Some of the largest Mass. organizations are vulnerable to phishing, survey says

Illustration: Aïda Amer/Axios
Some of Massachusetts' largest companies are vulnerable to phishing attacks, a new survey suggests.
Why it matters: Massachusetts, a hub for higher education, health care, tech and financial services, lost more than $664,000 in 2024 from phishing attacks alone, per the latest FBI data.
- Massachusetts lost more than $25 million in 2024 from data breaches overall, which can include phishing attacks.
Driving the news: A review of the 100 largest Massachusetts corporations, nonprofits and public agencies shows 42% have fully enforced the email authentication standard known as DMARC, per the cybersecurity firm Red Sift.
- Another 26% in Massachusetts reported some enforcement, such as quarantining questionable emails.
- 28% aren't enforcing the DMARC protocol and only passively monitor and report fake emails, while 4% didn't have an email security protocol in place.
- The companies that haven't adopted the standard are left vulnerable to phishing attacks, says Brian Westnedge, vice president of alliance and partnerships at Red Sift.
How it works: Domain-based Message Authentication, Reporting and Conformance can reject or quarantine spoofed emails.
- DMARC policies ensure that the emails that reach an inbox actually come from the organization they claim to represent (like confirming an email from an axios.com address actually came from Axios), Westnedge says.
- DMARC has become the standard since Google, Yahoo and Microsoft announced in 2024 that their accounts would only accept emails from senders with those protections in place.
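As an added illustration (not Red Sift's tooling or method), the sketch below sorts the DMARC TXT record a domain publishes at `_dmarc.<domain>` into the four groups the survey reports. The mapping of groups to policy values (`p=reject` as full enforcement, `p=quarantine` or a `pct` below 100 as some enforcement, `p=none` as monitoring only) is an assumption, and the sample records and domains are constructed.

```python
# Added example (not Red Sift's tooling): sort DMARC TXT records into the
# four groups the survey reports. Tag syntax follows RFC 7489.

def parse_dmarc(txt):
    """Return {tag: value} for a DMARC record, or None for any other TXT record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    name, _, value = parts[0].partition("=")
    # The version tag must come first and its value is exactly "DMARC1".
    if name.strip().lower() != "v" or value.strip() != "DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Classify the TXT records published at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:          # none, or several: receivers apply no policy
        return "no DMARC"
    tags = records[0]
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdecimal() else 100   # invalid pct: use the default
    if policy == "reject" and pct >= 100:
        return "full enforcement"
    if policy in ("reject", "quarantine"):       # assumption: partial rollout
        return "some enforcement"
    # RFC 7489: no valid p= but a rua= address is handled as p=none
    # (simplified here to "rua is present").
    if policy == "none" or tags.get("rua"):
        return "monitoring only"
    return "no DMARC"

# Constructed sample records; the domains are placeholders.
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=quarantine; pct=50"],
    "c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@c.example"],
    "d.example": ["v=spf1 -all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        print(domain, "->", classify(records))
```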
The company analyzed 700 domains across seven states and found that 43% hadn't enforced or didn't have DMARC protocols, while 35% reported full enforcement.
- Red Sift declined to name the companies that haven't bolstered their email security standards, saying it agreed to keep the responses confidential.
Caveat: Massachusetts' sample size is a drop in the bucket compared to the hundreds of thousands of companies in the state, but Red Sift says the survey offers a glimpse of the email security protections businesses have in place.
- If the state's largest organizations haven't fully adopted stronger protections, chances are small businesses with no IT staff and fewer resources overall haven't either.
What they're saying: "If you send email, you're a target," Westnedge says.
- "Small businesses [are] just as much of a target as a large business because, especially small businesses, may not have adopted the stricter security measures that large businesses have budgets to address."
