Federal Agencies Not Doing Enough to Prevent Phishing

Written by Sue Walsh on April 23, 2009

A new report reveals that most federal agencies aren’t following security protocols that could prevent phishing attacks. The report by the Online Trust Alliance, a group of security companies working to fight Internet fraud, found that 56% of the 25 agencies it studied did not authenticate emails or domain names.

“Phishers will send mail that appears to come from the most recognized domains, such as IRS.gov, for example,” said Craig Spiezle, chairman and founder of the Online Trust Alliance. “What the owner of those domains can do is publish a declaration that tells Internet service providers, receiving networks and e-mail programs, ‘No e-mail will come from this domain,’ or ‘Only mail from these specific IP addresses is authorized to send mail from this domain.’ But most agencies are not doing that.”
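The two declarations described in the quote above are the kind of policy a Sender Policy Framework (SPF, RFC 7208) TXT record expresses. As an added example (not part of the original article or the OTA report), this Python function shows how a receiving network evaluates such a record against the connecting IP address; the records and addresses are constructed samples, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); "+" is the default qualifier.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample policies (documentation address ranges, not real agency records).
NO_MAIL = "v=spf1 -all"                                          # "No e-mail will come from this domain"
LISTED_ONLY = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"   # "Only these IP addresses"


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record against the connecting IP (ip4/ip6/all only)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF policy published: receivers cannot authenticate
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # Catch-all: decides the fate of every sender not matched earlier.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include, a, mx, redirect= and similar need DNS lookups; out of scope here.
        raise NotImplementedError(f"mechanism not handled in this example: {term}")
    return "neutral"  # nothing matched and no "all" term


if __name__ == "__main__":
    for label, record, ip in [
        ("no-mail domain, any sender", NO_MAIL, "203.0.113.7"),
        ("listed sender", LISTED_ONLY, "192.0.2.55"),
        ("unlisted sender", LISTED_ONLY, "203.0.113.7"),
        ("domain with no record", "", "203.0.113.7"),
    ]:
        print(f"{label}: {evaluate_spf(record, ip)}")
```

A domain with no record yields `none`, which leaves the receiver with no basis to reject mail that uses the domain's name; that is the gap the report describes.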

Fourteen federal agencies, including the Department of Homeland Security, the Treasury, the FBI and the White House, earned failing grades in security, while the Bureau of Veterans Affairs, the Census Bureau and the IRS were among the agencies that passed. The IRS is one of the most popular targets of phishers, who send thousands of fake emails claiming the user is owed a substantial tax refund or stimulus payment.

The report recommends that government and industry work together to create a universal standard for authenticating emails. The many different standards in use right now make interoperability impossible.

It’s particularly disturbing that the Department of Homeland Security is one of the agencies that isn’t properly securing its emails and domain names. Hopefully this report will prompt them to fix things so that the DHS is actually… secure!

