Apr 25, 2018

Most federal IT contractors don't protect emails from fraud

Photo: Jaap Arriens/NurPhoto via Getty Images

Only one of the top 50 federal IT contractors has fully implemented an email protocol designed to prevent fraud, the Global Cyber Alliance advocacy group reports.

Why it matters: Unless a contractor uses the DMARC protocol, recipients of emails claiming to come from that contractor have no automatic way to check whether those emails are authentic. That means an attacker could impersonate the contractor in email and fraudulently ask a victim to pay a fake invoice or log in to a phishing website.

The details: DMARC lets the recipient of an email check, against a policy the purported sender publishes for its domain, whether the sender actually authorized that email. For emails that fail the check, the purported sender's published policy can instruct the recipient to reject the email, send it to the spam folder or do nothing at all.

  • Only one firm has the reject setting turned on, according to the GCA audit.
  • One firm requests fake emails be treated as spam.
  • 26 have DMARC, but don't instruct the recipient to do anything if emails are fraudulent.
  • 21 do not have DMARC installed.
  • One has DMARC improperly configured and makes no request.
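The five buckets in the list above correspond to what a domain publishes in its DMARC DNS record: a `p=` policy of `reject`, `quarantine` or `none`, a record that is present but unusable, or no record at all. The following is an added example, not code from the article or from the Global Cyber Alliance audit, showing how such a classification can be done on DMARC records. The domain names and records in `FAKE_DNS` are constructed stand-ins for a real DNS lookup of `_dmarc.<domain>`, and treating `pct=0` as "no action requested" is this example's own choice.

```python
# Added example (not from the article or the GCA report): classify a
# domain's published DMARC policy into the buckets the GCA audit uses.

REJECT = "reject"
QUARANTINE = "quarantine"
NONE = "none"                  # DMARC present, but no action requested
MISCONFIGURED = "misconfigured"
ABSENT = "absent"

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs.

    A usable record (RFC 7489) is 'tag=value' pairs separated by ';',
    with 'v=DMARC1' as the first tag. Returns None if the text is not a
    DMARC record at all.
    """
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags.append((key.strip().lower(), value.strip()))
    if not tags or tags[0][0] != "v" or tags[0][1].upper() != "DMARC1":
        return None
    return dict(tags)


def classify_record(record):
    """Map a DMARC TXT record (None when no record exists) to an audit bucket."""
    if record is None:
        return ABSENT
    tags = parse_dmarc(record)
    if tags is None:
        return MISCONFIGURED
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return MISCONFIGURED       # 'p' is mandatory; unknown value is unusable
    # pct= (default 100) is the share of failing mail the policy applies to;
    # pct=0 keeps the record valid but asks receivers to take no action.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return MISCONFIGURED
    if int(pct) == 0:
        return NONE
    return policy


# Constructed stand-in for DNS. In production you would query the TXT
# record at _dmarc.<domain> instead of reading from this dict.
FAKE_DNS = {
    "reject.example":     "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "monitor.example":    "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "broken.example":     "v=DMARC1; rua=mailto:x@broken.example",  # no 'p' tag
    "zero.example":       "v=DMARC1; p=reject; pct=0",
}


def classify_domain(domain, dns=FAKE_DNS):
    """Look up the domain's record in the stand-in DNS and classify it."""
    return classify_record(dns.get(domain))


def audit(domains, dns=FAKE_DNS):
    """Count domains per bucket, like the GCA tally in the article."""
    counts = {b: 0 for b in (REJECT, QUARANTINE, NONE, MISCONFIGURED, ABSENT)}
    for domain in domains:
        counts[classify_domain(domain, dns)] += 1
    return counts


if __name__ == "__main__":
    sample = list(FAKE_DNS) + ["nodmarc.example"]   # last one has no record
    for bucket, n in audit(sample).items():
        print(f"{bucket:14s} {n}")
```

Only a record whose `p=` is `reject` or `quarantine` (with a non-zero `pct`) actually asks receivers to act on spoofed mail; `p=none` produces reports but leaves impersonation unblocked, which is why the audit counts it separately.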

The rules: The Department of Homeland Security required agencies to begin installing DMARC last year, but the order did not extend to contractors.
