About one-fourth of emails that purport to be from federal agencies are malicious phishing emails spoofing federal addresses, according to a Thursday report from the cybersecurity company Agari.
The study was based on Agari clients that use an email security feature called Domain-based Message Authentication, Reporting and Conformance, or DMARC.
On Monday, the Homeland Security Department gave federal agencies three months to install DMARC on their email systems as part of a larger email and web security drive.
DMARC is already installed on about 85 percent of consumer email inboxes, including those from Gmail, Yahoo and Microsoft’s Outlook, but it’s less common on government and corporate email systems.
About 82 percent of government email inboxes appear to not be using DMARC at this point, according to the Agari report.
The Homeland Security move is aimed at preventing digital ne’er-do-wells from spoofing federal email domains, such as @irs.gov and @va.gov, to launch phishing attacks. It will also help protect federal employees from falling victim to phishing attacks.
Spoofed government email domains are particularly popular for phishing attacks because citizens presume they’re trustworthy or contain important information.
DMARC only works if it’s installed on both ends of a transaction. When that happens, the receiving inbox asks the sending inbox’s email domain—@irs.gov, for example—to authenticate that the sending address is legitimate before it delivers the message.
In the Agari test, one-fourth of emails that purported to be from federal government addresses failed that authentication. The vast majority of those emails were genuinely malicious, but some may have failed authentication for other reasons, an Agari spokesman told Nextgov.