Study finds one in seven emails from financial brands poses risks to consumers

Email from social media brands is some of the safest on the Internet, while electronic posts from financial services brands are some of the riskiest, says a report released this week by an email security provider.

“Consumers may be worried about their privacy settings, but in terms of protecting consumers via email, social media is the clear leader,” said the report from Agari, which analyzed more than a trillion emails during the second quarter of this year.

Agari uses that analysis to create a Trust Index for email in the financial services, e-commerce, social media, travel, logistics and gaming industries.

The index is based on a Trust Score, a reflection of the adoption and deployment of security measures in an industry to protect its customers from malicious email, and a Threat Score, which provides a measure of relative risk based on malicious activity and attempted attacks. Social media led all industry sectors during the June quarter with a Trust Score of 73.1, out of a possible 100.

Ranking companies and industries based on the ThreatScore and TrustScore benchmarks gives consumers and leading brands visibility into how aggressively a sector is being threatened and which companies are taking action to secure email and protect consumer data and trust, the report explained.
“Social media has been far more aggressive about protecting their customers and far more responsive to keep up with the technologies available to protect their customers,” Agari founder and CEO Patrick Peterson said in an interview.

Among those technologies is DMARC (Domain-based Message Authentication, Reporting and Conformance), which Agari’s report said can virtually eliminate brand abuse through fraudulent email attacks and drastically reduce the risks of consumer loss, reputation damage and financial liability.

“A lot more people should be using DMARC because it allows administrators and organizations to be able to reject mail if it doesn’t match certain parameters no matter where it says it’s coming from,” said Paul Ferguson, vice president for threat intelligence at Internet Identity.

Nevertheless, Ferguson was skeptical of the glowing grades given social media by Agari. “We see daily campaigns with emails harboring malicious content that’s masquerading as DHL, FedEx, Dun & Bradstreet or social media like Facebook and LinkedIn,” he said.

In fact, social media may contribute to the problem by fueling a growing culture of interrupt-alerts that demand attention without forethought. “It allows bad guys to blend in with that noise,” Ferguson explained.

Other sectors analyzed by Agari didn’t fare as well as social media.
“The most significant, but not at all surprising, discovery comes from financial services where there has been a huge spike in malicious activity, more than doubling from the prior quarter,” the report said.

“In fact, consumers are seven times more likely to receive a malicious email from their bank than from any other type of company,” it said.

Despite that spike, financial services still managed a Trust Score of 39.7, a seven percent jump over the previous quarter and significantly higher than the worst sector in the report: travel, with a score of 17.2.

“This sector, and the airlines in particular, is doing the least of all industries we analyzed to secure email and prevent their consumers from becoming victims of an attack,” the report said. “Even airlines like JetBlue that are well known for being leaders in delivering a better digital experience, are putting customers at risk with very little effort in preventing these types of attacks,” the report added.

Agari also reported that many consumers do not realize that 95 percent of data breaches start with a phishing email.

“I think we can safely say that after however years it has been, we’ve lost the battle of educating about threats,” George Tubin, a senior security strategist with Trusteer, told CSOonline.

“We’re just not going to be able to educate people to identify these things,” he said.

“We need to keep educating, but the only way we’re going to be successful with this is to fight these technology attacks with technology defenses,” Tubin said. “We shouldn’t be relying on human judgement to determine what’s a legitimate email and what isn’t.”