Back to news
Cybersecurity Alert
June 15, 2026 by EmailMeNow IT Consulting

Cybersecurity Audit of S&P 100 Companies in 2026

Independent email and domain security audits of 103 S&P 100 constituents — scores range from 86% to 38%. Weak DMARC and SPF remain common at America's largest public companies.

S&P 100Fortune 500Email SecurityDMARCPublic Companies
Cybersecurity audit scores for S&P 100 company domains in 2026

An independent cybersecurity review across 103 S&P 100 index constituents — the largest U.S. public companies by market capitalization — reveals a wide spread in email-authentication posture. Household names from Apple, Microsoft, and NVIDIA to Berkshire Hathaway, JPMorgan Chase, and Walmart were evaluated on primary corporate domains.

Using data from audit.emailmenow.com, we scored each company’s primary domain across email, website, and network security — SPF, DKIM, DMARC, MTA-STS/TLS, and security headers.

In this national audit, scores ranged from 86% to 38%29 of 103 (28%) scored 70% or above; 32 scored below 60%.

Cybersecurity Scores of S&P 100 Companies

Overall compliance scores from audit.emailmenow.com. Re-run any domain at the link to verify.

RankCompanyDomainOverall ScoreWebsite ScorePerformance Level
1Lindelinde.com86%100%Strong
1Micron Technologymicron.com86%100%Strong
3Accentureaccenture.com85%92%Strong
43M3m.com84%92%Good
5Costcocostco.com74%45%Good
5Adobeadobe.com74%45%Good
5Abbott Laboratoriesabbott.com74%92%Good
5Eatoneaton.com74%45%Good
5Marriott Internationalmarriott.com74%45%Good
5S&P Globalspglobal.com74%45%Good
11Microsoftmicrosoft.com73%45%Good
12Amgenamgen.com72%45%Good
12UPSups.com72%45%Good
14Berkshire Hathawayberkshirehathaway.com71%70%Good
14Palo Alto Networkspaloaltonetworks.com71%45%Good
14Applied Materialsappliedmaterials.com71%45%Good
17Exxon Mobilexxonmobil.com70%45%Good
17Philip Morrispmi.com70%45%Good
17Boeingboeing.com70%45%Good
17Caterpillarcat.com70%45%Good
17T-Mobile USt-mobile.com70%45%Good
17Charles Schwabschwab.com70%45%Good
17Booking Holdingsbooking.com70%45%Good
17Medtronicmedtronic.com70%45%Good
17Lockheed Martinlockheedmartin.com70%45%Good
17Automatic Data Processingadp.com70%45%Good
17Intuitive Surgicalintuitive.com70%45%Good
17Intuitintuit.com70%45%Good
17FedExfedex.com70%45%Good
30Johnson & Johnsonjnj.com68%45%Above Average
30Netflixnetflix.com68%45%Above Average
30AMDamd.com68%92%Above Average
30Pfizerpfizer.com68%45%Above Average
34JPMorgan Chasejpmorganchase.com67%45%Above Average
35Teslatesla.com66%45%Above Average
36UnitedHealth Groupunitedhealthgroup.com65%45%Above Average
36Procter & Gamblepg.com65%45%Above Average
36RTX (Raytheon)rtx.com65%45%Above Average
