Email is the #1 way cybercriminals target governmental organizations and their constituents

Government agencies are typically regarded as highly credible and trustworthy resources for citizens, and cybercriminals will take any opportunity available to exploit that established trust. As governments increasingly communicate through email, bad actors increasingly impersonate governmental organizations via email for malicious purposes. This is especially common — and dangerous — during times when citizens are on the lookout for authoritative information, such as during elections, states of emergency, tax seasons or other uncertain times. DMARC helps prevent organizations from being spoofed in phishing attacks. And when it comes to sending legitimate email to constituents, DMARC can also improve email deliverability, streamlining vital communication between governments, government employees and citizens.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol used to protect an organization’s email channel from spoofs, phishing scams and other email-borne attacks. Established by Google, Yahoo!, Microsoft and others in 2012, DMARC builds on existing email authentication techniques SPF and DKIM to strengthen your domain’s fortifications against fraudulent use. DMARC is the best way for email senders and receivers to determine if a given message is authentically from the sender, and what to do if it is not. It also helps improve your organization’s email deliverability to the inbox.

DMARC Adoption in Governments Around the Globe

Brand impersonation is rampant in the public sector. Yet, according to a recent Mimecast global survey, 64% of public-sector organizations have not yet deployed DMARC. To increase DMARC adoption, several countries have made DMARC implementation mandatory or recommended for national government organizations, including:

  • The United States: In 2017, the Department of Homeland Security mandated that all federal government domains establish a DMARC policy of “p=reject” within a year.
  • The United Kingdom: The Government Digital Service updated security guidelines in 2016 to ensure all government domains publish a DMARC reject policy.
  • The Netherlands: The Standardization Forum mandated that all Dutch government organizations implement DMARC and set it to reject by the end of 2019.
  • Australia: The Malicious Email Mitigation Strategies guidance recommends that all organizations (not just governmental ones) establish a DMARC policy set to reject.

The Impact of Government Impersonation Attacks

Governmental organizations can’t cut corners when it comes to keeping citizens safe. Constituents trust their local and federal agencies to do everything in their power to prevent cybercrimes. By capitalizing on that established trust, bad actors target potentially vulnerable people who are seeking health insurance, looking for tax assistance, trying to pay bills, registering to vote, renewing a driver’s license, trying to receive unemployment insurance benefits and more. When they’re successful, criminals can steal personal information, conduct fraud, deploy malware or ransomware, influence elections and more. Needless to say, a successful email domain spoof can deeply damage the government’s integrity, authority and trustworthiness.

DMARC Benefits for Governmental Organizations

DMARC helps secure all channels of communication between your agency, partners and constituents. Additionally, DMARC provides the following benefits to governmental organizations:

Online brand protection:
Local, state and federal agencies are common targets for cybercriminals to impersonate for malicious purposes. DMARC protects your brand’s integrity by keeping your organization out of their arsenal of easily spoof-able email domains.

Increased email deliverability:
By deploying DMARC authentication, you signal to email receivers that your organization’s emails are legitimate, ensuring they’re delivered to the inbox rather than blocked or sent to the spam folder.

A published policy that instructs ISPs and other email receivers to deliver, quarantine or delete emails:
With DMARC, you can decide whether potential abuses of your email domain are solely reported back to you without further action (p=none), quarantined for further review (p=quarantine) or — the gold standard — automatically rejected (p=reject).

Greater visibility into cyber threats:
DMARC’s reporting capability enables you to monitor all authorized third parties that send emails on your behalf, alongside those that are not authorized. This helps ensure compliance with security best practices and aids investigations into email security or phishing issues.
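The policy choice (none, quarantine or reject) and the authorized-sender visibility described above both come down to one check a receiving mail server performs: does an SPF or DKIM pass align with the domain in the visible From: header, and if not, what does the published record ask for? The following Python evaluator is an added example written for this page, not Mimecast's or any mail server's code; the agency domain example.gov, the record and the message results are constructed, and the organizational-domain rule is a simplification of what real receivers do.

```python
from dataclasses import dataclass

def parse_dmarc(txt: str) -> dict:
    """Parse a '_dmarc' TXT record into tag/value pairs, filling RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}   # relaxed alignment, apply to 100%
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    return tags

def org_domain(domain: str) -> str:
    # Simplification: take the last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From: header (RFC5322.From)
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # domain SPF was checked against (RFC5321.MailFrom)
    dkim_result: str
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned

def evaluate(record: str, r: AuthResults) -> dict:
    """Return the DMARC verdict and the disposition the published policy requests."""
    p = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, p["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, p["adkim"])
    # Either aligned pass is enough; a subdomain From: falls under sp= when it is published.
    is_subdomain = r.from_domain.lower() != org_domain(r.from_domain)
    policy = p.get("sp", p["p"]) if is_subdomain else p["p"]
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    disposition = "none" if verdict == "pass" else policy
    return {"dmarc": verdict, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "disposition": disposition}

# Constructed record for a fictional agency domain: reject spoofs, quarantine unsigned subdomain mail.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.gov"

if __name__ == "__main__":
    spoof = AuthResults("example.gov", "pass", "attacker.example", "none", "")
    print(evaluate(RECORD, spoof))   # SPF passed, but for an unaligned domain -> reject
```

With p=none the same unaligned message would be delivered and only show up in the aggregate (rua) reports, which is what makes the monitoring phase safe before moving to reject.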

Prevent Email Phishing and BEC Attacks

In 2016, the UK Revenue & Customs Department stopped over 300 million phishing attempts by implementing DMARC. This statistic is just one of many that underscores the inherent susceptibility of email. 95% of all cyberattacks start with email, and of those email-borne attacks, 91% are phishing scams. Why? The hard truth about email is that because it is so easy to set up, it is just as easy for cybercriminals to send messages that forge your organization’s email domains. Countless reputable government organizations have been exploited by criminals to execute phishing and BEC attacks on citizens and government employees. Because government agencies rely so heavily on credibility and trust, any association with criminal phishing campaigns can be devastating — especially when it could have been prevented by enforcing stricter security standards like DMARC.


How to be DMARC Compliant

In order to achieve maximum return on your DMARC investment, governmental organizations must complete the necessary steps to correctly implement DMARC. Mimecast embarked on our own journey to enforce DMARC across all of our owned domains in 2020, and the project was documented in a three-part blog series for other organizations to use for reference. It’s important to note that while DMARC is a key component of any email security program, it is not a standard that can be deployed, configured, activated and then forgotten. Once you have set your DMARC policy to reject, it’s vital that your organization establishes a program of ongoing monitoring, as the online threat landscape is not static. In addition, most organizations are regularly deploying new, legitimate email senders that need to be managed as part of the organization’s DMARC program.