It's hard to quiet the voice of Paul McCartney when you read through Agari's latest study on The State of Email Trust. All you have to do is read the introductory paragraph of the report, which the security solutions provider released today:

Email security improved somewhat in 2014, but most companies still haven’t implemented technology that prevents cyber criminals from sending messages that appear to come from their domains — a failure that leaves customers vulnerable to phishing attacks." 

Think about that for just a moment — and odds are you, too, can visualize McCartney's words:

Someone's knockin' at the door
Somebody's ringin' the bell
Do me a favor,
Open the door and let 'em in." 

Businesses are unwittingly opening the door to cybercriminals who trick people into sharing sensitive information, leading to identity theft and other crimes. 

What's more, because victims of phishing attacks often blame the companies they thought sent the forged emails, the attacks erode the trust companies spend years building with customers.

Knock, Knock

Even if your mind works in a slightly more linear than lyrical fashion, the implications are clear. Just when you thought that everyone knew better than to fall for an email spoofing attack comes word of a surge that could give even the most seasoned email marketer nightmares. 

"The payments industry, including credit card and digital-wallet companies, saw a 23-fold increase in malicious email attacks against its customers between the second and fourth quarters of last year," Agari noted.

The findings are based on the Agari TrustIndex, a research study based on analysis of more than 6.5 billion emails each day throughout 2014.

The data shows that this is no time to be complacent about the risks of email spoofing attacks, said Agari CMO Kevin Cochrane. 

"We digital marketers and security professionals are all consumers. We have to work together — with utmost respect for data governance and privacy protection — to share information with one another and with government about cyberattacks so we can collectively safeguard consumers and prevent fraud," he continued.

It's a challenge, because cybercriminals are increasingly collaborating themselves on ever-more sophisticated attacks.

"As the White House cybersecurity summit showed, consumer protection is critical to ensuring our digital investments are a force for positive customer experiences and competitive advantage. Not protecting consumers is not an option," Cochrane said.

The State of Security

Agari distilled the report into three key takeaways:

  1. Healthcare companies and banks — companies with some of your most personal data — are not doing enough to protect customers against forged email messages.
  2. Email phishers and spammers spoof industries in swarms, moving from one sector to the next with little predictability.
  3. Companies slow to implement the leading email security protocols — especially DMARC, the newest — are most likely to be spoofing targets

The report notes that progress on the security side has been "steady but slow." While the use of the three major email authentication standards (SPF, DKIM and DMARC) increased, the fact that the standards are still not widely adopted is cause for concern.

SPF is an email authentication standard that lets companies decide which servers are allowed to send emails using their domain, the name that appears in a company’s dot com address.

DKIM is a more complete email authentication standard, offering improved sender verification.

DMARC adds an extra layer of security on top of SPF and DKIM. Companies that employ DMARC
publish a document (the DMARC record) on their servers that email service providers query whenever a user receives a message purportedly from that company. The DMARC record instructs email providers to send suspicious messages to a receiver’s spam folder or to reject them outright, which is the safest thing to do.

To get a sense of relative risks, take a look at the TrustScores of various industries in the image below. The TrustScore measures a company’s implementation of the three major email security protocols. As always with trust, a high level is better than a low level.


Companies scoring greater than 50 have at least some level of DMARC implementation. And 13 companies of 147 analyzed had perfect TrustScores in the fourth quarter last year:

  • Mega banks: Chase, Capital One
  • E-tailers: Newegg, Netflix
  • Social: Facebook, Twitter, Instagram, Pinterest
  • B2B: Docusign
  • Logistics: UPS, Fedex
  • Healthcare: Aetna
  • Payments: Western Union

DMARC guarantees that a user’s inbox will reject all emails it detects from spoofers, rather than just sending the message to spam or letting it through, Agari noted, explaining:

Unsurprisingly, internet giants in the social and e-tail sectors seem to have an especially strong grasp of email’s inherent vulnerability, and they’ve taken more steps than others to prevent email attacks against their customers."