39Coca-Colacoca-colacompany.com64%45%Above Average
39Texas Instrumentsti.com64%45%Above Average
39IBMibm.com64%45%Above Average
39Starbucksstarbucks.com64%45%Above Average
39Qualcommqualcomm.com64%45%Above Average
39American Expressamericanexpress.com64%45%Above Average
39Mondelezmondelezinternational.com64%45%Above Average
39Boston Scientificbostonscientific.com64%45%Above Average
39Deere & Companydeere.com64%45%Above Average
39Danaherdanaher.com64%45%Above Average
39CME Groupcmegroup.com64%45%Above Average
50Broadcombroadcom.com63%45%Above Average
50Honeywellhoneywell.com63%45%Above Average
50TJX Companiestjx.com63%45%Above Average
50Colgate-Palmolivecolgatepalmolive.com63%45%Above Average
54Salesforcesalesforce.com62%45%Above Average
54Strykerstryker.com62%45%Above Average
56Comcastcomcast.com61%45%Above Average
57NVIDIAnvidia.com60%45%Above Average
57Mastercardmastercard.com60%45%Above Average
57Walmartwalmart.com60%45%Above Average
57Home Depothomedepot.com60%45%Above Average
57Merckmerck.com60%45%Above Average
57PepsiCopepsico.com60%45%Above Average
57Nikenike.com60%45%Above Average
57CVS Healthcvshealth.com60%45%Above Average
57Lowe’slowes.com60%45%Above Average
57AT&Tatt.com60%45%Above Average
57NextEra Energynexteraenergy.com60%45%Above Average
57General Motorsgm.com60%45%Above Average
57Ford Motorford.com60%45%Above Average
57Targettarget.com60%45%Above Average
57Chubbchubb.com60%45%Above Average
72Oracleoracle.com58%45%Average
73Alphabet (Google)google.com57%45%Average
74Amazonamazon.com56%45%Average
74Verizonverizon.com56%45%Average
74Bank of Americabankofamerica.com56%45%Average
77BlackRockblackrock.com55%45%Average
77ServiceNowservicenow.com55%45%Average
77Gilead Sciencesgilead.com55%45%Average
80Appleapple.com54%45%Average
80Visavisa.com54%45%Average
80AbbVieabbvie.com54%45%Average
80Ciscocisco.com54%45%Average
80Walt Disneydisney.com54%45%Average
80Union Pacificup.com54%45%Average
80Goldman Sachsgoldmansachs.com54%45%Average
80Morgan Stanleymorganstanley.com54%45%Average
80Uberuber.com54%45%Average
80General Dynamicsgd.com54%45%Average
80HCA Healthcarehcahealthcare.com54%45%Average
80Wells Fargowellsfargo.com54%45%Average
80Marsh & McLennanmarshmclennan.com54%45%Average
93Eli Lillylilly.com52%45%Average
94Vertex Pharmaceuticalsvrtx.com51%70%Average
95ConocoPhillipsconocophillips.com50%45%Average
95Citigroupciti.com50%45%Average
97Chevronchevron.com48%45%Below Average
97Progressiveprogressive.com48%45%Below Average
99Meta Platformsmeta.com44%45%Below Average
99Southern Companysoutherncompany.com44%45%Below Average
99Duke Energyduke-energy.com44%45%Below Average
102McDonald’smcdonalds.com42%45%Below Average
103Thermo Fisher Scientificthermofisher.com38%45%Weak

