During the COVID-19 pandemic, states are on the front line as they work to ensure the safety of their constituents and communities. Unfortunately, many state governments and health departments have not implemented email authentication best practices and may be unknowingly exposing themselves to cybercriminals looking to capitalize on the pandemic and potentially trick individuals with fraudulent emails.
In an examination of U.S. state governments and health departments, Proofpoint uncovered that 44 percent of these entities do not have a published DMARC (Domain-based Message Authentication, Reporting & Conformance) record, making them potentially more susceptible to cybercriminals spoofing their identity and increasing the risk of email fraud targeting users.
Further, 92 percent of all state governments and 88 percent of state health departments have not implemented the strictest, recommended level of DMARC protection: the “Reject” policy, which blocks fraudulent emails before they reach their intended target. This figure includes 10 states that do not have a standalone health department site (separate from the state’s master .gov site).
DMARC, an email validation protocol designed to protect domain names from being misused by cybercriminals, authenticates the sender’s identity before allowing the message to reach its intended destination. It verifies that the purported domain of the sender has not been impersonated and relies on the established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards to ensure the email is not spoofing the trusted domain.
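The two findings above (no published record, and a record whose policy is weaker than “Reject”) come down to reading one DNS TXT record, published at _dmarc.<domain>, whose tags carry the policy. The script below is an added example, not Proofpoint’s tooling or anything from the original post: it parses DMARC records in that tag-value syntax, classifies each by protection level, and reproduces the two percentages the post reports for a set of domains. The domain names and record strings are constructed samples; a real audit would fetch each record with a DNS query (for example, dig +short TXT _dmarc.example.gov) and feed the answer to the same functions. It also covers a case an audit should not miss: p=reject combined with a pct value under 100 applies the reject policy to only a fraction of failing mail, so it is counted here as partial rather than full protection.

```python
"""Classify DMARC records by protection level.

Added example (not code from Proofpoint or the original post). A DMARC record
is a DNS TXT record at _dmarc.<domain> of the form "v=DMARC1; p=reject; ...".
The records below are constructed samples for hypothetical domains.
"""

# Constructed sample records keyed by hypothetical domain; None means the
# domain publishes nothing at _dmarc (these are not real DNS answers).
SAMPLE_RECORDS = {
    "state-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc-rpt@state-a.example",
    "state-b.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc-rpt@state-b.example",
    "state-c.example": "v=DMARC1; p=none; rua=mailto:dmarc-rpt@state-c.example",
    "state-d.example": None,                          # no record published
    "state-e.example": "v=DMARC1; p=reject; pct=25",  # reject applied to 25% only
    "state-f.example": "v=spf1 -all",                 # SPF text, not a DMARC record
}

LEVELS = ("no-record", "invalid", "monitor", "quarantine", "reject-partial", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT string into a {tag: value} dict.

    Returns None when the text is not a DMARC record: tags are separated by
    ';', each is 'name=value', and the first tag must be v=DMARC1.
    """
    if record is None:
        return None
    tags = {}
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue  # tolerate a trailing ';'
        name, sep, value = chunk.partition("=")
        if not sep:
            return None  # malformed tag
        tags[name.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    return tags


def classify(record):
    """Map one record (or None) to one of LEVELS."""
    if record is None:
        return "no-record"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    # A missing or unrecognised 'p' tag gives receivers nothing to enforce,
    # so it is treated here as monitoring only.
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    except ValueError:
        pct = 100
    if policy == "reject":
        return "reject" if pct >= 100 else "reject-partial"
    if policy == "quarantine":
        return "quarantine"
    return "monitor"


def summarize(records):
    """Return (percent with no usable record, percent below full reject),
    the two figures the post reports, rounded to whole percent."""
    levels = [classify(r) for r in records.values()]
    n = len(levels)
    no_record = sum(1 for lv in levels if lv in ("no-record", "invalid"))
    below_reject = sum(1 for lv in levels if lv != "reject")
    return round(100 * no_record / n), round(100 * below_reject / n)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:20} {classify(record)}")
    no_rec, weak = summarize(SAMPLE_RECORDS)
    print(f"no DMARC record: {no_rec}%  not at full reject: {weak}%")
```

Running it on the samples prints one line per domain and the two summary percentages. Records fetched from live DNS can be passed to classify() unchanged, after stripping the surrounding quotes dig prints around TXT data.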