The State of Email Trust 2014
Inside this report
04 Key findings
05 The year in numbers
10 TrustScores for industries and specific companies
12 Agari’s methodology
14 How DMARC works
Executive summary
A big year for email threats
Email security improved somewhat in 2014, but most companies still haven’t implemented technology that prevents cyber criminals from sending messages that appear to come from their domains — a failure that leaves customers vulnerable to phishing attacks.
In 2014, cyber criminals’ primary targets were the customers of major banks; attackers sent emails that looked like they came from these institutions at a higher rate than for any other industry.
In Q1 and Q2, the attacks focused on customers of the largest U.S. banks. Then, as these attacks tapered off in Q3, email-spoofing attacks against the customers of Europe’s largest banks increased nearly fivefold. These spikes illustrate the unpredictability and brute force of email forgers as they decide which industries to target and when.
The payments industry, including credit-card and digital-wallet companies, saw a 23-fold increase in malicious email attacks against its customers between the second and fourth quarters of last year.
These emails trick people into sharing sensitive information with hackers, leading to identity theft and other crimes. Because victims of phishing attacks often blame the companies they thought sent the forged emails, the attacks also erode the trust companies spend years building with customers.
Progress on the security side has been steady but slow. The use of the three major email authentication standards (SPF, DKIM and DMARC) crept upward. At the beginning of 2014, seven companies had perfect TrustScores, indicating full implementation of DMARC best practices. By the end of the year, 13 had earned a perfect mark. That’s good news for those companies (and their customers), but it’s concerning that these standards aren’t more widely adopted.
These and other findings come from the Agari TrustIndex, an exclusive research study based on analysis of more than 6.5 billion emails each day throughout 2014.
Key findings

Toxic emails from your health-insurance provider, counterfeits from your bank
Overall, an email that appears to come from a healthcare company is 4 times more likely to be fraudulent than an email purportedly from a social-media company like Facebook.
Nearly 30% of healthcare companies surveyed received a TrustScore of zero.

Hackers play hide and seek
Email phishers and spammers tend to attack industries and their customers in swarms, moving from one sector to the next with little predictability. Hackers know the value of surprise.
Banks, payment companies, airlines, etailers: nobody is safe from attacks.

The companies you trust may be vulnerable
Many well-known brands haven’t implemented basic measures to prevent email spoofing. As DMARC usage continues to rise in 2015, companies that fail to adopt it will become more appealing targets.
More than 75% of all companies surveyed are at risk of email spoofing.
The year in numbers
What is the biggest threat to your inbox?

[Chart: average TrustScore per sector in 2014, on a scale from low TrustScore to high TrustScore. Sectors shown: Healthcare, European Banks, Large Banks, Mega Banks, Logistics, Payments, Social, Airlines, Travel, Retail, Etailers. Values shown on the chart: 17, 33, 36, 37, 42, 46, 47, 50, 63, 67.]

Healthcare: An email “from” your health insurance company is 4x more likely to be fraudulent than an email purportedly from a social media company.
Large Banks: An email “from” a large American bank is 2x more likely to be fraudulent than an email purportedly from a social media company.
Mega Banks: An email “from” an American mega bank is 1.5x more likely to be fraudulent than an email purportedly from a social media company.
Though most of the largest email providers have enabled DMARC, only 13 of the 147 companies surveyed had perfect TrustScores in 2014. Most industries have done little to protect their customers from malicious emailers.
Airlines: Airlines and large American banks had the worst levels of DMARC implementation by the end of 2014, meaning it is relatively risky to open an email that comes from most airlines or most major U.S. banks.
6.5 billion emails analyzed daily.
TrustScore: The TrustScore measures a company’s implementation of three important email security protocols: SPF, DKIM and DMARC. Companies scoring greater than 50 have at least some level of DMARC implementation.
KEY FINDING #1
Toxic emails from your health-insurance provider, counterfeits from your bank
The companies with your most personal data are behind in protecting against forged email messages

Healthcare Companies
Despite a spate of worrisome healthcare cybersecurity news last year, the healthcare industry had the worst average TrustScore of the 11 industries surveyed, with four of the 14 such companies surveyed scoring zero. Nearly 30% of healthcare companies surveyed received a TrustScore of zero.

Banks
Email attackers aimed their sights at banks and other financial institutions more than any other type of company in 2014. The banks surveyed tended to have a low average TrustScore.
European banks, whose customers are some of malicious emailers’ most common targets, fared especially poorly, with the second-lowest average TrustScore (33) of the industries surveyed for this report.
The 14 largest U.S. banks by assets, or mega banks, only scored an average 46 out of a possible 100 points. Other large U.S. banks averaged a 36.

The Exceptions
One healthcare company was an exception. Aetna earned a perfect 100 TrustScore in Q3 and stayed there in Q4, remarkable for a company in any sector.
Two banks, Chase and Capital One, received a 100 TrustScore throughout the entire year.
KEY FINDING #2
Hackers play hide and seek
Email phishers and spammers spoof industries in swarms. They move from one sector to the next with little predictability.

Companies don’t know when attacks will happen, but when they come, they may well be tsunamis. In 2014, every industry Agari surveyed, with the exception of social media, had at least one quarter when spammers and phishers spoofed their domains much more than average. A ThreatScore measures the amount of fraudulent email sent using a company’s domain.
Customers of American mega banks faced an onslaught of email attacks in Q1, forcing that industry’s average ThreatScore up to 17, the highest of all sectors that quarter. In Q2, they again had the highest average ThreatScore (15). But then in Q3 the number of email attacks against their customers suddenly dropped, and the industry’s average ThreatScore fell to 1, demonstrating cyberattackers’ unpredictability.
A similar pattern held for the payments industry, which had a ThreatScore under 2 until Q3 and Q4, when the number jumped to 23 and 39, respectively, making payments customers almost 13x more likely to be attacked by malicious emailers in Q4 than the second-most attacked industry.
European banks saw their ThreatScore rise from 2 in Q1 to 30 in Q3 and then back down in Q4 to 3, demonstrating again the unpredictability of the cyberattacks.

[Chart: relative email risk by industry. Q1: American mega banks 18, European banks 3. Q3: American mega banks 1, European banks 31.]

ThreatScore: The ThreatScore measures the amount of spam and potentially malicious email sent to consumers fraudulently using a company’s domain. Agari analyzes millions of messages per company per quarter.
KEY FINDING #3
The companies you trust may be vulnerable
Companies slow to implement DMARC are likely to be spoofing targets as they fall behind

A high TrustScore means a company has implemented security measures that make it difficult for cyber criminals to send emails that appear to come from its domain.
The TrustScore is based on a company’s progress implementing the three major email security protocols: SPF, DKIM and DMARC. DMARC is the newest of these protocols, protecting a domain from being spoofed and taken over by hackers.
In most sectors, there was slow but steady growth in DMARC implementation. In addition, the adoption of DMARC by major email providers indicates that the protocol is becoming their standard for protecting users from spam and phishing attacks.
In 2015, companies that fail to implement DMARC will become easy spoofing targets, and attackers will try to exploit their weakness.

Customers of more than 75% of all companies surveyed are at high risk of malicious email attacks.
The average TrustScore across all 147 companies analyzed increased from 41 to 45 in 2014.
• 52 companies, or 35%, had a TrustScore of 51 or higher by Q4, meaning they have at least average email security
• 34 companies, or 25%, had a TrustScore of 75 or higher by Q4, meaning they have strong email security
• 13 companies, or less than 10%, had a perfect 100 TrustScore in Q4

Companies with 100 TrustScores in Q4 2014
Mega banks: Chase, Capital One
Etailer: Newegg, Netflix
Social: Facebook, Twitter, Instagram, Pinterest
B2B: Docusign
Logistics: UPS, Fedex
Healthcare: Aetna
Payments: Western Union
DMARC is the new standard
Over 80% of U.S. consumer inboxes are DMARC enabled, thanks to DMARC implementation by companies like Google, Yahoo! and Microsoft.

Worldwide, over 70% of consumer email inboxes — that’s 2.5 billion inboxes — allow senders to use DMARC verification. DMARC guarantees that a user’s inbox will reject all emails it detects from spoofers, rather than just sending the message to spam or letting it through.
Unsurprisingly, internet giants in the social and etail sectors seem to have an especially strong grasp of email’s inherent vulnerability, and they’ve taken more steps than others to prevent email attacks against their customers.
In social, Facebook and Twitter have especially high scores for their implementation of DMARC best practices. In retail, Netflix, Newegg and Amazon score high. Also, a few leading logistics companies (UPS, FedEx and DHL) have made DMARC integral to their customer-facing email systems, boosting their overall TrustScores higher than average.

At the end of the year, the top three sectors for DMARC implementation were:
• Social
• Logistics
• U.S. Mega Banks
The lowest scoring sectors were:
• Airlines
• Healthcare
• Traditional Retail
• Travel
• Large U.S. Banks & European Banks
Industry TrustScore rankings
[Table: the companies surveyed, grouped into three tiers: Safe (TrustScore > 75), At Risk (50 < TrustScore < 75) and Vulnerable (TrustScore < 50). Companies listed: Aetna, Booking.com, Facebook, Instagram, Newegg.com, UPS, Amazon, Capital One, Fedex, Visa, Classmates, Flixter, JP Morgan Chase, Paypal, American Express, Sainsburys, Vista Print, Shutterfly, Western Union, Apple, Ancestry.com, DHL, Jetblue, Overstock, Sun Trust, Bank of America, Discover, John Lewis, Pinterest, Svenska Bank, Etsy, Kayak, Priceline, Target, Fanatics, KBC Bank, Ratuken.com, Tesco, Flickr, Key Bank, Rental Cars, Travelocity, Gap, Macys, SalesForce.com, Travelzoo, GreenDot, MySpace, Sony, Trip Advisor, Hotels.com, Northern Trust, StumbleUpon, US Bank, AirTran, Cigna, Market America, Shop Direct, United Airlines, Ally Bank, Citizens Bank, HCA Healthcare, Marriott, SKY/SKY Bet, Mastercard, SkyWest, United Healthcare, Moneygram, Square, Office Depot, Staples, Office Max, State Street Corporation, Best Buy, BMO Harris, Box, American Airlines, Anthem Blue Cross, Bank of the West, BB&T Bank, BNY Mellon, BookingBuddy, Braintree, CDW, Centura Health, CheapOair, Netflix, Groupon, Costco, Google+, DocuSign, Citi Bank, Delta Airlines, LinkedIn, Comerica, Community Health System, Dell, Deutsche Bank, DeviantArt, Dwolla, Expedia, Fifth Third Bank, Gilt Group, Grainger, Health South, Healthcare Service Corp, Hilton, Hotwire, HSBC Bank, Humana, Kaiser Permanente, OnTrac, Peapod, PNC Bank, Pods, Twitter, Stripe, Tagged, TD Bank, Kindred Healthcare, Royal Bank of Scotland, Ladbrokes, Schroders, Uhaul, Last.fm, Sears, Union Bank, TNT Express, US Postal Service, Virgin America, Wells Fargo, Wayfair, William Hill, Wonga.com, Universal Health Svcs, US Airways, Walmart, Wealthfront, WellPoint, WePay, Xero, Zuora.]
Industry ranking
Listed in order from the highest scoring industries to the lowest
[Chart: for each industry, the percentage of companies that are Safe (TrustScore > 75), At Risk (50 < TrustScore < 75) and Vulnerable (TrustScore < 50). Industries listed: Social, Etailers, Payments, Logistics, Mega Banks, Airlines, Travel, Healthcare, Retail, Large Banks, European Banks.]
About The State of Email Trust 2014

Calculating the TrustScore:
Agari looks at the use of email authentication standards, including SPF, DKIM, and DMARC, by each company in this report. Only companies that implement all three standards with some level of success can achieve scores in the highest tiers. Of the three security protocols, most weight is given to DMARC, the newest and most secure of the protocols. Companies with DMARC policies that prohibit all potentially fraudulent messages from reaching even a user’s spam folder and companies with DMARC procedures that send thorough spam and phishing reports to their email administrators score the highest.

Calculating the ThreatScore:
Agari calculates the volume of spam and other malicious email fraudulently sent using a company’s domain names and compares these data with those of other companies in the dataset. The data analyzed comes from millions of email messages.
The TrustScore measures these security protocols

SPF
SPF is an email authentication standard that lets companies decide which servers are allowed to send emails using their domain, the name that appears in a company’s dot com address. When someone receives an email sent with SPF, that person’s email provider then retrieves a list of the servers authorized to send email from the purported sender’s domain. If the email message is indeed from a server on that list, the message is authentic.

DKIM
DKIM is a more complete email authentication standard, offering improved sender verification. Using DKIM, companies insert cryptographic signatures into their email messages. Receivers then verify these signatures by looking up the public keys kept on the legitimate company’s domain name server (DNS). DKIM provides a reliable, domain-level identifier that can survive email forwarding (unlike SPF).

DMARC
DMARC adds an extra layer of security on top of SPF and DKIM. Companies that employ DMARC publish a document (the DMARC record) on their servers that email service providers query whenever a user receives a message purportedly from that company. The DMARC record instructs email providers to send suspicious messages to a receiver’s spam folder or to reject them outright, which is the safest thing to do.
DMARC is also the only way for a company to find out what happens to every single email sent using its domain name. Because emails may originate from different departments within a company or from third-party senders, such as external marketers and HR service providers, domain-level tracking can be difficult. Using DMARC, the receiver’s email provider forwards detailed information about all the emails sent using a company’s domain — information about where these messages originate and where they end up — to that company’s email administrators. This helps companies locate the source of fraudulent messages and stop them.
Preventing forgery: How SPF, DKIM and DMARC work

Fred has an email account with Gmail.
1. An email that appears to come from acmewidget.com is sent to Fred’s Gmail account.
2. Before putting the message in Fred’s inbox, Gmail looks to authenticate it by checking against acmewidget.com’s SPF and DKIM records. (SPF and DKIM are two different and complementary approaches to authentication.) Gmail finds that the email does NOT authenticate.
3. Now Gmail turns to acmewidget.com’s published DMARC policy to determine what to do next. A DMARC policy can dictate that the mail provider take no action, quarantine the message, or reject it outright.
4. Acmewidget collects aggregate data on DMARC requests and results. Reviewing these data helps the company learn when and how its domain is being misused by spammers.

[Diagram: Acmewidget.com sends to Fred, whose service provider is Gmail. Do SPF or DKIM prove this message was sent by acmewidget.com? Yes: email delivered. No: check published DMARC policy, which is one of P = No action, P = Quarantine, P = Reject. Gmail sends a daily report of passes and failures to acmewidget.com.]
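The receiver-side decision in the four steps above, together with the record properties the "Calculating the TrustScore" section rewards (a policy of reject plus aggregate reporting), as an added worked example. This is illustration code written for this page, not Agari's or Gmail's implementation. DNS lookups are replaced by an in-memory dictionary of constructed records: acmewidget.com is the report's example domain, while the IP ranges, the weakbrand.example domain and the report address are made up, and the SPF evaluator models only the ip4 mechanism.

```python
"""Toy model of the SPF -> DKIM -> DMARC flow: authentication results
plus the published DMARC policy decide what happens to the message.
Added illustration, not the report's code; all records are constructed."""
import ipaddress
from typing import Optional

# Constructed stand-in for DNS TXT records; no real lookups are performed.
DNS_TXT = {
    # SPF: only 192.0.2.0/24 may send for acmewidget.com; "-all" fails everyone else
    "acmewidget.com": "v=spf1 ip4:192.0.2.0/24 -all",
    # Strong DMARC policy: reject unaligned mail and send aggregate reports (rua)
    "_dmarc.acmewidget.com": "v=DMARC1; p=reject; adkim=r; aspf=r; "
                             "rua=mailto:dmarc-reports@acmewidget.com",
    # Weak policy (constructed): monitoring only, so spoofed mail is still delivered
    "_dmarc.weakbrand.example": "v=DMARC1; p=none",
}


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' tag list (DMARC record syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def spf_result(mail_from_domain: str, sender_ip: str, dns=DNS_TXT) -> Optional[str]:
    """Simplified SPF: return the domain SPF authenticated, or None if it did not pass.
    Only the ip4 mechanism is modelled (no include/a/mx/redirect)."""
    record = dns.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return None
    ip = ipaddress.ip_address(sender_ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return mail_from_domain
    return None  # not listed: -all and ~all both count as "not pass" for DMARC


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain: str, spf_domain: Optional[str],
                      dkim_domain: Optional[str], dns=DNS_TXT) -> str:
    """Step 3 of the flow: apply the published policy to the SPF/DKIM outcomes."""
    record = dns.get(f"_dmarc.{from_domain}")
    if record is None:
        return "deliver (no DMARC record)"
    tags = parse_tags(record)
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:          # one aligned pass is enough for DMARC to pass
        return "deliver (DMARC pass)"
    return {"none": "deliver (p=none, report only)",
            "quarantine": "quarantine",
            "reject": "reject"}.get(tags.get("p", "none"), "deliver (unknown policy)")


def policy_gaps(record: str) -> list:
    """Flag what keeps a DMARC record out of the report's top tier."""
    tags = parse_tags(record)
    gaps = []
    if tags.get("p") != "reject":
        gaps.append("p=%s: spoofed mail is not rejected outright" % tags.get("p", "none"))
    if "rua" not in tags:
        gaps.append("no rua= address: the domain owner receives no aggregate reports")
    return gaps


if __name__ == "__main__":
    # Forged message to Fred: sender IP outside acmewidget.com's SPF, no valid DKIM signature
    print(dmarc_disposition("acmewidget.com", spf_result("acmewidget.com", "198.51.100.7"), None))
    # Genuine message from an authorized server with a valid signature
    print(dmarc_disposition("acmewidget.com", spf_result("acmewidget.com", "192.0.2.10"), "acmewidget.com"))
    # Forwarded genuine message: SPF fails at the forwarder, but the DKIM signature survives
    print(dmarc_disposition("acmewidget.com", None, "acmewidget.com"))
    print(policy_gaps(DNS_TXT["_dmarc.weakbrand.example"]))
```

The forwarding case is why the DKIM section above says DKIM survives forwarding while SPF does not: the forwarder's IP is not in the sender's SPF record, but the signature still verifies and aligns, so the message passes DMARC. The alignment check also matters for the forged case: an attacker can make SPF pass for a domain they control, but that pass is not aligned with the acmewidget.com From address and so does not help them under a reject policy.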