Social Media Mails Are the Most Trustworthy

Spoofed sender addresses, look-alike domains and spear-phishing are familiar webmail problems, but online companies are not doing everything they should to stop attackers from impersonating their messages and sites. According to the Online Trust Alliance (OTA), only 8.3% of emails from nearly 800 top consumer websites passed muster as trustworthy, meaning 91.7% failed.

Further, OTA's report found that the overwhelming majority of businesses and government agencies have not implemented the security protocols that would let consumers and business partners tell whether email claiming to come from their domain is genuine or forged.

As for which sectors are doing better than others, OTA's 2014 Email Integrity Audit report, which includes its Email Trust Scorecard, found that emails from social media companies are the most trustworthy while federal agencies are the least, with every sector falling well short of adopting email security best practices.

Specifically, the percentage of companies passing the OTA Email Trust Scorecard broke down as follows:

  • 28% of the top 50 social media companies
  • 17% of the top 100 financial services companies
  • 14% of the top 100 Internet retail companies
  • 6% of the top 50 news companies
  • 6% of the top 500 Internet retailers
  • 4% of the top 50 U.S. government agencies

“When organizations implement specific email security protocols, the results are increased consumer protection from receiving malicious and fraudulent email, strengthened brand reputation, and enhanced deliverability of legitimate email,” said OTA executive director and president Craig Spiezle, in a statement. “Despite the obvious benefits, the majority of organizations have yet to adopt practices comprehensively, putting consumers and their brands at risk.”

Those best practices hinge on protocol implementation. The Scorecard measures the adoption of three critical email security protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

By deploying email authentication, organizations can help protect their brands and consumers from forged email. SPF and DKIM are authentication protocols designed to detect spoofing by giving receiving mail servers a way to verify a message's origin: SPF publishes in DNS which hosts may send mail for a domain, and DKIM lets the sending domain sign messages with a key it publishes in DNS. Building on SPF and DKIM, DMARC adds a policy assertion that tells receiving networks (ISPs and corporate networks) how to handle messages that fail authentication, and, equally important, a reporting channel back to the brand/domain owner.
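The following is an added example, not code from the article, OTA or any of the companies named, showing how a receiver combines the three records: it evaluates SPF against the connecting IP, checks DMARC identifier alignment for SPF and DKIM, and applies the published `p=` policy. All domains, address blocks, the selector and the DKIM key placeholder are constructed for the example, DNS lookups are replaced by an inline table, and the organizational-domain logic is a deliberate simplification (real receivers use the Public Suffix List).

```python
"""DMARC evaluation over constructed DNS records (no network lookups)."""
import ipaddress

# Constructed DNS TXT records standing in for a resolver. Assumption: every
# domain, address block, selector and key below is invented for this example.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; aspf=r; adkim=s"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PUBLICKEYPLACEHOLDER"],
    # An attacker's own domain with a valid SPF record for the attacker's servers.
    "attacker.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
}


def parse_tags(record):
    """Parse 'tag=value; tag=value' (DMARC and DKIM record syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain. Assumption: last two labels (a real receiver
    consults the Public Suffix List so that e.g. example.co.uk works)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from_domain, mode):
    """RFC 7489 identifier alignment: 's' needs an exact match, 'r' (relaxed)
    only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return org_domain(auth_domain) == org_domain(header_from_domain)


def spf_check(client_ip, mail_from_domain):
    """Minimal SPF: understands ip4 mechanisms and a trailing -all/~all only."""
    records = [r for r in DNS_TXT.get(mail_from_domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term == "-all":
            return "fail"
        if term == "~all":
            return "softfail"
    return "neutral"


def dmarc_policy(header_from_domain):
    """DMARC record for the From: domain, falling back to the organizational
    domain's record (honouring its sp= tag) when the From: is a subdomain."""
    for name, is_sub in ((header_from_domain, False), (org_domain(header_from_domain), True)):
        for rec in DNS_TXT.get("_dmarc." + name, []):
            tags = parse_tags(rec)
            if tags.get("v") == "DMARC1":
                if is_sub and "sp" in tags:
                    tags["p"] = tags["sp"]
                return tags
    return None


def dmarc_evaluate(header_from_domain, client_ip, mail_from_domain, dkim_results):
    """DMARC result and disposition for one message. dkim_results is a list of
    (d= domain, 'pass'|'fail') pairs as a DKIM verifier would report them;
    signature verification itself is out of scope here."""
    policy = dmarc_policy(header_from_domain)
    spf = spf_check(client_ip, mail_from_domain)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "disposition": "none"}
    spf_ok = spf == "pass" and aligned(mail_from_domain, header_from_domain, policy.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, header_from_domain, policy.get("adkim", "r"))
                  for d, res in dkim_results)
    if spf_ok or dkim_ok:
        return {"spf": spf, "dmarc": "pass", "disposition": "none"}
    disposition = policy.get("p", "none")
    if disposition not in ("none", "quarantine", "reject"):
        disposition = "none"
    return {"spf": spf, "dmarc": "fail", "disposition": disposition}


def published(domain, dkim_selector):
    """Crude presence check for the three records (an assumption of this
    example, not the OTA's scoring criteria)."""
    return {
        "spf": any(r.startswith("v=spf1") for r in DNS_TXT.get(domain, [])),
        "dkim": any(parse_tags(r).get("v") == "DKIM1"
                    for r in DNS_TXT.get(f"{dkim_selector}._domainkey.{domain}", [])),
        "dmarc": dmarc_policy(domain) is not None,
    }


if __name__ == "__main__":
    print(published("example.com", "s1"))
    # Genuine message: sent from the listed range and signed with d=example.com.
    print(dmarc_evaluate("example.com", "192.0.2.10", "example.com", [("example.com", "pass")]))
    # Spoof: SPF passes for the attacker's own MAIL FROM domain, but it is not
    # aligned with the From: header, so DMARC fails and p=reject applies.
    print(dmarc_evaluate("example.com", "198.51.100.5", "attacker.example", []))
```

The second case in the usage block is the one that matters for the article's point: SPF on its own says "pass" because the attacker's bounce domain is legitimately authorized for the attacker's servers, and only DMARC's alignment rule ties the authenticated identity back to the From: address the recipient actually sees.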

“Over 400 million Microsoft users worldwide are realizing the benefits of SPF, DKIM and DMARC,” said John Scarrow, general manager of safety services at Microsoft. “As email threats and spear-phishing grow, every business should make email authentication a priority to help protect their consumers, their employees and their brands.”

OTA noted that the approaches work. For instance, the report showed that implementing DMARC stopped nearly 25 million attempted attacks on PayPal and eBay customers. “Not only is DMARC shutting down spoofed domain attacks, but it has also cut the overall volume of daily attacks in half since 2012,” said Trent Adams, senior advisor on email security for the companies, in the report.

In addition to implementing SPF, DKIM and DMARC, OTA also recommends adopting Transport Layer Security (TLS) for mail delivery and publishing clear unsubscribe policies in order to enhance consumer trust. TLS encrypts mail in transit between mail servers, which helps prevent eavesdropping on messages as they are delivered; it does not by itself authenticate the sender, which is why it complements rather than replaces SPF, DKIM and DMARC.