

A study of top companies in the United States, United Kingdom and Australia has found a majority have not yet implemented basic protections against phishing attacks.
More specifically, they haven’t embraced Domain-based Message Authentication, Reporting and Conformance, or DMARC, which can help detect and prevent phishing, a method of impersonating people whom the targets know so that they let down their defenses.
The research, from email security firm Agari Data Inc., found that 92 percent of U.S. Fortune 500 companies have left their customers, partners and brand names vulnerable to domain name spoofing and that, conversely, only 8 percent of companies have implemented a full level of appropriate DMARC protections.
DMARC is an email-validation system designed to detect and prevent email spoofing, which is forging an email header so it looks like the message is from a legitimate source. It is designed to combat certain techniques often used in phishing and email spam. DMARC is claimed to virtually eliminate domain name spoofing and its associated attacks and is supported by major email providers, including Google Inc., Microsoft Corp. and Yahoo Inc.
By the numbers, only 39 of the Fortune 500 are enforcing DMARC with a quarantine or reject policy. An additional 124, or 24 percent, have adopted a DMARC policy that monitors but does not prevent domain name spoofing. The remaining 337 companies have done nothing at all.
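The three groups in these figures correspond to the `p=` tag of the TXT record a domain publishes at `_dmarc.<domain>`. The following is an added example, not code from the Agari study or the original article: it classifies records the way a receiver following RFC 7489 would treat them. The domains, mailbox names and the labels `enforce`, `monitor` and `none` are constructed for illustration.

```python
# Constructed sample data: TXT strings as they would be returned for
# _dmarc.<domain>. Domains and report mailboxes are placeholders.
SAMPLE_RECORDS = {
    "reject.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@reject.example"],
    "quarantine.example": ["v=DMARC1;p=quarantine;pct=100"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "typo.example": ["v=DMARC1; p=rejct; rua=mailto:dmarc@typo.example"],
    "spf-only.example": ["v=spf1 -all"],  # a TXT record, but not DMARC
    "nothing.example": [],
}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # RFC 7489: v=DMARC1 must be the first tag
        tags.setdefault(name, value)
    return tags or None

def classify(txt_records):
    """Map a domain's _dmarc TXT records to 'enforce', 'monitor' or 'none'."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:  # no record, or several: no DMARC processing
        return "none"
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "enforce"
    if policy == "none":
        return "monitor"
    # Invalid or missing p=: RFC 7489 has receivers act as if p=none when a
    # report address is present (simplified here to a mailto: prefix check).
    if tags.get("rua", "").lower().startswith("mailto:"):
        return "monitor"
    return "none"

def summarize(records_by_domain):
    """Count domains per category, like the study's headline numbers."""
    counts = {"enforce": 0, "monitor": 0, "none": 0}
    for txt_records in records_by_domain.values():
        counts[classify(txt_records)] += 1
    return counts
```

A mistyped policy such as `p=rejct` lands in the monitoring group rather than the enforcing one, so a domain owner who believes they are rejecting spoofed mail may not be.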
Across the pond, the numbers don’t get any better. Only one company listed on the Financial Times Stock Exchange 100, the U.K. stock market index, has implemented a full DMARC quarantine (spam folder) policy, and only 6 percent had implemented a DMARC reject policy. Two-thirds have not published any DMARC policy at all. The numbers in Australia are just as bad, with 73 percent of companies listed on the Australian Stock Exchange 100 having no DMARC policy in place.
“DMARC is an essential tool that helps prevent spam, phishing and data loss,” Shehzad Mirza, director of operations of Global Cyber Alliance, said in a statement. “GCA urges organizations of all sizes to embrace this technology standard to eliminate direct domain spoofing.”
Agari Executive Chairman Patrick Peterson noted that the problems are preventable using DMARC. “It is unconscionable that only 8 percent of the Fortune 500, and even fewer government organizations, are protecting the public against domain name spoofing,” he said.