PayPal’s Latest Leap in Protecting Customers from Fake Email

J. Trent Adams, Sr. Internet Security Advisor

 

 

PayPal doesn’t shy away from big ideas. Having been built on a revolutionary idea to easily move money between customers, it’s in our lifeblood to innovate. But that innovation doesn’t exist only within our own products. We also focus on big ideas that help protect our customers beyond our borders.

 

Just a few years ago many customers were bombarded with fraudulent email intent on stealing information to break into their accounts. Now, there’s been a sea change in phishing attack patterns as we’re helping mailbox providers shut down key attack vectors. As a result, mailbox providers are blocking more than 15 million fraudulent email messages attacking our customers each month. Each message that was blocked from being received by a customer is one less potential victim. To understand how we’ve been able to make this impact on phishing, let’s rewind the clock six years.

 

Back in 2009 PayPal had another big idea. It started when looking for a solution to a particularly vexing problem: how to combat fraudulent email targeting our customers. Once we’d uncovered a possible solution we realized we couldn’t realize its full potential on our own. So, we formed a consortium of collaborators, including industry heavyweights like Facebook, Google, Microsoft, and Yahoo, to work together on the solution. Then three years ago we released the Domain-based Authentication, Reporting & Conformance technical specification. Known as DMARC, the solution locks the door against a specific type of fraudulent email known as domain spoofing.

 

For more background about our work on DMARC, check out some of our previous posts on the topic:

 

 

On Wednesday, February 18, 2015, the original consortium published updated information about the utility and accelerating adoption of DMARC. Given the proven value it provides, it’s not surprising that major mailbox providers such as Google, Microsoft, and Yahoo have seen significant increases in senders adopting DMARC. What started as a handful of highly phished brands protecting their email with DMARC has grown 50% in the past year alone. And if you check the Alexa Top 10 most visited domains, 80% of them publish DMARC records.

 

Joining the likes of Facebook, LinkedIn, and Twitter, 7 out of the top 10 major US financial institutions also protect their customers with DMARC. Internationally, the HM Revenue & Customs department in the UK and the German Office for Information Security (BSI) have also requested that their respective government agencies support DMARC.

 

And now Kaspersky Lab has published their “Financial Cybersecurity 2014” report, which includes further evidence that DMARC is working to protect our customers. They report that they detected a significant reduction in the number of phishing email attacks against PayPal last quarter. Specifically, they report that when comparing attacks against financial services companies, the percentage of attacks against PayPal “decreased by 14.09 percentage points: from 44.12% in 2013 to 30.03% in 2014.” Further, they report that the significant reduction moves PayPal down in their ranking, with Visa now taking the top position as the most targeted financial services company. They point to DMARC as the likely reason for the decrease.

 

So, after dedicating six years to the problem we set out to address, our commitment to combat fraudulent email is making a real difference. Something that started as another big idea became DMARC, and now we can see that it’s clearly protecting our customers from spoofed domain attacks. And although this is only one of many types of attacks, it is satisfying to tick the checkbox as we shift our focus to our next big idea as we continue to aggressively protect our customers against all manner of attacks.

 

 

 

Original author: PayPal-Forward