Startups face the same phishing risks as big corporations

This week, we reported on TechCrunch how thousands of remote employees with health and workplace benefits through human resources giant TriNet received emails that looked like a near-perfect phishing attempt.

One recipient was so skeptical, they shared the email with TechCrunch so we could verify its authenticity. The message checked every suspicious box. In fact, when, we asked two independent security researchers to offer their assessments, each one thought it was a phishing email devised to steal usernames and passwords.

The fact that there was confusion to begin with shows that even gigantic companies like TriNet ā€” a $3.7 billion corporation ā€” are not doing enough to prevent phishing attacks. Had they proactively employed basic email security techniques, it would have been a lot easier to detect that the email was not in fact a phish, but a genuine company email.

But this problem isn’t unique to TriNet; it’s not even unique to big companies.

Last year, security firm Agari found only 14% of all Fortune 500 companies were using DMARC, a domain security feature that prevents email spoofing and actively enforces it. New data supplied by Agari to TechCrunch shows that figure has risen only one percentage point in the last year, bringing it to a meager 15%.

Phishing and impersonation are fundamentally human problems. The aim is to try to trick unsuspecting victims into turning over their usernames, email addresses and passwords to hackers who then log in and steal data or money. In some cases, scammers use an email impersonation scam to trick employees into thinking someone senior in the company needs certain sensitive files like banking information or employee tax documents.