Email Security Still a Struggle for Most Companies

email in inbox inbox internet mail communication 000003644536
Credit: iStockphoto

Banks and social media firms have taken steps to protect their customers from email scams, according to recent research. However, the travel and healthcare industries remain vulnerable. All the more troubling: Spam and phishing show no signs of going away.

Is that email really from your bank or airline? Or a hacker pretending to be?

Research from Agari, which provides email security and threat intelligence tools, shows which industries are constantly under attack – but deflect those attacks – and which industries still get a failing grade as they face increased hacker attention.

"Email is one of the criminal's best friends, and one of the most common ways that criminals use to go after their victims," says Patrick Peterson, founder and CEO of Agari. Hackers impersonate brands and try to get you to give them information in return, such as a username and password.

[ Commentary: Why Do We Keep Relearning the Same Security Lessons Again and Again? ]

Agari's quarterly report, which looks at 147 companies across 11 industries, evaluates two things. There's the TrustScore, which looks at the highest-volume email-sending domains for a company and then analyzes their implementation of common email authentication standards, including DMARC, DKIM and SPF. Then there's the ThreatScore, which calculates the volume of spam and potentially malicious email sent by hackers masking themselves as a certain company.

Your Bank Is Still a Target for Hackers

From the first to second quarter, Agari found an 8 percent improvement in trust scores across all industries. However, attacks against what Agari calls "mega banks" remained high.

"Attackers are looking to monetize," says Trey Ford, global security strategist for IT security firm Rapid7. "What's easier to monetize than cash? If I can act like I'm some major bank and get you to sign into my fake webpage, I can log in as you and move money around."

Because of this increased attention, banks have also adapted to protect their consumers against these threats, Peterson says. CapitalOne and JP Morgan Chase even appear in the so-called Agari 100 Club, which is reserved for companies that receive a TrustScore of 100. Facebook and Twitter also fall in that group.

"Social media and banks used to be some of the criminals' favorite targets," Peterson says. Those industries have come a long way in their efforts to protect consumers. People now know how to tell if an email from a financial institution "looks a little funny" and shouldn't be trusted, he adds. "Criminals found out that those were much harder targets to impersonate."

That hasn't stopped the criminals, though – JP Morgan and other banks were allegedly hit by Russian hackers last week in an attack that may have been politically motivated.

Email Hackers Now Hitting Travel, Healthcare

So where did criminals turn? The travel industry. It experienced an 800-percent jump in threats between the first and second quarters of the year. Agari's report says travelers are "natural" targets for social engineering, a type of security intrusion that plays on human behavior and emotion.

[ Related: Spammers' Top Spoofing Targets Still Finance, Travel Industries ]

"As criminals started to look for a new weak link, they found that travel was incredibly successful," Peterson says. "They've been plowing a lot of their efforts and investments into making more and more improvements spoofing an itinerary."

In a 2014 scam, hackers pretended to be Delta Airlines, emailing consumers to say, "Your credit card has been successfully processed," and to provide flight information. Peterson also points to large-scale attacks using Expedia, Airbnb and Booking.com as fronts – all with the goal of either getting your log-in information or installing malware on your machine.

Ford says he's not surprised – not just because of the potential information that hackers can get through setting up fake travel-related sites but because of what travel does to people. Road warriors who frequently travel for work have lowered their barriers, Ford says: "When you get really tired, you do stupid things."

Mobile devices and travel don't always mix well, either. Ford says he's "fairly aggressive" in the security set up of his laptop, but "when I read an email on my phone, I don't have all of those controls. I'm a lot more vulnerable to phishing and [other] attacks – especially when I'm tired."

The good news is that airlines specifically had a 17-percent jump in their TrustScores. "It's very easy when you start from zero to make 17-percent progress," Peterson says, but he points to Delta as a "breakout star" for reacting quickly and effectively after being targeted.

[ More: Community Health Breach Highlights Healthcare Security Vulnerabilities ]

Healthcare also performed poorly, earning the lowest TrustScore out of all industries. Out of 14 healthcare companies analyzed, 13 were classified as easy targets for cybercriminals, suggesting that healthcare security remains lax.

Email Security a Modern Game of Whac-a-Mole

Overall, the TrustScore for the companies that Agari studied increased 8 percent in the second quarter. Peterson describes it as a "sea change," adding, "These are big companies. Making changes is hard for them."

As the major banks learned, however, that doesn't mean these attacks will stop. "Criminals have so many tricks up their sleeve," Peterson says, "and have a new one every day."

Progress is good, but big companies still need to be on alert for whatever's next.

[ Survey: More Than 40 Years Later, Email Security Remains Elusive ]

"Spam is a problem and we still don't have it solved. Phishing is a problem and we still don't have that solved," Ford says. "These [hackers] are businessmen and businesswomen. They're incentivized to be successful. They're going to keep reiterating this game of cat and mouse."

Insider Resume Makeover: How (and When) to Break the Rules
Join the discussion
Be the first to comment on this article. Our Commenting Policies