Website Security Scores

Scores ranged from 100% to 45%; 2 of 103 reached the 100% ideal and 95 scored below 60%.

RankCompanyDomainWebsite ScoreRating
1Lindelinde.com100%Strong
1Micron Technologymicron.com100%Strong
3Accentureaccenture.com92%Strong
33M3m.com92%Strong
3Abbott Laboratoriesabbott.com92%Strong
3AMDamd.com92%Strong
7Berkshire Hathawayberkshirehathaway.com70%Good
7Vertex Pharmaceuticalsvrtx.com70%Good
9Costcocostco.com45%Below Average
9Adobeadobe.com45%Below Average
9Eatoneaton.com45%Below Average
9Marriott Internationalmarriott.com45%Below Average
9S&P Globalspglobal.com45%Below Average
9Microsoftmicrosoft.com45%Below Average
9Amgenamgen.com45%Below Average
9UPSups.com45%Below Average
9Palo Alto Networkspaloaltonetworks.com45%Below Average
9Applied Materialsappliedmaterials.com45%Below Average
9Exxon Mobilexxonmobil.com45%Below Average
9Philip Morrispmi.com45%Below Average
9Boeingboeing.com45%Below Average
9Caterpillarcat.com45%Below Average
9T-Mobile USt-mobile.com45%Below Average
9Charles Schwabschwab.com45%Below Average
9Booking Holdingsbooking.com45%Below Average
9Medtronicmedtronic.com45%Below Average
9Lockheed Martinlockheedmartin.com45%Below Average
9Automatic Data Processingadp.com45%Below Average
9Intuitive Surgicalintuitive.com45%Below Average
9Intuitintuit.com45%Below Average
9FedExfedex.com45%Below Average
9Johnson & Johnsonjnj.com45%Below Average
9Netflixnetflix.com45%Below Average
9Pfizerpfizer.com45%Below Average
9JPMorgan Chasejpmorganchase.com45%Below Average
9Teslatesla.com45%Below Average
9UnitedHealth Groupunitedhealthgroup.com45%Below Average
9Procter & Gamblepg.com45%Below Average
9RTX (Raytheon)rtx.com45%Below Average
9Coca-Colacoca-colacompany.com45%Below Average
9Texas Instrumentsti.com45%Below Average
9IBMibm.com45%Below Average
9Starbucksstarbucks.com45%Below Average
9Qualcommqualcomm.com45%Below Average
9American Expressamericanexpress.com45%Below Average
9Mondelezmondelezinternational.com45%Below Average
9Boston Scientificbostonscientific.com45%Below Average
9Deere & Companydeere.com45%Below Average
9Danaherdanaher.com45%Below Average
9CME Groupcmegroup.com45%Below Average
9Broadcombroadcom.com45%Below Average
9Honeywellhoneywell.com45%Below Average
9TJX Companiestjx.com45%Below Average
9Colgate-Palmolivecolgatepalmolive.com45%Below Average
9Salesforcesalesforce.com45%Below Average
9Strykerstryker.com45%Below Average
9Comcastcomcast.com45%Below Average
9NVIDIAnvidia.com45%Below Average
9Mastercardmastercard.com45%Below Average
9Walmartwalmart.com45%Below Average
9Home Depothomedepot.com45%Below Average
9Merckmerck.com45%Below Average
9PepsiCopepsico.com45%Below Average
9Nikenike.com45%Below Average
9CVS Healthcvshealth.com45%Below Average
9Lowe’slowes.com45%Below Average
9AT&Tatt.com45%Below Average
9NextEra Energynexteraenergy.com45%Below Average
9General Motorsgm.com45%Below Average
9Ford Motorford.com45%Below Average
9Targettarget.com45%Below Average
9Chubbchubb.com45%Below Average
9Oracleoracle.com45%Below Average
9Alphabet (Google)google.com45%Below Average
9Amazonamazon.com45%Below Average
9Verizonverizon.com45%Below Average
9Bank of Americabankofamerica.com45%Below Average
9BlackRockblackrock.com45%Below Average
9ServiceNowservicenow.com45%Below Average
9Gilead Sciencesgilead.com45%Below Average
9Appleapple.com45%Below Average
9Visavisa.com45%Below Average
9AbbVieabbvie.com45%Below Average
9Ciscocisco.com45%Below Average
9Walt Disneydisney.com45%Below Average
9Union Pacificup.com45%Below Average
9Goldman Sachsgoldmansachs.com45%Below Average
9Morgan Stanleymorganstanley.com45%Below Average
9Uberuber.com45%Below Average
9General Dynamicsgd.com45%Below Average
9HCA Healthcarehcahealthcare.com45%Below Average
9Wells Fargowellsfargo.com45%Below Average
9Marsh & McLennanmarshmclennan.com45%Below Average
9Eli Lillylilly.com45%Below Average
9ConocoPhillipsconocophillips.com45%Below Average
9Citigroupciti.com45%Below Average
9Chevronchevron.com45%Below Average
9Progressiveprogressive.com45%Below Average
9Meta Platformsmeta.com45%Below Average
9Southern Companysoutherncompany.com45%Below Average
9Duke Energyduke-energy.com45%Below Average
9McDonald’smcdonalds.com45%Below Average
9Thermo Fisher Scientificthermofisher.com45%Below Average

What the Results Reveal

  • Linde (86%), Micron Technology (86%), Accenture (85%) lead the index on combined cybersecurity posture; Thermo Fisher Scientific (38%) trails the field.
  • Website headers lag identity controls: only 2 domains reached the 100% ideal on website security; 95 scored below 60% (HSTS, CSP, clickjacking protection).
  • Cybersecurity vendors are not uniformly top-ranked: Palo Alto Networks (71%) ranks mid-pack despite being a security-first brand — configuration gaps persist even at companies that sell firewalls and email protection.
  • Mega-cap technology names show mixed results: Micron (86%) ranks near the top while Meta (44%), Alphabet (57%), and Apple (54%) sit well below the index leaders — enormous market cap does not guarantee strong domain hygiene.
  • 32 companies scored below 60% — a range where spoofed executive communications, vendor-payment fraud, and credential phishing remain realistic threats.
  • Investors, vendors, and enterprise customers should verify DMARC enforcement, MTA-STS, and website hardening on any domain used for billing, wire instructions, or account recovery.

