State of Email Trust 2014

The State of Email Trust 2014

The State of Email Trust 2014

Inside this report
04 Key findings
05 The year in numbers
10 TrustScores for industries and specific companies
12 Agari’s methodology
14 How DMARC works

The State of Email Trust 2014

2

Executive summary
A big year for email threats
Email security improved somewhat in 2014, but most companies still haven’t implemented technology that
prevents cyber criminals from sending messages that appear to come from their domains — a failure that
leaves customers vulnerable to phishing attacks.
In 2014, cyber criminals’ primary target were customers of major banks, sending emails that looked like
they came from these institutions at a higher rate than any other industry.
In Q1 and Q2, the attacks focused on customers of the largest U.S. banks. Then, as these attacks tapered
off in Q3, email-spoofing attacks against the customers of Europe’s largest banks increased nearly fivefold.
These spikes illustrate the unpredictability and brute force of email forgers as they decide which industries
to target and when.
The payments industry, including credit-card and digital-wallet companies, saw a 23-fold increase in
malicious email attacks against its customers between the second and fourth quarters of last year.
These emails trick people into sharing sensitive information with hackers, leading to identity theft and
other crimes. Because victims of phishing attacks often blame the companies they thought sent the forged
emails, the attacks also erode the trust companies spend years building with customers.
Progress on the security side has been steady but slow. The use of the three major email authentication
standards (SPF, DKIM and DMARC) crept upward. At the beginning of 2014, seven companies had perfect
TrustScores, indicating full implementation of DMARC best practices. By the end of the year, 13 had earned
a perfect mark. That’s good news for those companies (and their customers), but it’s concerning these
standards aren’t more widely adopted.
These and other findings come from the Agari TrustIndex, an exclusive research study based on analysis of
more than 6.5 billion emails each day throughout 2014.

The State of Email Trust 2014

3

Key findings

Toxic emails from your healthinsurance provider, counterfeits
from your bank

Hackers play hide and seek

The companies you trust may
be vulnerable

Overall, an email that appears to come from a
healthcare company is 4 times more likely to be
fraudulent than an email purportedly from a
social-media company like Facebook.

Email phishers and spammers tend to attack
industries and their customers in swarms, moving
from one sector to the next with little predictability.
Hackers know the value of surprise.

Many well-known brands haven’t implemented
basic measures to prevent email spoofing.
As DMARC usage continues to rise in 2015,
companies that fail to adopt it will become
more appealing targets.

Nearly 30% of healthcare
companies surveyed received a

Banks, payment companies,
airlines, etailers:

TrustScore of zero.

nobody is safe
from attacks

The State of Email Trust 2014

More than 75% of all
companies surveyed are

at risk
of email spoofing.

4

The year in numbers
What is the biggest threat to your inbox?
AVERAGE TRUSTSCORE PER SECTOR IN 2014
Healthcare
An email “from” your
health insurance company
is 4x more likely to be
fraudulent than an email
purportedly from a social
media company.

17

33

Large Banks

Mega Banks

An email “from” a
large American bank
is 2x more likely to be
fraudulent than an email
purportedly from a social
media company.

An email “from” an
American mega bank
is 1.5x more likely to
fraudulent than an email
purportedly from a social
media company.

36

Logistics

37

42

46

Payments

47

50

Social

63

LOW
TRUSTSCORE

67
HIGH
TRUSTSCORE

European Banks

Though most of the largest
email providers have enabled
DMARC, only 13 of the 147
companies surveyed had
perfect TrustScores in 2014.
Most industries have done little
to protect their customers from
malicious emailers.
The State of Email Trust 2014

Airlines
Airlines and large
American banks had the
worst levels of DMARC
implementation by the
end of 2014, meaning it
is relatively risky to open
an email that comes from
most airlines or most
major U.S. banks.

6.5 billion emails
analyzed daily

Travel

Retail

Etailers

TrustScore
The TrustScore measures a company’s implementation
of three important email security protocols: SPF, DKIM
and DMARC. Companies scoring greater than 50 have
at least some level of DMARC implementation.

