Largest UAE, Saudi firms ahead of global counterparts in blocking fraudulent emails from reaching customers

Proofpoint analysis shows that 90% of the largest organisations in Saudi Arabia and 80% in the UAE have published a DMARC record

by

Somshankar Bandyopadhyay

  • Follow us on
  • google-news
  • whatsapp
  • telegram

Top Stories

Published: Sat 17 Feb 2024, 10:44 PM

Last updated: Sun 18 Feb 2024, 10:16 PM

As Google, Yahoo! and Apple prepare to roll out new email authentication requirements designed to prevent threat actors from abusing email, research from leading cybersecurity and compliance company Proofpoint reveals that organisations in the UAE and Saudi Arabia are more prepared with their email security best practices than global counterparts.

According to a DMARC (domain-based message authentication, reporting, and conformance) analysis of the Forbes Global 2000 companies, a majority of organisations in the UAE (80 per cent) and Saudi Arabia (90 per cent) have published a DMARC record, compared to just 73 per cent of the overall global listed companies.


DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals, decreasing impersonation risk for brands. It authenticates the sender’s identity before allowing the message to reach its intended designation. ‘Reject’ is the strictest and recommended level of DMARC protection, a setting and policy that blocks fraudulent emails from reaching their intended target.

As both Google and Yahoo! have announced that email authentication will need to be in place when sending messages to their respective accounts during the first quarter of this year, bulk senders will have even more email authentication requirements to meet, including having a robust DMARC policy in place.


Key Findings from the DMARC analysis of the Forbes Global 2000 include:

•More than one-quarter (27 per cent) of the Global 2000 have no DMARC record in place at all, indicating they are unprepared for the upcoming email authentication requirements. This is compared to just 10 per cent in Saudi Arabia and 20 per cent in the UAE.

•A staggering 69 per cent of the Global 2000 are not actively blocking fraudulent emails from reaching their customers; with less than one-third (31 per cent) having implemented the highest level of protection to reject suspicious emails from reaching their customers’ inboxes.

•More than half (57 per cent) of the UAE companies listed in the Global 2000 are not proactively blocking fraudulent emails from reaching customers, with 43 per cent implementing DMARC at reject level.

•The organisations listed in Saudi Arabia are showing stronger levels of email security best practices, with less than half (43 per cent) not actively blocking fraudulent emails (57 per cent have implemented DMARC at the strictest and recommended level of reject).

Emile Abou Saleh, regional director, Middle East and Africa at Proofpoint
Emile Abou Saleh, regional director, Middle East and Africa at Proofpoint

“Countries in the GCC, especially the UAE and Saudi Arabia, are continually improving their cyber preparedness, but they must continue to improve measures against fraudulent communication attempts via the number one threat vector – email. Cybercriminals regularly use the method of domain spoofing to pose as well-known organisations and companies by sending an email from a supposedly legitimate sender address. These emails are designed to trick people into clicking on links or sharing personal details, which can then be used to steal money or identities,” says Emile Abou Saleh, senior director for Middle East, Turkey, and Africa at Proofpoint. “It can be almost impossible for an ordinary Internet user to identify a fake sender from a real one. By implementing the strictest level of DMARC – “reject” – organisations can actively block fraudulent emails from reaching their intended targets, protecting their customers, partners, and suppliers from cyber criminals looking to impersonate their brand.”

“Even as leading organisations adopt critical measures to prevent threat actors from sending malicious emails to targets, they will need to move quickly to comply with the new Google and Yahoo! email authentication requirements,” said Abou Saleh. “Companies that send to Gmail or Yahoo! must have Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication methods implemented, as well as a DMARC policy in place.”


More news from Business