of 15

State of Email Security, 2015

Published on May 2016 | Categories: Types, Presentations | Downloads: 7 | Comments: 0
108 views

Agari's Trust Index, detailing the state of email security among top-level private companies.

Comments

Content

State of Email Security, 2015
Agari TrustIndex

What’s in this report?
04 2014 Key findings
05 2014: The year in numbers
10 TrustScores for industries and specific companies
13 Agari’s methodology
15 How DMARC works

Agari TrustIndex

2

Executive Summary
2014 was a big year for threats in the email forgery world.
The major banks of Europe and the United States saw critical levels of phishing and spam attacks against
their customers from January through September 2014 as hackers turned their attention first to banks in
the U.S. and then to banks in Europe.
In Q1 and Q2, malicious email attacks against the largest U.S. banks spiked at levels higher than in any
other industry, but just as these attacks tapered off in Q3, email spoofing attacks against the customers of
Europe’s largest banks increased nearly fivefold. These spikes indicate the unpredictability and brute force
of email forgers as they decide which industries to target and when.
Furthermore, the payments industry (including credit card and digital wallet companies) saw a 23-fold
increase in malicious e-mail attacks against its customers between the second and fourth quarters of last
year. The number of forged emails purporting to be from legitimate travel-industry websites more than
doubled between Q2 and Q3.
Driven by the increasingly active threats landscape, progress on the security side has been steady but slow.
The use of the three major anti-forgery standards (SPF, DKIM and DMARC) crept upward. At the beginning
of 2014, seven companies earned perfect TrustScores, including 100 percent implementation of DMARC
best practices. By the end of the year, 13 had achieved a perfect mark. It’s good news for those companies
(and their customers), but bad news the adoption of these standards is not more wide spread.
These and other findings come from the Agari TrustIndex, an exclusive research study based on analysis of
more than 6.5 billion emails each day throughout 2014.

Agari TrustIndex

3

2014 Key Findings
Toxic emails from your health
insurance, counterfeits from
your bank

Hackers play hide and seek

The companies you trust may
not deserve it

Overall, an email that appears to come from your
health insurance company is 17 times more likely
to be fraudulent than an email purportedly from
a social media company like Facebook.

Email phishers and spammers tend to attack
industries in swarms, moving from one sector to
the next with little predictability. Hackers know
the value of surprise.

Some well-known brands have, so far, not
implemented basic measures to prevent email
spoofing. As DMARC usage continues to rise in
2015, companies that fail to keep up with industry
standards will become more appealing targets.

FPO

Nearly 50% of major health
insurance companies surveyed

scored zero
in our trust rankings.

Agari TrustIndex

Banks, payment companies,
Airlines, etailers;

nobody is safe
from attacks

Customers of more than 2/3
of all companies surveyed are at

high risk
of malicious email attacks.

4

2014: The year in numbers
What is the biggest threat to your inbox?
AVERAGE TRUSTSCORE PER SECTOR, 2014
Health Care
An email “from” your
health insurance company
is 4x more likely to be
fraudulent than an email
purportedly from a social
media company.

17

33

An email “from” a
large American bank
is 2x more likely to be
fraudulent than an email
purportedly from a social
media company.

36

Mega Banks
(Europe)

Though most of the largest
email providers have enabled
DMARC, only 13 of the 147
companies surveyed had
perfect TrustScores in 2014.
Most industries have done little
to protect their customers from
malicious emailers.
Agari TrustIndex

Mega Bank

Large Banks

37

Logistics

42

Airlines
Airlines and large
American banks had the
worst levels of DMARC
implementation by the
end of 2014, meaning it
is relatively risky to open
an email that comes from
most airlines or most
major U.S. banks.

6.5 billion emails
analyzed daily TK

An email “from” an
American megabank
is 1.5x more likely to
fraudulent than an email
purportedly from a social
media company.

46
Travel

Companies with
51+ have some
level of DMARC

Payments

47

50

Retail

Social

63

67

Etailer

TrustScore
The TrustScore measures a company’s implementation
of three important email security protocols: SPF, DKIM
and DMARC. Companies scoring greater than 50 have
at least some level of DMARC implementation.