5

KEY FINDING #1

Toxic emails from your health-insurance
provider, counterfeits from your bank
The companies with your most personal data are behind in
protecting against forged email messages
Healthcare Companies
Despite a spate of worrisome healthcare cybersecurity news last year, the
healthcare industry had the worst average TrustScore of the 11 industries
surveyed, with four of the 14 such companies surveyed scoring zero.

Nearly 30% of healthcare
companies surveyed received
a TrustScore of zero.

Banks
Email attackers aimed their sights at banks and other financial institutions
more than any other type of company in 2014. The banks surveyed tended to
have a low average TrustScore.
European banks, whose customers are some of malicious emailers’ most
common targets, fared especially poorly, with the second-lowest average
TrustScore (33) of the industries surveyed for this report.
The 14 largest U.S. banks by assets, or mega banks, only scored an average
46 out of a possible 100 points. Other large U.S. banks averaged a 36.

The Exceptions
One healthcare company was an exception. Aetna earned a perfect
100 TrustScore in Q3 and stayed there in Q4, remarkable for a
company in any sector.
Two banks, Chase and Capital One, received a 100 TrustScore
throughout the entire year.

The State of Email Trust 2014

6

KEY FINDING #2

Hackers play hide and seek
Email phishers and spammers spoof industries in swarms.
They move from one sector to the next with little predictability.
Companies don’t know when attacks will happen, but when they come,
they may well be tsunamis. In 2014, every industry Agari surveyed, with the
exception of social media, had at least one quarter when spammers and
phishers spoofed their domains much more than average. A ThreatScore
measures the amount of fraudulent email sent using a company’s domain.
Customers of American mega banks faced an onslaught of email attacks in Q1,
forcing that industry’s average ThreatScore up to 17, the highest of all sectors
that quarter. In Q2, they again had the highest average ThreatScore (15). But
then in Q3 the number of email attacks against their customers suddenly
dropped, and the industry’s average ThreatScore fell to 1, demonstrating
cyberattackers’ unpredictability.
A similar pattern held for the payments industry, which had a ThreatScore
under 2 until Q3 and Q4, when the number jumped to 23 and 39, respectively,
making payments customers almost 13x more likely to be attacked by
malicious emailers in Q4 than the second-most attacked industry.
European banks saw their ThreatScore rise from 2 in Q1 to 30 in Q3 and
then back down in Q4 to 3, demonstrating again the unpredictability of
the cyberattacks.

The State of Email Trust 2014

Q1 RELATIVE EMAIL RISK BY INDUSTRY
American mega banks

18
3

European banks

Q3 RELATIVE EMAIL RISK BY INDUSTRY
1

American mega banks

31

European banks

!

ThreatScore
The ThreatScore measures the amount of spam
and potentially malicious email sent to consumers
fraudulently using a company’s domain. Agari analyzes
millions of messages per company per quarter.

7

KEY FINDING #3

The companies you trust
may be vulnerable
Companies slow to implement DMARC are likely
to be spoofing targets as they fall behind
A high TrustScore means a company has implemented security measures that
make it difficult for cyber criminals to send emails that appear to come from
its domain.
The TrustScore is based on a company’s progress implementing the three major
email security protocols: SPF, DKIM and DMARC. DMARC is the newest of these
protocols, protecting a domain from being spoofed and taken over by hackers.
In most sectors, there was slow but steady growth in DMARC implementation.
In addition, the adoption of DMARC by major email providers indicates that
the protocol is becoming their standard for protecting users from spam and
phishing attacks.
In 2015, companies that fail to implement DMARC will become easy spoofing
targets and attackers and will try to exploit their weakness.

Customers of more
than 75% of all
companies surveyed
are at high risk of
malicious email
attacks.

