State health agencies lag in hardening email security, researchers say

Email security company Proofpoint said 44% of state health agencies don't have a published configuration of DMARC, a protocol that weeds out malicious messages.
emails going in laptop
(Getty Images)

Research published Thursday by email security company Proofpoint found that nearly half of states’ health departments have not said if they’re using a critical protocol designed to prevent criminal activity like spoofing and phishing, a disturbing finding at a time when the internet is rife with scams attempting to take advantage of the COVID-19 pandemic.

Proofpoint said that 44% of state health departments do not have a published record of using Domain-based Message Authentication, Reporting & Conformance, or DMARC, on their email servers, which could make it easier for actors to impersonate those agencies and commit email fraud on unwitting victims. DMARC creates public records that recipients’ email accounts can check to ensure that the sender actually belongs to the organization associated with its domain, such as

But without DMARC in place, health departments, which are some of the most crucial sources of information for the public right now, could “unknowingly expose” themselves to criminal activity, the research states.

“State governments and health departments are in constant contact with constituents as they share updates around the progression of the virus and statewide shelter-in-place orders and other measures,” the Proofpoint report reads. “At the same time, cybercriminals are carefully following each new COVID-19 development and launching attacks that are social engineering at scale based on fear. They know people are looking for information around this out of concern for their safety and are more likely to click on potentially malicious links or download attachments.”


The research did not specify which states lack a published DMARC protocol. Proofpoint also said that since the beginning of the coronavirus pandemic, it has identified more than 300 COVID-19-themed scams, which have produced more than a half-million fraudulent messages full of malicious links and attachments.

“Cybercriminals regularly use domain spoofing to pose as trusted entities and take advantage of weaknesses in email protocols to send a message under a supposedly legitimate sender address,” the report reads. “This makes it difficult for an ordinary Internet user to identify a fake sender.”

Both the federal government and states have said they’re stepping up enforcement of coronavirus-related online scams. The FBI said last month it is working with domain registries to weed out fraudulent addresses. Virginia law enforcement officials in March announced the creation of a task force focused on cybercriminal activity preying on COVID-19 fears.

Additionally, Proofpoint said it found that 92% of all state government agencies — and 88% of state health departments — are not using the strictest DMARC settings to protect their email systems. The vast majority use the setting known as “quarantine,” in which suspicious messages are exiled to a special mailbox for review by an administrator. A higher setting known as “reject” permanently deletes all malicious messages automatically.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts