Online Businesses Not Doing Enough to Stop Phishing Scams
Online businesses need to do a better job of protecting consumers from phishing scams, according to a new study from the Federal Trade Commission. With some small coding adjustments within their websites, retailers and organizations could significantly improve their security measures and prevent scammers from masquerading as their business.
The FTC found 86% of online businesses use Sender Policy Framework, which allows Internet Service Providers to determine whether an email is actually coming from the business it claims to be from. This is a positive development, but it doesn’t address the entire problem. Fewer than 10% of businesses have adopted a secondary technology known as Domain-based Message Authentication, Reporting & Conformance (DMARC). This lets the business know when another entity is trying to scam its customers, and allows the business to tell ISPs to reject any messages coming from the scammer. This could stop the phishing before it ever becomes a problem.
There are different levels of DMARC technology, depending on how much action the business wants to take. Each business can tell the program what to do with the intelligence it receives. Rejecting emails from the scammer is the most aggressive approach, but is only used by 9% of businesses that have Sender Policy Framework. 2% of businesses use the quarantine setting, which flags the emails as spam rather than completely blocking them from a user’s inbox. 23% of businesses do not have any settings for their DMARC, meaning they have not yet specified what to do during a phishing scam.
The FTC says online businesses have made strides in email authentication, but there is still room for improvement.
“Wider implementation of DMARC with the ‘p=reject’ instruction could further combat phishing by keeping these scam emails from ever showing up in consumers’ inboxes.”
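The policy levels described above are published as a `p=` tag in a DNS TXT record at `_dmarc.<domain>`. The following added example (not part of the FTC study or the original article) classifies such records by enforcement level; the domains and record values are constructed, and the `-partial` and `invalid` labels are this example's own naming.

```python
# Added example, not from the FTC study. Domains and records are constructed.
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: the first tag must be exactly v=DMARC1, otherwise ignore the record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return tags

def enforcement(txt):
    """Classify what a receiver is asked to do with mail that fails DMARC."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # RFC 7489 6.6.3: a bad or missing p with a rua tag is handled as p=none.
        return "none" if tags.get("rua") else "invalid"
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        return policy + "-partial"  # policy applied to only pct% of failing mail
    return policy

SAMPLE_RECORDS = {  # constructed _dmarc.<domain> TXT values
    "shop.example": "v=DMARC1; p=reject; rua=mailto:dmarc@shop.example",
    "bank.example": "v=DMARC1; p=quarantine; pct=25",
    "news.example": "v=DMARC1; p=none; rua=mailto:dmarc@news.example",
    "typo.example": "v=DMARC1; p=rejct",
    "spf-only.example": "v=spf1 include:_spf.example -all",
    "bare.example": None,  # no TXT record published
}

def audit(records):
    """Map each domain to its enforcement level."""
    return {domain: enforcement(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, level in audit(SAMPLE_RECORDS).items():
        print(f"{domain:18} {level}")
```

Only the `reject` result keeps failing mail out of the inbox entirely; `none`, `invalid` and `no-dmarc` leave delivery decisions to the receiver.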