The average TrustScore
across all 147 companies
analyzed increased from
41 to 45 in 2014.
• 52 companies, or 35%, had a TrustScore of
51 or higher by Q4, meaning they have at
least average email security
• 34 companies, or 25%, had a TrustScore
of 75 or higher by Q4 meaning they have
strong email security
• 13 companies, or less than 10%, had a
perfect 100 TrustScore in Q4

Companies with 100 TrustScores in Q4 2014

Mega banks: Chase, Capital One Etailer: Newegg, Netflix Social: Facebook, Twitter, Instagram,
Pinterest B2B: Docusign Logistics: UPS, Fedex Healthcare: Aetna Payments: Western Union
The State of Email Trust 2014

8

DMARC is the new standard
Over 80% of U.S. consumer inboxes
are DMARC enabled, thanks to DMARC
implementation by companies like Google,
Yahoo! and Microsoft.

At the end of the year, the
top three sectors for DMARC
implementation were:
• Social

Worldwide, over 70% of consumer email inboxes — that’s 2.5 billion inboxes
— allow senders to use DMARC verification. DMARC guarantees that a user’s
inbox will reject all emails it detects from spoofers, rather than just sending the
message to spam or letting it through.
Unsurprisingly, internet giants in the social and etail sectors seem to have an
especially strong grasp of email’s inherent vulnerability, and they’ve taken more
steps than others to prevent email attacks against their customers.
In social, Facebook and Twitter have especially high scores for their
implementation of DMARC best practices. In retail, Netflix, Newegg and
Amazon score high. Also, a few leading logistics companies (UPS, FedEx and
DHL) have made DMARC integral to their customer-facing email systems,
boosting their overall TrustScores higher than average.

The State of Email Trust 2014

• Logistics
• U.S. Mega Banks

The lowest scoring
sectors were:
• Airlines
• Healthcare
• Traditional Retail
• Travel
• Large U.S. Banks & European Banks

9

Industry TrustScore rankings
Safe
(TrustScore > 75)

At Risk
(50 < TrustScore < 75)

Aetna

Booking.com

Facebook

Instagram

Newegg.com

UPS

Amazon

Capital One

Fedex

Visa

Classmates

Flixter

JP Morgan
Chase

Paypal

American
Express

Sainsburys

Vista Print

Shutterfly

Western Union

Apple
Ancestry.com

DHL

Jetblue

Overstock

Sun Trust

Bank of
America

Discover

John Lewis

Pinterest

Svenska Bank

Etsy

Kayak

Priceline

Target

Fanatics

KBC Bank

Ratuken.com

Tesco

Flickr

Key Bank

Rental Cars

Travelocity

Gap

Macys

SalesForce.com

Travelzoo

GreenDot

MySpace

Sony

Trip Advisor

Hotels.com

Northern Trust

StumbleUpon

US Bank

AirTran

Cigna

Market America

Shop Direct

United Airlines

Ally Bank

Citizens Bank

HCA
Healthcare

Marriott

SKY/SKY Bet

Mastercard

SkyWest

United
Healthcare

Moneygram

Square

Office Depot

Staples

Office Max

State Street
Corporation

Best Buy
BMO Harris
Box

American
Airlines
Anthem Blue
Cross
Bank of the
West
BB&T Bank
BNY Mellon
BookingBuddy
Braintree
CDW
Centura Health
CheapOair

The State of Email Trust 2014

Netflix

Groupon

Costco

(TrustScore < 50)

Google+

DocuSign

Citi Bank

Vulnerable

Delta Airlines

LinkedIn

Comerica
Community
Health System
Dell
Deutsche Bank
DeviantArt
Dwolla
Expedia
Fifth Third
Bank
Gilt Group
Grainger

Health South
Healthcare
Service Corp
Hilton
Hotwire
HSBC Bank
Humana
Kaiser
Permanente

OnTrac
Peapod
PNC Bank
Pods

Twitter

Stripe
Svcs
Tagged
TD Bank

Kindred
Healthcare

Royal Bank of
Scotland

Ladbrokes

Schroders

Uhaul

Last.fm

Sears

Union Bank

TNT Express

US Postal
Service
Virgin America
Wells Fargo
Wayfair
William Hill
Wonga.com

Universal
Health
US Airways
Walmart
Wealthfront
WellPoint
WePay
Xero
Zuora

10

Industry ranking
Listed in order from the highest scoring industries to the lowest

