UK's biggest firms still falling down on anti-phishing security

SPF and DKIM popular, DMARC less so

Leading UK firms are still failing to implement basic layers of email security to protect themselves from brand abuse and their customers from phishing attacks, email vendor Agari has reported in its latest Q3 ranking.

The firm has previously focussed on the state of email security among US firms, finding a mixed picture with some sectors doing well and others lagging. It turns out that things are generally worse in the UK, with three quarters of the brands assessed ranked as "easy targets" in terms of best practices.

Brands rated as easy included Barclays, Deutsche Bank, Royal Bank of Scotland, Virgin Money, Tesco, Ladbrokes, William Hill, Sky/Sky Bet, Shop Direct, Schroders, and, unexpectedly, department store-cum-middle class religion, John Lewis.

Middle rankers - described as 'under construction' - included Sainsburys, KBC Bank, Wonga, and Rental Cars. No firm made the top rung, 'rock stars'.

The two obvious questions are how Agari comes up with these ratings and what motivates some firms to be so much better at securing themselves and their customers from email and phishing abuse than others.

The ratings are based on a mixture of how often domains are targeted by phishing and other spoofed attacks and the extent to which the brands implement email security on key domains to fight back against this abuse.

On this assessment, the use of the technical standards matters. SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) have been around for years and are a bare minimum these days, while the more recent DMARC (Domain-based Message Authentication, Reporting and Conformance) is now considered advisable.

Staggering to report, but some of the brands assessed didn't implement any of these (stand up, Deutsche Bank), while several others did but forgot about DKIM and DMARC.

According to Agari's founder and CEO, Patrick Peterson, younger firms specialising in online sales and social media tended to be better, most likely because email issues were front of mind. Older firms and the banking sector in particular seemed less likely to bother.

"The findings of this Email TrustIndex indicate that many UK businesses are still not taking the necessary steps to protect their customers from email-borne phishing attacks," said Peterson.

"Indeed, it's concerning to see that so many well-established organisations, including leading banks and retailers, are easy targets."

Email's gaping hole is its lack of authentication: a given email could come from anyone and there is no way of telling who sent it. SPF, DKIM and DMARC are attempts to retrofit some of this security on to email.
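The three standards the article is scoring firms on are all published as DNS TXT records, so a defender can check a domain's own posture the same way an attacker or an assessor would look at it. The following is an added example (not Agari's methodology and not code from the article): an offline checker that reads SPF from the apex TXT record, DKIM from `<selector>._domainkey.<domain>`, and DMARC from `_dmarc.<domain>`, then grades the domain on its own simplified "none / partial / complete" scale. The zone data, the selector list and the `.example` domains are constructed sample values; the `resolve` callable is an assumption so the same code can later be pointed at a real resolver.

```python
"""Offline SPF / DKIM / DMARC posture checker (added example).

The TXT records below are constructed sample data under .example names;
swap `sample_resolver` for a real TXT lookup to assess a live domain.
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample zone: DNS name -> TXT record strings.
SAMPLE_TXT: Dict[str, List[str]] = {
    # "complete": SPF hard-fail, a DKIM key, DMARC at enforcement with reporting
    "bank.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@bank.example; pct=100"],
    "mail._domainkey.bank.example": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"],
    # "partial": SPF only (soft-fail), no DKIM, no DMARC
    "shop.example": ["v=spf1 ip4:192.0.2.0/24 ~all", "site-verification=abc123"],
    # "none": a TXT record exists but none of the three standards
    "legacy.example": ["some-unrelated-verification-token"],
}

Resolver = Callable[[str], List[str]]


def sample_resolver(name: str) -> List[str]:
    """Stand-in for a DNS TXT lookup; returns [] for names not in the sample zone."""
    return SAMPLE_TXT.get(name, [])


def find_spf(txt: List[str]) -> Optional[str]:
    """Return the SPF record (RFC 7208 requires the 'v=spf1' prefix), if any."""
    return next((r for r in txt if r.lower().startswith("v=spf1")), None)


def spf_all_qualifier(spf: str) -> Optional[str]:
    """Qualifier on the terminal 'all' mechanism: '-' fail, '~' softfail,
    '?' neutral, '+' pass (the default when no qualifier is written)."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    return (m.group(1) or "+") if m else None


def find_dmarc(txt: List[str]) -> Optional[str]:
    return next((r for r in txt if r.upper().startswith("V=DMARC1")), None)


def dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


# DNS cannot enumerate DKIM selectors, so a checker can only probe likely names.
# This list is an assumption; no hit means "not found", not "not deployed".
COMMON_SELECTORS = ("default", "mail", "selector1", "selector2", "google", "k1")


def find_dkim(domain: str, resolve: Resolver, selectors=COMMON_SELECTORS) -> List[str]:
    """Selectors whose TXT record carries a public key ('p=' is the one required tag)."""
    found = []
    for sel in selectors:
        for rec in resolve(f"{sel}._domainkey.{domain}"):
            if re.search(r"(?:^|;)\s*p=\S", rec):
                found.append(sel)
                break
    return found


def assess(domain: str, resolve: Resolver = sample_resolver) -> Dict[str, object]:
    """Grade a domain on this example's own scale (not Agari's ranking):
    'none' = no standard published, 'partial' = some but not all, or DMARC
    left at p=none (monitor only), 'complete' = all three with DMARC enforcing."""
    spf = find_spf(resolve(domain))
    dmarc = find_dmarc(resolve(f"_dmarc.{domain}"))
    dkim = find_dkim(domain, resolve)
    tags = dmarc_tags(dmarc) if dmarc else {}
    policy = tags.get("p")
    present = sum([spf is not None, bool(dkim), dmarc is not None])
    if present == 0:
        tier = "none"
    elif present < 3 or policy not in ("quarantine", "reject"):
        tier = "partial"
    else:
        tier = "complete"
    return {
        "domain": domain,
        "spf": spf is not None,
        "spf_all": spf_all_qualifier(spf) if spf else None,
        "dkim_selectors": dkim,
        "dmarc_policy": policy,
        "dmarc_reporting": "rua" in tags,
        "tier": tier,
    }


if __name__ == "__main__":
    for d in ("bank.example", "shop.example", "legacy.example"):
        print(assess(d))
```

The `tier` logic deliberately treats a DMARC record with `p=none` as partial: it delivers the aggregate reports that make the rollout manageable, but it tells receivers to do nothing with mail that fails SPF and DKIM alignment, so the brand is still spoofable. Pointing the checker at a real resolver turns it into a quick self-audit of every domain a firm sends from, including the ones it never sends from, which should carry `v=spf1 -all` and an enforcing DMARC policy too.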

"While there are a select few organisations that are starting to adopt all three standards, a number of them are only implementing one or two, with SKY, Ladbrokes and Deutsche Bank not progressing with any of the three. This isn't good enough. Only by providing comprehensive email authentication that includes SPF, DKIM and DMARC will organisations be defending their reputation and fulfilling their responsibility to their customers."

Stories by John E Dunn