UK pubs and restaurants are exposing their customers to the risk of phishing attacks as consumers head back to the bar post lockdown.

Proofpoint analysed ‘’ and ‘.com’ domains of 50 of the top 88 dining brands in the country, to check whether they have implemented the strongest level of DMARC (Domain-based Message Authentication, Reporting & Conformance) protection.

It found that 98% had not and 70% had no published DMARC record at all, leaving customers wide open to phishing.

Just 2% of pub and dining brands had the strongest policy (”p=reject”) in place. DMARC can help limit the impact of spam and phishing, but malicious emails will only be prevented from reaching customers’ inboxes if p=reject is set.

The weakest setting is p=none, which will allow brands to monitor activity but means phishing emails are still sent to users. The next level up, p= quarantine, will mean suspicious messages are still sent to the receivers’ junk folder.

Pub and restaurant goers are particularly exposed at the moment as establishments are asking users to book online before arrival. This means that customers can expect communication from these brands, something cyber-criminals could leverage to their advantage.

We know that cyber-criminals don’t hesitate to prey on society’s anxiety around COVID-19. In times of fear and uncertainty, individuals are much more susceptible to these kinds of attacks, particularly if a fraudulent email looks like it has come from a genuine domain.

Remember, don’t click on anything suspicious, even if it appears to come from an official source. Instead, take steps to contact establishments if you are unsure.