21%

20%
40%

50%
29%

13%
25%
27%

25%

40%

Social

Etailers

50%

60%

Payments

Logistics

7%

7%
25%

36%

43%

62%

50%

50%

13%

93%

14%

Mega Banks

Airlines

25%

Travel

25%

38%

40%

54%

Healthcare

Safe (TrustScore > 75)
62%
75%

75%

At Risk (50 < TrustScore < 75)

6%

Retail

The State of Email Trust 2014

Large Banks

European Banks

Vulnerable (TrustScore < 50)

11

About the state of Email Trust 2014
Calculating the
TrustScore:
Agari looks at the use of email authentication standards,
including SPF, DKIM, and DMARC, by each company in this
report. Only companies that implement all three standards
with some level of success can achieve scores in the highest
tiers. Of the three security protocols, most weight is given
to DMARC, the newest and most secure of the protocols.
Companies with DMARC policies that prohibit all potentially
fraudulent messages from reaching even a user’s spam folder
and companies with DMARC procedures that send thorough
spam and phishing reports to their email administrators score
the highest.

The State of Email Trust 2014

!

Calculating the
ThreatScore:

Agari calculates the volume of spam and other malicious
email fraudulently sent using a company’s domain names
and compares these data with that of other companies in
the dataset. The data analyzed comes from millions of
email messages.

12

The TrustScore measures these
security protocols
SPF

DMARC

SPF is an email authentication standard
that lets companies decide which
servers are allowed to send emails
using their domain, the name that
appears in a company’s dot com
address. When someone receives an
email sent with SPF, that person’s email
provider then retrieves a list of the
servers authorized to send email from
the purported sender’s domain. If the
email message is indeed from a server
on that list, the message is authentic.

DMARC adds an extra layer of
security on top of SPF and DKIM.
Companies that employ DMARC
publish a document (the DMARC
record) on their servers that email
service providers query whenever a
user receives a message purportedly
from that company. The DMARC
record instructs email providers
to send suspicious messages to a
receiver’s spam folder or to reject
them outright, which is the safest
thing to do.

DKIM
DKIM is a more complete email
authentication standard, offering
improved sender verification. Using
DKIM, companies inserting encrypted
signatures into their email messages.
Receivers then unlock these
signatures by looking up decryption
keys kept on the legitimate company’s
domain name server (DNS). DKIM
provides a reliable, domain-level
identifier that can survive email
forwarding (unlike SPF).

The State of Email Trust 2014

sent using a company’s domain
— information about where these
messages originate and where they
end up — to that company’s email
administrators. This helps companies
locate the source of fraudulent
messages and stop them.

DMARC, also, is also the only way for
a company to find out what happens
to every single email sent using its
domain name. Because emails may
originate from different departments
within a company or from third-party
senders, such as external marketers
and HR service providers, domainlevel tracking can be difficult.
Using DMARC, the receiver’s
email provider forwards detailed
information about all the emails

13

Preventing forgery: How SPF,
DKIM and DMARC work
Fred has an email account with Gmail.
1. An email that appears to come from acmewidget.com is sent to Fred’s

Acmewidget.com

Service Provider:
Gmail

Gmail account.

2. B
 efore putting the message in Fred’s inbox, Gmail looks to authenticate
it by checking against acmewidget.com’s SPF and DKIM records.
(SPF and DKIM are two different and complementary approaches to
authentication) Gmail finds that the email does NOT authenticate.

3. N
 ow Gmail turns to acmewidget.com’s published DMARC policy to
determine what to do next. A DMARC policy can dictate that the mail
provider take no action, quarantine the message, or reject it outright.

Do SPF or DKIM prove this message was sent by acmewidget.com?

Yes

No

Email delivered

P = No action

Check published DMARC policy

4. A
 cmewidget collects aggregate data on DMARC requests and results.
Reviewing these data helps the company when and how its domain is
being misused by spammers.

P = Quarantine

P = Reject

Gmail sends a daily report of passes and failures to acmewidget.com

The State of Email Trust 2014

14