Almost all of Australia’s leading businesses and government agencies have their email fraud defences wide open, according to new research.

Cyber security practice InfoTrust surveyed 7,393 Australian companies, finding that only 40 (0.5 per cent of the total number) have an effective DMARC (domain-based message authentication, reporting, and conformance) record.

“This means that cybercriminals can easily impersonate the sending email domains of 99.5 per cent of Australia’s leading brands and government agencies. This is despite last year’s Australian Signals Directorate (ASD) recommendation that organisations have their DMARC record set at P=Reject,” said InfoTrust CEO, Dane Meah.

DMARC is an email authentication, policy, and reporting protocol. Along with SPF and DKIM, the DMARC governance framework has been available for many years to prevent email fraud by allowing legitimate brands to tell ISPs and email applications whether or not mail claiming to come from their sending domain is legitimate.

Meah claimed that Australia’s largest companies, which are expected to be on the ball, “are no better protected than the rest”.

“We analysed the ASX 50 and found that only one, Qantas, has its DMARC record set at P=Reject. We know that the Australian government takes email fraud very seriously. The ASD and other agencies are working to address the issue with the ASD recommended DMARC framework,” Meah said.

“Compared with the international experience, Australia is not looking very secure from email fraud. The lack of local compliance here in Australia is very disturbing,” he added.

“All Australian organisations that have not heeded the ASD’s recommendation are exposing themselves – and their customers and partners – to unacceptable risk.”

The research asserts that some very well-known brands across multiple sectors – the likes of AMP, ANZ, ASX Limited, BHP, Commonwealth Bank, Fortescue Metals, Telstra, Westpac, Woolworths, and a host of others – are not DMARC compliant.

Unlike traditional email-borne virus attacks, which can be effectively prevented with traditional inbound security controls, email fraud attacks rely on ‘sleight of hand’ and human frailty. Cyber criminals impersonate a recognisable brand or person and then trick users into either giving over their credit card and password details, or clicking on a link and allowing malware into their systems and corporate networks, said Meah.

He said Australia is the number one phished country in the Asia-Pacific region on a per capita basis, and ranks second behind the US in global terms, and companies are relying on traditional email security gateways to block inbound threats.

“But any business with a recognisable brand should be proactive to prevent misuse of their brand or domains.”

He said it’s only a matter of time before another major email-fraud-borne cyber security incident has a dramatic impact on the Australian economy.
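The criterion the survey applies, a DMARC record set at p=reject, can be checked mechanically. The following is an added example, not InfoTrust's code: the domains and their TXT records are constructed rather than looked up, and beyond the p= tag it also flags the pct, sp and rua settings that weaken enforcement even when reject is set.

```python
# Constructed DMARC TXT records for hypothetical domains; no DNS lookups are made.
SAMPLE_RECORDS = {
    "strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "missing.example": None,                                  # no TXT record at _dmarc.<domain>
    "wrongtype.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs; None if it is not DMARC."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess(txt):
    """Apply the ASD bar (p=reject) and flag tags that weaken enforcement."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no DMARC record"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid: missing or unknown p= tag"
    pct = int(tags.get("pct", "100")) if tags.get("pct", "100").isdigit() else 0
    sub_policy = tags.get("sp", policy).lower()   # subdomains inherit p= unless sp= is set
    findings = []
    if policy != "reject":
        findings.append(f"p={policy} does not reject spoofed mail")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of mail")
    if sub_policy != "reject":
        findings.append(f"subdomain policy sp={sub_policy} is weaker than reject")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are received")
    return "effective (p=reject)" if not findings else "weak: " + "; ".join(findings)

def survey(records):
    """Count how many domains meet the bar, the way the InfoTrust survey did."""
    results = {domain: assess(record) for domain, record in records.items()}
    effective = sum(1 for verdict in results.values() if verdict.startswith("effective"))
    return effective, len(results), results

if __name__ == "__main__":
    effective, total, results = survey(SAMPLE_RECORDS)
    print(f"{effective} of {total} domains are at p=reject: {results}")
```

To run it against real domains, replace the constructed values with the TXT record found at _dmarc.<domain>.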