CSC: Many Global 2000 companies susceptible to phishing

A new report has found that domain security is an underutilised security component to curb phishing and related ransomware attacks

The majority of organisations on the Forbes Global 2000 list are vulnerable to attacks on their internet domains due to poor security, according to a study released by CSC.

CSC, a world leader in business, legal, tax, and domain security, has published its annual Domain Security Report: Forbes Global 2000 Companies, which found that despite the shift to modernise business environments and operations, companies’ web domains remain dangerously under-protected.


What did the study find? 

CSC’s research also shows that most Global 2000 companies continue to lag in the adoption of domain security measures. Most notably, 81% of companies are not using registry locks. Other concerning findings include:

  • 70% of homoglyph (fuzzy match) domains, a tactic commonly used in phishing and brand abuse, are owned by third parties
  • 57% of the Global 2000 are relying on off-the-shelf consumer-grade registrars who offer limited domain security mechanisms to protect against domain and DNS hijacking

It was revealed that half of the companies surveyed do not use Domain-based Message Authentication, Reporting, and Conformance (DMARC), a protocol used to verify that emails came from a legitimate address. IT software and services companies were the highest adopters, at 74%, followed closely by health care equipment and services, semiconductor manufacturers, and media companies. Construction companies (28%) were the least likely to use the tool.

CSC also found low usage of several other domain protection methods. Only 5% of companies used DNSSEC, a protocol that prevents DNS cache poisoning attacks. The same number used certificate authority authorisation (CAA) records, which designate a separate certificate authority for a company's domains. This stops an attacker from accessing a company's digital certificates if they get control of a domain.

“Basic domain security measures continue to get overlooked because they’re still not considered an essential component to a company’s broader phishing, business email compromise, or ransomware mitigation approach,” said Mark Calandra, president of CSC Digital Brand Services. “A focus on securing legitimate domains while monitoring for malicious domains in parallel needs to be a bigger priority for companies to stay protected and thwart cyber risk. Otherwise, companies are exposing themselves to significant threats to their cyber security posture, data protection, intellectual property, supply chains, consumer safety, revenue, and reputation.”


Featured Articles

MWC Barcelona 2024: The Future is Connectivity

Discover the latest in global technology and connectivity at MWC Barcelona 2024, where industry giants converge to discuss 5G, AI and more industry trends

AI-Based Phishing Scams Are On The Rise This Valentine’s Day

Research from Egress Threat Intelligence, Avast, Cequence Security & KnowBe4 outlines how AI is being used in dating app phishing scams on Valentine’s Day

Speaker Lineup Announced for Tech Show London 2024

See Below for a Newly Announced Speaker List for Tech Show London 2024, as it Promises to Showcase Technology Trends Will Impact Various Sectors

Darktrace predicts AI deepfakes and cloud vulnerabilities

Cloud Security

Secure 2024: AI’s impact on cybersecurity with Integrity360

Technology & AI

IT and OT security with Ilan Barda, CEO of Radiflow

Cyber Security