Email from social media safest, financial services riskiest

Email from social media brands is some of the safest on the Internet, while email from financial services brands is some of the riskiest, says a report released this week by an email security provider.

"Consumers may be worried about their privacy settings, but in terms of protecting consumers via email, social media is the clear leader," said the report from Agari, which analyzed more than a trillion emails during the second quarter of this year.

Agari uses that analysis to create a Trust Index for email in the financial services, e-commerce, social media, travel, logistics and gaming industries.

The index is based on a Trust Score -- a reflection of the adoption and deployment of security measures in an industry to protect its customers from malicious email -- and a Threat Score -- which provides a measure of relative risk based on malicious activity and attempted attacks.

Social media led all industry sectors during the June quarter with a Trust Score of 73.1, out of a possible 100.

Ranking companies and industries based on the Threat Score and Trust Score benchmarks gives consumers and leading brands visibility into how aggressively a sector is being threatened and which companies are taking action to secure email and protect consumer data and trust, the report explained.

"Social media has been far more aggressive about protecting their customers and far more responsive to keep up with the technologies available to protect their customers," Agari founder and CEO Patrick Peterson said in an interview.

Among those technologies is DMARC (Domain-based Message Authentication, Reporting and Conformance), which Agari's report said can virtually eliminate brand abuse through fraudulent email attacks and drastically reduce the risks of consumer loss, reputation damage and financial liability.

"A lot more people should be using DMARC because it allows administrators and organizations to be able to reject mail if it doesn't match certain parameters no matter where it says it's coming from," said Paul Ferguson, vice president for threat intelligence at Internet Identity.

Nevertheless, Ferguson was skeptical of the glowing grades given social media by Agari. "We see daily campaigns with emails harboring malicious content that's masquerading as DHL, FedEx, Dun & Bradstreet or social media like Facebook and LinkedIn," he said.

In fact, social media may contribute to the problem by fueling a growing culture of interrupt-alerts that demand attention without forethought. "It allows bad guys to blend in with that noise," Ferguson explained.

Other sectors analyzed by Agari didn't fare as well as social media. "The most significant, but not at all surprising, discovery comes from financial services where there has been a huge spike in malicious activity, more than doubling from the prior quarter," the report said.

"In fact, consumers are seven times more likely to receive a malicious email from their bank than from any other type of company," it said.

Despite that spike, financial services still managed a Trust Score of 39.7, a seven percent jump over the previous quarter and significantly higher than the worst sector in the report: travel, with a score of 17.2.

"This sector, and the airlines in particular, is doing the least of all industries we analyzed to secure email and prevent their consumers from becoming victims of an attack," the report said.

"Even airlines like JetBlue that are well known for being leaders in delivering a better digital experience, are putting customers at risk with very little effort in preventing these types of attacks," the report added.

Agari also reported that many consumers do not realize that 95 percent of data breaches start with a phishing email. "I think we can safely say that after however many years it has been, we've lost the battle of educating about threats," George Tubin, a senior security strategist with Trusteer, told CSOonline.

"We're just not going to be able to educate people to identify these things," he said.

"We need to keep educating, but the only way we're going to be successful with this is to fight these technology attacks with technology defenses," Tubin said. "We shouldn't be relying on human judgement to determine what's a legitimate email and what isn't."

Stories by John P. Mello
