Anti-spoofing e-mail standard not used by many Singapore firms

SINGAPORE – Even though scams have been on the rise amid the Covid-19 pandemic, many companies in Singapore have not taken up a security standard to better fight against attempts by crooks to send spoofed and fraudulent e-mails in the firms’ names.

The country’s adoption rate of the standard, which can relegate spoofed e-mails to spam folders or block them, also pales in comparison with those of other countries, according to a recent study.

Still, cyber-security experts said the e-mail security standard – which is called the Domain-based Message Authentication, Reporting and Conformance (Dmarc) protocol – is not foolproof and has to be used with other measures.

The study found that, as at mid-March, 41 per cent of the top 200 listed firms on the Singapore Exchange have adopted the anti-spoofing standard.

In contrast, 71 per cent of the top 200 listed firms on the Australian Securities Exchange have adopted it, according to the study released by cyber-security firm Proofpoint on April 7.

The rate is 85 per cent for London Stock Exchange-listed blue chip companies in the Financial Times Stock Exchange 100 Index, and 82 per cent for the top American firms in the Fortune 1,000 list.

The findings come after victims here lost at least $633.3 million to scams last year, up from $268.4 million in the previous year, the police said in February.

A survey late last year by e-mail security provider Mimecast also found that, in the past 12 months, 84 per cent of companies here received more e-mail-based threats.

Crooks have used fake e-mails to cheat victims of money, phish for information and deliver malware.

The Dmarc standard was published in 2012 to help fight fraudulent e-mails, and the companies involved included e-mail service providers such as Gmail and Hotmail. It builds on other standards to verify that e-mails are from legitimate senders.

What Dmarc does that the other standards do not is tell e-mail services what to do with unverified e-mails. At the lowest setting, it monitors such messages and lets them through, but sends legitimate senders reports on the fake and real e-mails that recipients get, so senders can first adjust their e-mail settings and other measures.

“Dmarc gives organisations the power to govern their e-mail domains and have visibility over which e-mails are being sent on their behalf,” said Mr Stanley Hsu, Mimecast’s regional vice-president.

Senders can then set Dmarc to move fake e-mails – made to look like they were sent by them – to recipients’ spam folders and, at the strictest level, block them outright.

E-mail recipients have other ways to filter fake messages but how they deal with them might not be consistent. Dmarc seeks to standardise this.

Dmarc also plugs another gap by ensuring the e-mail address that a recipient sees meshes with e-mail components verified by the other standards. So, many cyber-security experts believe Dmarc must be adopted with the other standards.
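The three settings described above correspond to the `p=none`, `p=quarantine` and `p=reject` values in the Dmarc record a sender publishes in DNS. The following check is an added example, not part of the original article or the Proofpoint study; the records and `example.com` addresses are constructed samples, and the function names are illustrative.

```python
# Added example: audit a published DMARC TXT record (tag names per RFC 7489).
# Maps the p= tag to the handling the article describes and flags weak settings.
HANDLING = {"none": "monitor", "quarantine": "spam folder", "reject": "block"}

def parse_dmarc(txt):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    if not txt.strip().startswith("v=DMARC1"):
        raise ValueError("not a DMARC record (must start with v=DMARC1)")
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Return (handling, findings) for one DMARC record string."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in HANDLING:
        raise ValueError("missing or invalid p= tag")
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are received")
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy covers
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    return HANDLING[policy], findings

# Constructed sample records, one per setting.
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; pct=25",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
]

if __name__ == "__main__":
    for record in SAMPLES:
        handling, findings = assess(record)
        print(f"{record}\n  handling: {handling}")
        for finding in findings:
            print(f"  warning: {finding}")
```

A domain's live record is the TXT entry at `_dmarc.<domain>`; its value can be passed to `assess()` unchanged.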

Proofpoint said Dmarc adoption here could be lower than elsewhere because of low awareness of the protocol’s importance.