5

KEY FINDING #1

Toxic emails from your health insurance
company, counterfeits from your bank
The companies with your most personal data are behind
in protecting against forged email messages
Health Insurance Companies
Despite a spate of worrisome health care cybersecurity news last year, the
healthcare industry had the worst average TrustScore of every industry
surveyed, with six of the 14 major health insurance companies surveyed
scoring zero.

Nearly 50% of major health
insurance companies surveyed
scored zero in our trust rankings.

Banks
Email attackers consistently aimed their sights at banks and other financial
institutions more than at any other type of company in 2014, yet every
category of bank surveyed had a low average TrustScore.
European Megabanks, whose customers are some of malicious e-mailers’ most
common targets, fared especially poorly, with the second-lowest TrustScore
(33) of the 11 industries surveyed for this report.
Large American banks (smaller than megabanks but nevertheless large
financial houses serving millions of customers malicious e-mailers TK) had the
third-lowest TrustScore (36), and American megabanks scored only 46, out of
a possible 100 points.

Agari TrustIndex

The Exceptions
One health insurance company was an exception. Aetna scored
a 100 TrustScore in Q3 and stayed there in Q4, remarkable for a
company in any sector.
Two banks were exceptions: Chase and Capital One, two American
megabanks. They both earned a 100 TrustScore through the entire
year.

6

KEY FINDING #2

Hackers play hide and seek
Email phishers and spammers attack industries in swarms,
moving from one sector to the next with little predictability.
Companies don’t know when attacks will happen, but when they come,
they may well be tsunamis. In 2014, every industry Agari surveyed, with the
exception of social media, had at least one quarter when spammers and
phishers spoofed their domains more than average.
Customers of American megabanks faced an onslaught of e-mail attacks in
Q1, forcing that industry’s average ThreatScore up to 17.32, the highest of all
sectors that quarter. Again in Q2, they had the highest average ThreatScore
(15.27). But then in Q3 the number of email attacks against their customers
suddenly dropped, and the industry’s average ThreatScore fell to only 0.66,
demonstrating cyberattackers’ unpredictability.
A similar pattern held for the payments industry, which consistently had a
middling average ThreatScore until Q2 and Q3, when the number jumped into
double digits, to 23.41 and 39.46, respectively, making payments customers
almost 13x more likely to be attacked by malicious emailers in Q4 than the
second-most attacked industry.
European megabanks, whose ThreatScore was ranked #1 or #2 through the
entire year, rose from 2.12 in Q1 to 30.49 in Q3 and then back down in Q4 to
2.95, demonstrating again the unpredictability of the cyberattacks.

Agari TrustIndex

Q1 EMAIL ATTACKS BY INDUSTRY
American megabanks

17.32

European megabanks

2.12

Q3 EMAIL ATTACKS BY INDUSTRY
American megabanks

0.66

European megabanks

30.49

!

ThreatScore
The ThreatScore measures the amount of spam and
other malicious email sent to consumers fraudulently
using a company’s domain. Agari analyzes millions of
messages per company per quarter.

7

KEY FINDING #3

The companies you trust
may not deserve it
Companies slow to implement DMARC are likely
to be targeted more as they fall behind
A high TrustScore means a company takes email security seriously and that it’s
generally safe to open a message that seems to come from them.
The TrustScore is based on a company’s progress implementing the three three
major email security protocols: SPF, DKIM and DMARC. SPF and DKIM have
been around for a while and have been largely adopted by most companies in all
industries. DMARC is the newest protocol and covers a new dimension in email
security by protecting a domain from being spoofed and taken over by hackers.
In most sectors, there was slow but overall steady improvement in DMARC
implementation. In addition, the adoption of DMARC by major email service
providers indicates that the protocol is becoming their standard for protecting
users from spam and phishing attacks.
In 2015, companies that are slow to implement DMARC will become easy
targets to attackers as they will try to exploit this weakness.

Customers of more
than 2/3 of all
companies surveyed
are at high risk of
malicious email
attacks.

