, but a best common practice,” he concluded.