
122% Increase In Financial Services Cyberattacks During Q2

Up to 95% of data breaches start with a phishing email, according to the Agari Email TrustIndex Second Quarter 2013.

Fraudulent email attacks remain a high-level issue for corporations across all industries, with financial services leading the way when it comes to the increase in phishing attacks, according to a report from Agari, a provider of email security solutions.

The newly released Agari Email TrustIndex 2013 second quarter edition, from email security provider Agari, set out to identify which industries are the greatest targets and most vulnerable to these email scams. This quarterly study also shows which industries are improving in their security efforts.

In a phone interview, Pat Peterson, Agari's CEO, says the report shows just how poorly many industries are responding to the issues. "We've been ringing the alarm bells, journalists too, and while our report shows progress it's not as much as we'd expect given the size of the problem."

For instance, Agari's study shows the financial community has been under increased attack in the past quarter. The data shows consumers are 7 times more likely to be the victim of an email attack from their bank versus any other sector. According to the press release, "threat levels increased 122% in the last ninety days, the most dramatic increase of any sector."

"When it first came out that the amount of attacks on financial service brands was more than doubling in a short period we thought it must be an error," said Peterson. "But we went in and double checked the data, sure enough cybercriminals had increased their efforts. It was a big surprise."

Fortunately, the data also shows financial companies are aggressively embracing DMARC (Domain-based Message Authentication, Reporting and Conformance) to defend their email channels, a move Agari finds encouraging. Agari used the degree of DMARC adoption to measure the trust of these emails, presented as the Agari TrustScore. The Agari ThreatScore measures relative risk based on malicious activity and attempted attacks.

Agari reports that U.S. Bank and Capital One helped raise the sector's TrustIndex score by 7% this quarter, followed by American Express and PayPal. "A few laggards, however, prevented the sector's growth from reaching even higher heights," according to the release. "Large retail and institutional banks have not focused on email authentication, weighing down the industry's performance, and larger banks as well are still wrestling with the early steps to get to full DMARC enabled authentication."

As many security professionals know, malicious phishing emails can install destructive or security-breaching malware that records keystrokes or steals information. For those whose mailing lists are targeted by phishing schemers, the fragile threads of trust between firm and client become strained. This translates to lost business, and therefore remains a priority issue from both a security and marketing standpoint.

Know Your Enemy

According to Agari, the first step in building a defense is understanding the extent of the problem, risks, threats and vulnerabilities.

In compiling the quarterly analysis Agari, which analyzes around a billion emails per year, pulled data over 90 days ending June 30, 2013. Quantifying those emails and categorizing by industry gave an interesting look at cybercrime trends.

An Educated Consumer Is The Best Customer?

Faced with increased phishing threats, many banks are searching for more and better ways to help protect customers. But what is a company to do when they realize their network has been used for an email phishing scam? Should they alert their consumers, try to educate them, or just put all their resources into their defenses? It's a toss up.

"Jane Consumer may not be as savvy as your Wall Street Journal readers and Tech enthusiasts. Having banks reach out and educate [customers] may not work there," said Peterson. "These businesses owe it to their consumers to put a stop to their criminal abilities that use its brand to defraud them. It's really that simple. Everyone who runs a business has a responsibility to increase the likelihood that their customers remain safe."

Mobile Immunity?

Luckily, criminals haven't gotten around to significantly infiltrating the mobile world yet. So, if you're part of the crowd that opens a majority of emails by phone, you may think you're immune to the phishing scams. And maybe you are, for now. "Today, if you're using your phone it's unlikely they are going after you. Unfortunately, just like the New York Times and Amazon are thinking of how they can monetize your phone use, the bad guys are doing the same thing," argues Peterson. "Criminals are realizing the ability to go after mobile users is going down, so they'll be more aggressively moving towards the mobile platform."

Numbers Don't Lie

So how do industries stack up in risk and trust? Agari's answers are quite illuminating.

The following sectors were measured using the trust and threat scores: Social Media, Financial Services, Logistics, E-Commerce, Travel and for the first time, Online Gaming.

In order of trust the highest rated firms are: Social Media, Logistics, Internet Commerce, Financial Services, Online Gaming, Travel. In order of risk (highest to lowest): Financial Services, Logistics, Online Gambling, Social Media, Internet Commerce, Travel. The graphs below are sourced from the press release.

[Graphs from the press release: Email Trust; Risk]

While all are interesting, social media deserves special attention thanks to its ability to stay on top of the security issue. On one hand, we may find this surprising because these are not exactly mature global enterprises. On the other, the technology community in these companies employs some of the best in the workforce, enabling the firms to deploy the latest technology to keep systems safe.

In the 2013 Q2 report the social media sector showed modest quarter over quarter growth in trust. Coupled with a low cyber defense threat score, the data suggests the industry is putting even more resources behind their email security. Facebook and Twitter recorded perfect scores. Instagram stepped up its defenses in the period coinciding with the Facebook integration. Meanwhile, MySpace received the lowest TrustScore, keeping the industry from achieving strong scores across the board.

More Findings and Theories

E-Commerce: A recent Gartner study shows that nearly 60% of consumers affected by a phishing attack lost trust in email and changed their online shopping behaviors. This can't be more important for any sector than it is for e-commerce. This may explain the spike in consumer protection programs that account for a 9% rise in the TrustIndex score over the last quarter. Movements were headed by eBay, Apple and Amazon.com, and perfect scores were awarded to Netflix and American Greetings. Dell, OfficeMax and Staples underperformed along with Sears and Best Buy.