Attack exposure at the bottom of the index

Domains scoring near 38% combine weak identity enforcement, missing inbound transport protections, and sub-60% website hardening. Without naming specific constituents, organizations in that tier are disproportionately exposed to:

  • Business email compromise (BEC) — spoofed messages appearing to come from executives or accounts payable, used to redirect wires, ACH payments, and investor-relations transfers.
  • Brand impersonation phishing — fake billing, HR, benefits, and vendor notices that pass visual inspection because DMARC and SPF are not fully enforced.
  • Credential harvesting — login pages linked from forged @company.com mail aimed at employees, contractors, customers, and retail shareholders.
  • Invoice and procurement fraud — altered payment instructions sent to finance teams and supply-chain partners who trust the corporate domain.
  • Account-recovery abuse — password-reset and MFA prompts triggered from impersonated sender addresses.
  • Inbound mail downgrade attacks — absence of enforced MTA-STS allows opportunistic TLS stripping on messages destined for the organization.
  • Clickjacking and session risks — missing HSTS, CSP, and frame protections on the public site increase browser-side attack surface for visitors and logged-in users.
  • Supply-chain targeting — partners who whitelist the domain for deliverability become secondary victims when spoofed mail originates unchecked.
  • Header gaps at scale95 of 103 domains scored below 60% on website security in this audit. Clickjacking and session risks are not confined to the bottom tier; many mid-pack names share the same 45% website floor.

These are not theoretical edge cases. State breach portals and FBI IC3 reporting consistently tie weak email authentication and header gaps to measurable financial loss at large enterprises.

Real attacks, told as stories

The stories below are made up, but they are based on real crimes that police and cybersecurity teams see every year. No S&P 100 company is named. Each story shows how weak domain settings can hurt real people — employees, vendors, investors, and job seekers who interact with America’s largest public companies.


Story 1: Maria and the payment that was not real

Illustration: Fortune 100 supplier reviewing a spoofed procurement payment email

Maria works in accounts payable at Heartland Components, a parts supplier on the approved vendor list of a Fortune 100 manufacturer.

On a Tuesday morning, she gets an email that looks normal:

From: accounts-payable@bigbrand.com
Subject: New bank info for March invoices

The logo looks right. The tone sounds like past emails from procurement. A PDF lists a new routing number.

Maria does not know that bigbrand.com has weak email security. A stranger sent the message from their own server and pretended to be the big brand. That is called brand impersonation.

She approves a $284,000 wire. The money goes to the attacker, not the real company.

The next day, the same fake sender emails two more suppliers Maria knows from industry conferences. One ignores it. One also changes bank details. That is supply-chain targeting — hurting partners by faking the main company’s name.

Attack vectors in this story: brand impersonation · invoice and procurement fraud · supply-chain targeting · business email compromise (BEC)

Simple fix: Strict DMARC (p=reject), SPF (-all), and a rule that every bank change needs a phone call to a known contact — not just email.


Story 2: Jordan clicks “reset password”

Illustration: industrial manager facing a fake corporate password reset

Jordan is a regional operations manager at a Dow-component industrial. On Wednesday at 2 p.m., his phone buzzes:

From: it-security@bigbrand.com
Subject: Reset your password in 2 hours or lose access

Jordan is busy. The email looks like IT mail he has seen before. He clicks the link.

The page looks like his company login. It is not. It is a copy on a similar-looking website (bigbrand-secure.com). He types his username and password. The attacker saves them.

This is account-recovery abuse and credential harvesting. The criminal used a fake “reset your account” message because people trust mail from @company.com.

That night, the attacker signs into Jordan’s mailbox and reads old threads about a possible acquisition. On Thursday, they email the CFO’s assistant:

From: cfo@bigbrand.com
Subject: Urgent — confidential wire for escrow

That is BEC — business email compromise. The assistant almost approves it. A bookkeeper asks, “Did you talk to the CFO on the phone?” The wire stops. Jordan still has to change every password he reused.