The average TrustScore
of all sectors combined
increased from 40.96 to
45.29 in 2014.
• 50 of the 147 companies analyzed had
a TrustScore of 51 or higher by Q4 2014
showing that only 30% of companies have
average email security in place
• 34 companies had a TrustScore of 75 or
higher by Q4 showing that only 25% of
companies have strong email secuirty
• 13 companies had a perfect 100 TrustScore
showing that less than 10% of companies
have implemented strong email security

Companies with 100 TrustScores in Q4 2014

Megabanks: Chase, Capital One Etailer: Newegg, Netflix Social: Facebook, Twitter, Instagram,
Pinterest Misc: Docusign Logistics: UPS, Fedex Healthcare: Aetna Payments: Western Union
Agari TrustIndex

8

DMARC is the new standard
As of TKTK, 85% of U.S. email inboxes
are DMARC enabled, thanks to DMARC
implementation by companies like Google,
Yahoo! and Microsoft.
Worldwide, 70 percent of email inboxes — that’s 2.5 billion inboxes — allow
senders to use DMARC verification. DMARC guarantees that a user’s inbox will
reject all emails it detects from spoofers, rather than just sending the message
to spam or letting it through.

At the end of the year, the
top three sectors for DMARC
implementation were:
• Social
• Logistics
• U.S. Megabanks

Unsurprisingly, Internet giants in the social and etailer sectors seem to have
an especially strong grasp of e-mail’s inherent vulnerability, and they’ve taken
more steps than others to prevent e-mail attacks against their customers.

The lowest scoring sectors
were:

In social, Facebook and Twitter have especially high DMARC scores. In
retail, Netflix, Newegg and Amazon score high. Also, a few leading logistics
companies (UPS, FedEx and DHL) have made DMARC integral to their
customer-facing e-mail systems, boosting their overall TrustScore higher
than average.

• Airlines (TK - out of what, MAX)
• Health Care, Traditional Retail (tie)
• Travel, Large U.S. Banks,
European Megabanks (tie)

The U.S. megabank industry was the only financial sector to rank among the
top three industries for DMARC implementation in 2014, reaching an average
DMARC rating score of 20 (out of what max TK) in Q4.

Agari TrustIndex

9

Industry TrustScore Rankings
Social
Security
Rockstars

Under
Construction

Etailers
Easy
Targets

Security
Rockstars

Under
Construction

Easy
Targets

Facebook

Classmates

deviantArt

Amazon

Ancestry.com

Fanatics

Google+

Flickr

Last.fm

Groupon

Etsy

Gilt Groupe
Market America

LinkedIn

Flixster

Myspace

Netflix

Overstock

Twitter

Instagram

Pinterest

Newegg.com

Shutterfly

Peapod

VistaPrint

Rakuten.com

StumbleUpon
Tagged

29%

29%

43%

Wayfair

27%

Payments

33%

40%

Retail

Security
Rockstars

Under
Construction

Easy
Targets

American

GreenDot

Braintree

Security
Rockstars
Apple

Under
Construction
Target

Easy
Targets
Best Buy

Express

Discover

CDW

PayPal

Dwolla

Costco

Visa

MasterCard

Dell

Western Union

Moneygram

GAP

Square

Grainger

Stripe

Macys

Wealthfront

Office Depot

WePay

Officemax

Zuora

Sears

87%

Staples

Sony

7%

7%

Walmart

7%

Agari TrustIndex

7%

87%

10

Industry TrustScore Rankings
Mega Banks
Security
Rockstars

Under
Construction

Travel
Easy
Targets

Capital One
JPMorgan Chase
US Bank

Bank of
America
SunTrust
Wells Fargo

Ally Bank
BB&T Bank
BNY Mellon
CitiBank
HSBC Bank
PNC Bank
State Street
TD Bank

21%

21%

57%

Security
Rockstars

Under
Construction

Kayak
Priceline
Travelzoo

BookingBuddy
CheapOair
Expedia
Hilton
Hotels.com
Hotwire
Marriott
Orbitz
Travelocity
TripAdvisor

7%

21%

71%

Airlines
Easy
Targets

FedEx
UPS

US Postal Service

DHL
OnTrac
Pods
TNT Express
Uhaul

25%

13%

63%

Agari TrustIndex

Easy
Targets

Booking.com

Logistics
Security
Rockstars

Under
Construction

Security
Rockstars

Under
Construction

Easy
Targets

Delta Airlines

None

AirTran
American
Airlines
Jet Blue
SkyWest
United Airlines
US Airways
Virgin America

