New research from leading cybersecurity and compliance company Proofpoint found one in four (25%) of Australia’s top 100 online retailers are not taking appropriate measures to protect consumers from potential email fraud and cyber crime.
According to the Australian Retailers Association, Australians are expected to spend a record $6.2 billion over the four-day shopping weekend, a $200 million increase on 2021. In the lead-up, Australians are being urged to stay cyber safe in a year of record scam activity, with the ACCC reporting that online shopping scams have been the third most reported type of scam in 2022, with over 13,000 reports and more than $6.6 million in losses.(1)
Proofpoint’s analysis of Power Retail’s Top 100 retailers for 2022 and their adoption of DMARC(2), a widely used email authentication protocol that lets a domain owner tell receiving mail servers how to treat messages that fail authentication, and so stops its domain name from being used in spoofed email, has found:
- One quarter (25%) of online retailers have no DMARC record in place, leaving Australians open to email fraud.
- Almost a quarter (23%) have implemented the highest level of protection, a reject policy, which blocks suspicious emails before they reach consumers’ inboxes.
- Forty-three per cent have implemented a monitor policy, meaning unqualified emails (messages that claim to come from the retailer’s domain but fail authentication) are still delivered to the recipient’s inbox.
- Nine per cent have implemented a quarantine policy, which directs unqualified emails to the spam/junk folder.
DMARC (Domain-based Message Authentication, Reporting and Conformance) lets a receiving mail server verify that a message genuinely comes from the domain shown in its From address, building on the SPF and DKIM checks, and tells the server what to do when that verification fails, so that cyber criminals cannot impersonate a trusted company or brand.
Proofpoint Senior Director, Advanced Technology Group, Asia Pacific and Japan, Steve Moros, says: “The influx of emails from brands offering great deals during the Black Friday and Cyber Monday shopping period makes it an opportune time for cyber criminals to capitalise on the spike in email traffic and target shoppers with creative and convincing lures. As Australians search the internet and check their inboxes for the latest shopping bargains, it’s important to remain vigilant and keep safe shopping practices front of mind.
“Email is a widely used marketing tool and therefore a popular channel for cyber criminals to leverage to conduct large-scale phishing campaigns to steal personal information or credit card details that can then be used to engage in identity and financial fraud. DMARC is widely viewed as best-practice in preventing suspicious emails from reaching the inbox, yet our research shows one in four retailers aren’t protected. This leaves them open to being impersonated by cyber criminals who can then deliver malicious emails to consumers’ inboxes.”
The Australian Cyber Security Centre’s ‘Annual Cyber Threat Report’ revealed that cyber crime reports increased nearly 13% in 2021 to 76,000 (or one report every seven minutes). Fraud, online shopping, and online banking were the top reported cyber crime types, accounting for 54% of all reports.
“The recent spate of high-profile cyber attacks has demonstrated the unfortunate consequences of cyber criminal activity and so our advice to Australians is to take extra care this shopping season, avoid clicking on suspicious links in emails and make sure to only shop through verified websites. Additionally, we encourage Australians to make sure they are doing their due diligence when shopping not just during Black Friday and Cyber Monday but whenever they’re spending money and giving out personal and financial information online,” Mr Moros said.
Proofpoint’s tips to stay safe when shopping online
- Use strong passwords – Do not reuse the same password on more than one site. Consider using a password manager to make your online experience seamless whilst staying safe.
- Watch out for ‘lookalike’ sites – Attackers create “lookalike” sites imitating familiar brands. These fraudulent sites may sell counterfeit (or non-existent) goods, be infected with malware, or steal money or credentials.
- Dodge phishing and smishing attacks – Phishing emails lead to unsafe websites that gather personal data, like credentials and credit card data. Watch out for SMS phishing too — aka ‘smishing’ — or messages through social media.
- Don’t click on links – Go directly to the source of the advertised deal by typing a known website address directly into your browser. For special offer codes, enter them at the checkout to see if they are legitimate.
- Verify before you buy – Fraudulent ads, websites, and mobile apps can be hard to spot. When downloading a new app or visiting an unfamiliar site, take time to read online reviews and any customer complaints.
What is DMARC?
DMARC is an open email authentication protocol designed to protect domain names from being misused by cyber criminals. It builds on SPF and DKIM: a receiving mail server checks that a message passes those tests for the domain in its From address, and the domain owner publishes a DMARC record in DNS (a TXT record at _dmarc.<domain>) telling the receiver what to do when the check fails. Organisations using DMARC can choose one of three policy levels for unqualified emails attempting to spoof their domains:
- Monitor (p=none: unqualified emails are still delivered to the recipient’s inbox or other folders, but the domain owner can receive aggregate reports about them).
- Quarantine (p=quarantine: unqualified emails are directed to the junk or spam folder).
- Reject, the highest level of protection (p=reject: unqualified emails are blocked from reaching the recipient).
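The survey results above and the three policy levels just listed come down to one check per domain: fetch the TXT record at _dmarc.<domain> and read its policy tag. The script below is an added example, not Proofpoint’s survey tooling, that performs that classification and handles the cases a quick look at a record gets wrong: no record at all, two records (receivers then apply no DMARC), a record with no p= tag (treated as p=none only when a reporting address is present), and a reject policy with pct=0 (published but never enforced). The tag names are the standard DMARC tags from RFC 7489; the domains and DNS answers are constructed for illustration and are not real retailers’ records.

```python
"""Classify a domain's DMARC posture into the buckets used on this page.

Added example, not Proofpoint's survey tooling. The tag names (v, p, sp,
pct, rua) are the standard DMARC tags from RFC 7489; the domains and
records below are constructed for illustration, not real retailers' records.
"""
from typing import Callable, Dict, List

NO_RECORD = "no record"    # nothing usable published at _dmarc.<domain>
MONITOR = "monitor"        # p=none: failing mail is still delivered
QUARANTINE = "quarantine"  # p=quarantine: failing mail goes to junk/spam
REJECT = "reject"          # p=reject: failing mail is refused outright

VALID_POLICIES = {"none": MONITOR, "quarantine": QUARANTINE, "reject": REJECT}


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase-keyed dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt_records: List[str], subdomain: bool = False) -> str:
    """Reduce the TXT records found at _dmarc.<domain> to one bucket.

    Follows the receiver-side rules of RFC 7489 section 6.6.3: only records
    starting with v=DMARC1 count and exactly one must remain; a missing or
    invalid policy tag falls back to p=none only when a reporting address
    (rua) is present; pct=0 means quarantine/reject is never actually applied.
    """
    candidates = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(candidates) != 1:
        return NO_RECORD
    tags = parse_tags(candidates[0])

    # Subdomains use sp= when it is present, otherwise they inherit p=.
    policy = tags.get("sp", tags.get("p", "")) if subdomain else tags.get("p", "")
    policy = policy.lower()
    if policy not in VALID_POLICIES:
        return MONITOR if tags.get("rua") else NO_RECORD

    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) == 0:
        return MONITOR  # published as quarantine/reject, enforced on 0% of mail
    return VALID_POLICIES[policy]


def audit(domains: List[str], lookup_txt: Callable[[str], List[str]]) -> Dict[str, str]:
    """Classify each domain; lookup_txt returns the TXT strings at a DNS name."""
    return {d: classify_dmarc(lookup_txt("_dmarc." + d)) for d in domains}


def summarise(results: Dict[str, str]) -> Dict[str, float]:
    """Percentage of audited domains in each bucket, as reported on the page."""
    total = len(results)
    return {bucket: round(100.0 * sum(1 for v in results.values() if v == bucket) / total, 1)
            for bucket in (NO_RECORD, MONITOR, QUARANTINE, REJECT)}


# Constructed DNS answers standing in for real lookups, so this runs offline.
FAKE_DNS: Dict[str, List[str]] = {
    "_dmarc.shop-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop-a.example"],
    "_dmarc.shop-b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "_dmarc.shop-c.example": ["v=DMARC1; p=none; rua=mailto:reports@shop-c.example"],
    "_dmarc.shop-d.example": [],                                          # nothing published
    "_dmarc.shop-e.example": ["v=DMARC1; p=reject; pct=0"],               # reject on paper only
    "_dmarc.shop-f.example": ["v=DMARC1; rua=mailto:r@shop-f.example"],   # no p=, but has rua
    "_dmarc.shop-g.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: invalid
    "_dmarc.shop-h.example": ["v=spf1 -all"],                             # an SPF record, not DMARC
}

RETAILERS = sorted(name[len("_dmarc."):] for name in FAKE_DNS)

if __name__ == "__main__":
    results = audit(RETAILERS, lambda name: FAKE_DNS.get(name, []))
    for domain, bucket in results.items():
        print(f"{domain:<20} {bucket}")
    print(summarise(results))
```

To run this against real domains, replace the lambda with a resolver: with dnspython, for instance, a function that calls dns.resolver.resolve(name, "TXT"), joins each answer’s .strings into one text record, and returns an empty list on NXDOMAIN or NoAnswer. Note that the shop-e and shop-f cases land in the monitor bucket even though their published records look like a reject policy and a missing policy respectively; a survey that only reads the p= tag would count them differently.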
(1) Australian Competition and Consumer Commission’s Scamwatch Scam Statistics: 1 January 2022 – 30 September 2022.
(2) What is DMARC?