Attack vectors in this story: account-recovery abuse · credential harvesting · business email compromise (BEC)

Simple fix: DMARC p=reject, train staff that IT will never rush a reset by email alone, and require a callback before any wire.


Story 3: The contract email no one knew could be copied

Illustration: M&A agreement email exposed on an unencrypted mail path

Priya is outside counsel closing an acquisition for a public S&P 100 company. She emails a draft purchase agreement to her client’s inbox at @bigbrand.com. The send button works. Her screen says Delivered.

What Priya cannot see: on part of the internet path, the mail server connection was downgraded from locked (TLS) to unlocked. Without MTA-STS set to mode=enforce, her client’s mail system still accepts the message. An attacker on that path can copy attachment text in plain form.

This is an inbound mail downgrade attack. Most people worry about fake outgoing email. MTA-STS protects incoming mail — mail sent to your company.

Priya’s IT contact sees green checkmarks in their dashboard. Nothing looks wrong. Weeks later, a rival bidder seems to know price terms early. The leak might have started on the wire, not in someone’s inbox.

Attack vector in this story: inbound mail downgrade (no MTA-STS)

Simple fix: Publish MTA-STS in enforce mode and turn on TLS-RPT reports so IT gets alerted when encryption fails.


Story 4: Alex applies for a job online

Illustration: analyst applicant trapped on a fake Fortune 100 careers page

Alex is a college senior. He is already logged into his school portal in one browser tab. In another tab, he opens a job post: “Big Brand — analyst role, fast track.

The site asks him to “confirm your profile” on what looks like the real company careers page. He clicks.

He does not know the page is a trap. The real login screen is hidden inside an invisible frame on a scam site. That trick is called clickjacking. The company’s website scored 45% on security headers — the same floor shared by 95 other S&P 100 domains in this audit, including several trillion-dollar brands missing strong HSTS, CSP, and frame blocking.

Alex thinks he is on the real site. He is really interacting with a layer the attacker controls. If he had been logged into the company’s vendor portal in another tab, the same trick could hijack that session.

No phishing email was needed. The attack lived on the website, not in the inbox.

Attack vectors in this story: clickjacking · session risks (missing HSTS/CSP)

Simple fix: Add HSTS, Content-Security-Policy, and frame-ancestors / X-Frame-Options so login pages cannot be embedded on random sites.


How the stories connect

All four stories can hit one company with a weak audit score (near 38%):

StoryWho got hurtMain gap
Maria (supplier)Outside partnersFake mail from your domain
Jordan (employee)Inside staffFake password-reset mail
Priya (lawyer)Confidential data in transitIncoming mail not forced to stay encrypted
Alex (job seeker)Website visitorsLogin page can be framed by attackers

Together, that is not one bug — it is a pattern. Fixing it means better DNS (DMARC, MTA-STS), better website headers, and better office rules (call back before you wire).

Website stack highlights

A July 2026 passive website-stack check of S&P 100 domains found two public CMS signals worth calling out (most large brands hide versions behind CDNs/WAFs):

CompanyDomainWhat we found
Merckmerck.comWordPress core behind current — running 6.8.5 while wordpress.org lists 7.0.1
Pfizerpfizer.comDrupal major version behind — public site reports Drupal 10; current major release is Drupal 11

These are public hygiene signals, not proof of a breach. They sit alongside the email-auth gaps already scored above — another reason corporate domains remain attractive phishing and supply-chain targets.

Why This Matters

S&P 100 companies process payroll, benefits, investor communications, and supply-chain payments at national scale. A spoofable corporate domain is a direct path to business email compromise (BEC), fraudulent wire transfers, and credential phishing aimed at employees and customers.

Check any company’s posture at audit.emailmenow.com.

See also — national audits

Recommendations

  • Enforce DMARC (p=reject), strict SPF (-all), and DKIM on all outbound mail domains.
  • Publish MTA-STS in enforce mode and harden website security headers on primary and subsidiary domains.
  • Require verified call-back for wire and ACH changes initiated by email.
  • Benchmark subsidiary and acquisition domains separately — many index members operate multiple customer-facing brands.

Methodology: Primary corporate domains for S&P 100 constituents audited 2026-06-14 via audit.emailmenow.com.