Toronto, CANADA – August 24, 2023 – Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research identifying that more than three in four leading Canadian energy companies (77%) are lagging behind on basic cybersecurity measures, subjecting their customers, staff and stakeholders to a higher risk of email-based impersonation attacks.
These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the 40 largest energy companies in Canada. DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals to launch phishing and email fraud attacks. It authenticates the sender's identity before allowing a message to reach its intended recipient, such as energy customers or employees. DMARC has three levels of protection – monitor, quarantine and reject1, with reject being the most secure for preventing suspicious emails from reaching the inbox.
Proofpoint’s research reveals only nine (23%) of Canada’s leading energy companies have implemented the strictest and recommended level of DMARC (reject), meaning 77% have not taken appropriate measures to proactively block spoofed emails from reaching recipients’ inboxes, increasing the risk of email fraud. 10 energy companies (25%) only have a monitoring policy in place for spoofed emails, thereby still allowing potentially malicious spoofed emails into the recipient’s inbox.
67% of the leading energy companies in Canada have taken the initial steps to protecting customers from email fraud by publishing a basic DMARC record. Yet, 33% have no DMARC protection in place at all and are therefore exposed to cybercriminals impersonating their domains to target customers with email fraud.
“As the energy sector is key to both Canada’s economy and its national security, these industry organizations have become prime targets for cybercriminals,” said Jeffrey Freedman, area vice president, Canada, Proofpoint. “Due to the high value of the industry’s assets, such intellectual property, trade secrets, and vast amounts of customer data, it is critical that energy organizations prioritize cybersecurity measures to safeguard against potential cyber threats and protect their customers’ data.”
The Canadian Centre for Cyber Security recently advised that financially motivated cybercrime, particularly business email compromise (BEC) and ransomware, is the main cyber threat facing the Canadian energy industry. BEC is a form of social engineering designed to trick victims into thinking they have received a legitimate email from a senior employee within an organization requesting money or sensitive information be sent. According to Proofpoint’s 2023 State of the Phish report, 62% of Canadian organizations reported an attempted BEC attack last year.
“Email authentication protocols such as DMARC are essential in fortifying defenses against email fraud and safeguarding customers, staff and stakeholders from malicious attacks,” continued Jeffrey Freedman. “While individuals play a crucial role in defending against email fraud, their actions also present one of the biggest vulnerabilities for organizations. DMARC remains the only technology capable of not just defending against but eliminating domain spoofing and the risk of impersonation. By achieving full DMARC compliance, organizations can prevent malicious emails from reaching the inboxes and eliminate the risk of human interference.”
Best practices for customers, staff, and other stakeholders:
This analysis was conducted in August 2023 using data from the list of S&P's TSX Composite Energy Sector Index, comprised of the 40 largest Canadian energy organizations, as measured by total assets.