Travel: The lowest rated of all studied sectors, travel came in with a TrustScore of 17 but showed significant improvement in TrustScore™, suggesting they are working to correct the issue. Delta Airlines came through as the industry leader in safeguarding its email channel. This is in contrast to American Airlines, SkyWest and JetBlue, which seem to have stopped making headway in preventing these types of attack.

Logistics: "The logistics sector posted an improvement in email authentication as its TrustScore rose 2.25 percent, continuing to lead as the sector with the second highest DMARC adoption rate," according to the press release. "Indeed, the sector's bellwether, the U.S. Postal Service, stepped up its commitment to protect consumer trust in the wake of the well-publicized phishing attack that spoofed the Internal Revenue Service in early April." FedEx's heavy investment in DMARC earned the firm a perfect score, bolstering the entire industry.

Online Gaming: This sector was one of the poorer performers this quarter, "weighed down as a whole by companies failing to successfully implement any email security," according to the press release. "The solitary bright spot came from Blizzard / World of Warcraft, which has solid email authentication practices in place. Not seeing more participation is concerning given that gaming has a significant kids audience that may not be savvy to distinguishing between valid and malicious email."

View TrustIndex results in an infographic here.

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...

Comments
AnonymousMan,
User Rank: Apprentice
8/23/2013 | 8:03:49 PM
re: 122% Increase In Financial Services Cyberattacks During Q2
DMARC is a way for an organization to prevent attackers from spoofing e-mail addresses. There's value there, but it's being sold as something entirely different which is what bugs me most. I also think it's a terrible solution architecturally, but I don't want to go down that rabbit hole. Another little secret you won't hear being talked about... it's primarily only being enforced at the big free mail providers (e.g. gmail, etc) and some large ISPs. Last time I checked, none of the prominent enterprise email gateways even supported DMARC enforcement. When I asked our top tier vendor about it, all I got was "just create the records" response, which completely ignores the fact that I can't enforce DMARC on MY edge to protect my thousands of users. Doesn't it seem odd to you that this fancy new solution to "authenticating email" and "preventing phishing" isn't actually supported on enterprise mail gateways? Those "laggards" couldn't enforce DMARC if they wanted to. Think about that one for a bit because the real motives for DMARC are hidden behind those pushing hardest for it. I'm not trying to suggest that DMARC and its supporters have some evil agenda BTW, only that they're bending the truth of what it does to suit their agenda. Bottom line to financial services organizations: DMARC enforcement by the large ISPs and ESPs will prevent miscreants from spoofing your email domain when the recipient is one of their users, it will not otherwise prevent miscreants from spoofing your domain or phishing your brand. There are reasons to do it, they're just not the ones being hyped.
Greg MacSweeney,
User Rank: Apprentice
8/23/2013 | 5:59:31 PM
re: 122% Increase In Financial Services Cyberattacks During Q2
True. There are many ways that attackers can exploit unwary consumers. DMARC is just one way to close a single loophole. There is no one solution that will reduce or prevent phishing. Firms need to deploy many different forms of protection to minimize the overall number of attacks, and DMARC is just one of dozens of tools that companies could use.
AnonymousMan,
User Rank: Apprentice
8/22/2013 | 8:49:38 PM
re: 122% Increase In Financial Services Cyberattacks During Q2
Agari just wants to sell their services. Guess what, DMARC DOES NOT and CAN NOT prevent phishing or attackers from misusing your brand. In the long run, it won't even REDUCE the number of phishing attacks. Why? Because all it does is make sure no one can spoof the email address. It doesn't authorize or validate the actual content of the message, and that's what matters. The vast majority of phishing attacks already DO NOT pretend to come from a legit source. They don't need to since most consumers don't pay attention to it anyway. The ones that do will simply send the same messages with different "from" addresses and *poof*, DMARC doesn't do anything again.
Greg MacSweeney,
User Rank: Apprentice
8/1/2013 | 5:33:53 PM
re: 122% Increase In Financial Services Cyberattacks During Q2
Consumers are, by far, the worst when it comes to security. We hate passwords (then we forget them), and God forbid if a site requires 2-factor authentication...we will never use it.

Banks realize this and no matter how much they try to educate the consumer, they realize that the bank needs to do most of the legwork when it comes to security.

However, banks are starting to hold consumers responsible financially if the fraud happened because the customer did something wrong (shared a password), or something similar. That is one way to get the customer's attention!
Becca L,
User Rank: Author
8/1/2013 | 4:20:20 PM
re: 122% Increase In Financial Services Cyberattacks During Q2
I also agree with his "Jane Consumer" example but even the tech savvy are at risk when you consider the people behind these attacks are every bit as intelligent, if not more. Defense on the part of the firms will certainly be more effective than large scale education. That's probably why we, the public, hear so little about this issue.
Byurcan,
User Rank: Author
8/1/2013 | 2:43:02 PM
re: 122% Increase In Financial Services Cyberattacks During Q2
Hard to believe email phishing scams, which have been around since Seinfeld was still airing original episodes, still are so effective. The common thing people say we need is more consumer education, but interesting that Peterson says that may not be so effective with "Jane Consumer." I'm inclined to agree with him.