Fraudulent email attacks remain a high-level issue for corporations across all industries, with financial services leading the way when it comes to the increase in phishing attacks, according to a report from Agari, a provider of email security solutions.
The newly released Agari Email TrustIndex 2013 second quarter edition set out to identify which industries are the greatest targets of, and most vulnerable to, these email scams. This quarterly study also shows which industries are improving in their security efforts.
In a phone interview, Pat Peterson, Agari's CEO, says the report shows just how poorly many industries are responding to the issues. "We've been ringing the alarm bells, journalists too, and while our report shows progress it's not as much as we'd expect given the size of the problem."
For instance, Agari's study shows the financial community has been under increased attack in the past quarter. The data shows consumers are 7 times more likely to be the victim of an email attack from their bank versus any other sector. According to the press release, "threat levels increased 122% in the last ninety days, the most dramatic increase of any sector."
"When it first came out that the amount of attacks on financial service brands was more than doubling in a short period we thought it must be an error," said Peterson. "But we went in and double checked the data, sure enough cybercriminals had increased their efforts. It was a big surprise."
Fortunately, the data also shows financial companies are aggressively embracing DMARC (Domain-based Message Authentication, Reporting and Conformance) to defend their email channels, a move Agari finds encouraging. Agari used the degree of DMARC adoption to measure the trust of these emails, presented as the Agari TrustScore. The Agari ThreatScore measures relative risk based on malicious activity and attempted attacks.
Agari reports that U.S. Bank and Capital One helped raise the sector's TrustIndex score by 7% this quarter, followed by American Express and PayPal. "A few laggards, however, prevented the sector's growth from reaching even higher heights," according to the release. "Large retail and institutional banks have not focused on email authentication, weighing down the industry's performance, and larger banks as well are still wrestling with the early steps to get to full DMARC enabled authentication."
As many security professionals know, malicious phishing emails can install destructive or security-breaching malware that records keystrokes or steals information. For those whose mailing lists are targeted by phishing schemers, the fragile threads of trust between firm and client become strained. This translates to lost business, and therefore remains a priority issue from both a security and marketing standpoint.
Know Your Enemy
According to Agari, the first step in building a defense is understanding the extent of the problem, risks, threats and vulnerabilities.
In compiling the quarterly analysis, Agari, which analyzes around a billion emails per year, pulled data over 90 days ending June 30, 2013. Quantifying those emails and categorizing by industry gave an interesting look at cybercrime trends.
An Educated Consumer Is The Best Customer?
Faced with increased phishing threats, many banks are searching for more and better ways to help protect customers. But what is a company to do when it realizes its network has been used for an email phishing scam? Should it alert its consumers, try to educate them, or just put all its resources into its defenses? It's a toss-up.
"Jane Consumer may not be as savvy as your Wall Street Journal readers and Tech enthusiasts. Having banks reach out and educate [customers] may not work there," said Peterson. "These businesses owe it to their consumers to put a stop to their criminal abilities that use its brand to defraud them. It's really that simple. Everyone who runs a business has a responsibility to increase the likelihood that their customers remain safe."
Luckily, criminals haven't gotten around to significantly infiltrating the mobile world yet. So, if you're part of the crowd that opens a majority of emails by phone, you may think you're immune to the phishing scams. And maybe you are, for now. "Today, if you're using your phone it's unlikely they are going after you. Unfortunately, just like the New York Times and Amazon are thinking of how they can monetize your phone use, the bad guys are doing the same thing," argues Peterson. "Criminals are realizing the ability to go after mobile users is going down, so they'll be more aggressively moving towards the mobile platform."
Numbers Don't Lie
So how do industries stack up in risk and trust? Agari's answers are quite illuminating.
The following sectors were measured using the trust and threat scores: Social Media, Financial Services, Logistics, E-Commerce, Travel and for the first time, Online Gaming.
In order of trust the highest rated firms are: Social Media, Logistics, Internet Commerce, Financial Services, Online Gaming, Travel. In order of risk (highest to lowest): Financial Services, Logistics, Online Gambling, Social Media, Internet Commerce, Travel. The graphs below are sourced from the press release.
While all are interesting, social media deserves special attention thanks to its ability to stay on top of the security issue. On one hand, we may find this surprising because these are not exactly mature global enterprises. On the other, the technology community in these companies employs some of the best in the workforce, enabling the firms to deploy the latest technology to keep systems safe.
In the 2013 Q2 report the social media sector showed modest quarter over quarter growth in trust. Coupled with a low cyber defense threat score, the data suggests the industry is putting even more resources behind their email security. Facebook and Twitter recorded perfect scores. Instagram stepped up its defenses in the period coinciding with the Facebook integration. Meanwhile, MySpace received the lowest TrustScore, keeping the industry from achieving strong scores across the board.
More Findings and Theories
E-Commerce: A recent Gartner study shows that nearly 60% of consumers affected by a phishing attack lost trust in email and changed their online shopping behaviors. This can't be more important for any sector than it is for e-commerce. This may explain the spike in consumer protection programs that account for a 9% rise in the TrustIndex score over the last quarter. Movements were headed by eBay, Apple and Amazon.com, and perfect scores were awarded to Netflix and American Greetings. Dell, OfficeMax and Staples underperformed along with Sears and Best Buy.
Travel: The lowest rated of all studied sectors, travel came in with a TrustScore of 17 but showed significant improvement in TrustScore™, suggesting they are working to correct the issue. Delta Airlines came through as the industry leader in safeguarding its email channel. This is in contrast to American Airlines, SkyWest and JetBlue, which seem to have stopped making headway in preventing these types of attack.
Logistics: "The logistics sector posted an improvement in email authentication as its TrustScore rose 2.25 percent, continuing to lead as the sector with the second highest DMARC adoption rate," according to the press release. "Indeed, the sector's bellwether, the U.S. Postal Service, stepped up its commitment to protect consumer trust in the wake of the well-publicized phishing attack that spoofed the Internal Revenue Service in early April." FedEx's heavy investment in DMARC earned the firm a perfect score, bolstering the entire industry.
Online Gaming: This sector was one of the poorer performers this quarter, "weighed down as a whole by companies failing to successfully implement any email security," according to the press release. "The solitary bright spot came from Blizzard / World of Warcraft, which has solid email authentication practices in place. Not seeing more participation is concerning given that gaming has a significant kids audience that may not be savvy to distinguishing between valid and malicious email."