One out of every eight emails sent from what looked like a government address in October was a phony email sent by hackers and spammers, according to data released Friday and Monday by the cybersecurity firm Proofpoint.
About 10 percent of those spoofed emails came from IP addresses outside the U.S., the company said.
In the case of one agency that Proofpoint doesn’t name, 80 percent of spoofed emails that appeared to come from the agency actually originated from Russian IP addresses.
Digital miscreants may spoof a government email to con the recipient into responding with personal information or clicking a link that contains malware.
The report comes as agencies are in the midst of installing new email security protections ordered by the Homeland Security Department known as DMARC.
Agencies have until Jan. 16 to install the updated protections, which would prevent hackers from spoofing emails from government domains in most circumstances.
The Proofpoint study was based on roughly 70 million messages visible on systems protected by the company and includes federal, state and local government email addresses, the company said.
The emails spoofed 296 federal departments and agencies, ranging from extremely large departments to very small ones.
DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, pings a sender’s email domain—such as Commerce.gov—and asks if the sender is legitimate. If the domain says the sender is illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it at all.
DMARC must be installed on both a sender’s and a recipient’s email services to work. If it is, the tool will both prevent federal employees from opening phishing emails from spoofed accounts and prevent hackers and spammers from spoofing federal domains to trick people into opening malicious emails.
About 85 percent of consumer email inboxes use DMARC, including Google’s Gmail, Microsoft’s Outlook and Yahoo Mail.
About 26 percent of agencies were using some level of DMARC protection as of Nov. 6 and 10 percent were using the highest level, which would reject those spoofed emails unread, according to a study by the Global Cyber Alliance.
An October report from the cybersecurity firm Agari found that one in four emails sent to Agari customers that purported to be from government addresses was actually phony. That study only included Agari customers who used DMARC protection.