PayPal Amps Up Cybersecurity Plans

Cybersecurity is the buzzword flooding the payments and commerce space. No matter the company, the narrative is all about security breaches and how to be proactive in combatting attacks, and that includes protecting email. Last week, PayPal shared its take on how the company is protecting its customers from fraudulent emails.

In a PayPal blog post last week (Feb. 18), J. Trent Adams, the senior Internet Security Advisor at PayPal, shared what the company has been doing for the past six years and how it plans to continue its focus on protecting its customers in collaboration with major players in the industry. Adams wrote about the Domain-based Message Authentication, Reporting, & Conformance (DMARC) specification, a security standard that PayPal was at the forefront of and that is being adopted across the industry to protect consumers’ email accounts from fraudulent attacks.

“After dedicating six years to the problem we set out to address, our commitment to combat fraudulent email is making a real difference,” Adams wrote. “Something that started as another big idea became DMARC, and now we can see that it’s clearly protecting our customers from spoofed domain attacks. And although this is only one of many types of attacks, it is satisfying to tick the checkbox as we shift our focus to our next big idea as we continue to aggressively protect our customers against all manner of attacks.”

Adams also highlighted the value of the DMARC security standard as it has been increasingly adopted across the industry. Adopters include mailbox providers like Google, Microsoft, and Yahoo. More recent additions include Facebook, LinkedIn, and Twitter, as well as seven of the Top 10 major U.S. financial institutions, according to Adams. Internationally, the security standard has gained traction among various government agencies.

“One of the reasons that DMARC has been successful is that end users don’t need to do anything,” wrote Adams, who is also the chairman of DMARC.org. “When email is fully authenticated and verified, our customers are simply protected from spoofed email being delivered to their inboxes.”

Referring to Kaspersky Lab’s recent report, “Financial cyberthreats in 2014,” Adams said DMARC’s reported success confirms PayPal’s cybersecurity strategy.

“They report that they detected a significant reduction in the number of phishing email attacks against PayPal last quarter. Specifically, they report that when comparing attacks against financial services companies, the percentage of attacks against PayPal ‘decreased by 14.09 percentage points: from 44.12 percent in 2013 to 30.03 percent in 2014.’ Further, they report that the significant reduction moves PayPal down in their ranking, with Visa now taking the top position as the most targeted financial services company. They point to DMARC as the likely reason for the decrease.”

And here’s what Google has to say on the matter:

“We’re rapidly moving toward a world where all email is authenticated. Large inbox providers, like Google, track the reputation of all sending domains, and factor that in when deciding whether and how to deliver messages,” Google Product Manager John Rae-Grant said in a release. “Implementing a DMARC policy ensures that a sender’s reputation doesn’t drop due to the actions of spammers. With Gmail, we see a dramatic drop-off in spoofed mail whenever a domain implements a reject or quarantine DMARC policy, and a corresponding stability in the domain’s reputation. If your domain doesn’t protect itself with DMARC, you will be increasingly likely to see your messages sent directly to a spam folder or even rejected.”