13%

0%

88%

11

Industry TrustScore Rankings
Large Banks
Security
Rockstars

Under
Construction

Mega Banks (Europe)
Easy
Targets

Security
Rockstars

Under
Construction

Easy
Targets

None

None

Fifth Third Bank
Bank of the West
Citizens Bank
Comerica
Northern Trust
BMO Harris
Bank
Key Bank
Union Bank

Booking.com

Kayak
Priceline
Travelzoo

Barclays
Deutsche Bank
Lloyds
Royal Bank of
Scotland
Santander
Svenska Bank
Tesco
Virgin Money

0%

0%

100%

0%

0%

100%

Health Care
Security
Rockstars

Under
Construction

Easy
Targets

None

Aetna

Anthem Blue Cross
Centura Health
Cigna
CHS
HCA Healthcare
HCSC
Health South
Humana
Kaiser Permanente
Kindred Healthcare
United Healthcare

0%

7%

93%

Agari TrustIndex

12

About the email TrustIndex
To derive the
TrustScore:
Agari looks at the highest volume email domains used by the
companies in this report and then analyzes their use of email
authentication standards, including SPF, DKIM, and DMARC.
Only companies that implement all three standards with some
level of success can achieve scores in the highest tiers.

!

To derive the
ThreatScore:

Agari calculates the volume of spam and other malicious
email fraudulently sent using a company’s domain names
and compares this data with that of other companies in the
dataset. The data analyzed comes from millions of email
messages.

Of the three security protocols, most weight is given to
DMARC, the newest and securest of the protocols. Companies
with DMARC policies that prohibit all potentially fraudulent
messages from reaching even a user’s spam folder and
companies with DMARC procedures that send thorough spam
and phishing reports to their email administrators score the
highest.

Agari TrustIndex

13

The TrustScore measures these
security protocols
SPF

DMARC

SPF is an email authentication standard
that lets companies decide which
servers are allowed to send emails using
their domain, the name that appears in
a company’s dot com address. When
someone receives an e-mail sent with
SPF, that person’s e-mail provider then
retrieves a list of the servers authorized
to send email from the purported
sender’s domain. If the email message
is indeed from a server on that list, the
message is authentic.

DMARC adds an extra layer of
security on top of SPF and DKIM.
Companies that employ DMARC
publish a document (the DMARC
record) on their servers that e-mail
service providers query whenever a
user receives a message purportedly
from that company. The DMARC
record instructs e-mail providers
to send suspicious messages to a
receiver’s spam folder or to reject
them outright, which is the safest
thing to do.

DKIM
DKIM is a more complete email
authentication standard, offering
improved sender verification. Using
DKIM, companies inserting encrypted
signatures into their email messages.
Receivers then unlock these
signatures by looking up decryption
keys kept on the legitimate company’s
domain name server (DNS). DKIM
provides a reliable, domain-level
identifier that can survive email
forwarding (unlike SPF).

Agari TrustIndex

sent using a company’s domain
— information about where these
messages originate and where they
end up — to that company’s email
administrators. This helps companies
locate the source of fraudulent
messages and stop them.

DMARC, also, is also the only way for
a company to find out what happens
to every single email sent using its
domain name. Because emails may
originate from different departments
within a company or from third-party
senders, such as external marketers
and HR service providers, domainlevel tracking can be difficult.
Using DMARC, the receiver’s
e-mail provider forwards detailed
information about all the emails

14

Preventing forgery: How SPF,
DKIM and DMARC work
Fred has an email account with Freemail, a (fictitious) big free email provider
(like Yahoo or Gmail): [email protected]
1. An email addressed to Fred’s account arrives at Freemail, purportedly sent
from acmewidget.com.
2. Before putting the message in Fred’s inbox, Freemail looks to authenticate it
by checking against acmewidget.com’s SPF and DKIM records. (SPF and DKIM
are two different and complementary approaches to authentication - see p.X.)
The provider finds that the email does NOT authenticate.
3. Now the provider turns to acmewidget.com’s published DMARC policy to
determine what to do next.
A DMARC policy can dictate that the mail provider take no action, quarantine
the message, or reject it outright.
4. Acmewidget collects aggregate data on DMARC requests and results.
Reviewing this data helps the company when and how its domain is being
misused by spammers.

Agari TrustIndex

15

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close