The travel industry and large banks were the US industries most abused by spam and malicious email in the second quarter of 2014, according to Agari’s Email TrustIndex.
The Index (registration required) is a composite of two things. The first, and most important, is the extent to which each of 147 well-known US brands, and their industry sectors, is targeted by spam and malicious email passing itself off as genuine.
The second dimension is how well these brands implement email security using authentication standards such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance).
Banks have always been a favourite for cybercriminals – consumers are roughly 15 times more likely to be sent bogus or spoofed email abusing this sector than from an airline – but for some reason the travel industry shot up the index into third place after showing an 800 percent increase in abuse.
As for implementing email security, all sectors showed small but encouraging improvements, with the best performers being social firms (i.e. Twitter, Facebook), e-tailers, payments and retail. Only seven firms achieved a ‘perfect’ 100 for email security: Capital One, DocuSign, Facebook, JPMorgan Chase, Netflix, Newegg and Twitter.
Technology-wise, SPF is used by 91 percent of the 147 firms, DKIM by 66 percent, and the most recent, DMARC, by 38 percent, with the top-rated firms being the most likely to use Agari's recommended DMARC.
Interestingly, Agari makes some judgments about individual firms and their adoption – or lack of adoption – of email security. In retail, only one firm, Apple, was given top marks, with Target in the ‘under construction’ (improving) category. For e-tailers, Amazon and Netflix were highly rated while Rakuten and Market America were ‘easy targets’.
According to Agari, industries also varied quite widely in their implementation of email security; in the oft-exploited logistics sector, FedEx and UPS were given good marks while DHL and TNT Express weren’t.
Airlines were generally pretty terrible at implementing email authentication – 88 percent of that sector are described by Agari as ‘easy targets’.
Agari promotes DMARC, a recent technology through which a sending domain can tell receiving servers that it uses SPF or DKIM and how to treat email that spoofs the domain without passing these security layers.
DMARC isn't without its complications – earlier this year Yahoo's implementation of it led to some criticism that it could outlaw legitimate mailing lists.
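How a receiving server reads a domain's published DMARC policy, as an added example that is not from the article or from Agari: the sketch parses the record's tag=value syntax (RFC 7489) and classifies what the domain asks receivers to do with mail that fails SPF and DKIM. The domains and records are constructed sample data, and the category names are this example's own.

```python
# Added example. Records and domains below are constructed sample data.
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return a dict of DMARC tags, or None if txt is not a usable record.

    Simplification: a missing or unknown p= makes the record unusable here
    (RFC 7489 has a fallback to "none" when rua= is present; not modelled).
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    tags = {}
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # the version tag must come first; rejects SPF records
        tags.setdefault(name, value)
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in VALID_POLICIES:
        return None
    pct = tags.get("pct", "100")
    tags["pct"] = int(pct) if pct.isdigit() and int(pct) <= 100 else 100
    return tags


def enforcement(txt):
    """Classify what the domain asks receivers to do with failing mail."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"        # receivers get no instruction at all
    if tags["p"] == "none":
        return "monitor-only"    # reports requested, spoofed mail still delivered
    if tags["pct"] < 100:
        return "partial"         # policy applied to a sample of failing mail
    return "enforced"            # quarantine or reject for all failing mail


if __name__ == "__main__":
    samples = {
        "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
        "retail.example": "v=DMARC1; p=quarantine; pct=25",
        "logistics.example": "v=DMARC1; p=none; rua=mailto:d@logistics.example",
        "airline.example": "v=spf1 include:_spf.airline.example ~all",
    }
    for domain, record in samples.items():
        print(f"{domain:20} {enforcement(record)}")
```

A `p=reject` record is the setting that draws the mailing-list criticism: a list that rewrites a message breaks its DKIM signature, and receivers honouring the policy then refuse it.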