Only 50% of the top 50 Oil & Gas companies in the Middle East have DMARC record in place finds Proofpoint

Proofpoint today released research identifying that only 25 (50%) of the top 50 Oil & Gas companies that have operations in the Middle East have a Domain-based Message Authentication, Reporting & Conformance (DMARC) record in place, meaning that half of them are leaving customers at heightened risk of email fraud. The lack of a DMARC record makes companies potentially more susceptible to cybercriminals spoofing their identity and increasing the risk of email fraud targeting their customers.

Only 5 out of 50 (10%) oil and gas companies have ‘reject’ in place, which means a whopping 90% are not proactively blocking fraudulent emails from reaching customers. Reject is the strictest and recommended level of DMARC protection, a setting and policy that actually blocks fraudulent emails from reaching their intended target. The COVID-19 pandemic has seen a spike in highly targeted attacks against the energy industry, deployed through email.

Emile Abou Saleh, Regional Director, Middle East and Africa at Proofpoint, commented: “During the pandemic, oil and gas companies are relying heavily on digitalization to maintain business continuity. This has motivated targeted spear phishing campaigns against the energy vertical. At a time when opportunistic cyber criminals are exploiting global uncertainty, a majority of the oil and gas companies in the region are leaving their customers vulnerable to email fraud. By not implementing adequate email protection they are exposing themselves to phishing, impersonation attacks and other unauthorised use of corporate domains. This is despite email remaining the number one threat vector for cybercriminals.”

DMARC, which is an email validation protocol designed to protect domain names from being misused by cybercriminals, authenticates the sender’s identity before allowing the message to reach its intended designation. It verifies that the purported domain of the sender has not been impersonated and relies on the established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards to ensure the email is not spoofing the trusted domain.

“Energy companies need to ensure that the communication methods they use are secure. We recommend implementing robust email defences and inbound threat blocking capabilities (including deploying DMARC email authentication protocols),” added Emile Abou Saleh.