Why Email Security Is a Competitive Advantage in the Banking Sector

  • Robert Holmes, General Manager, Email Fraud Protection at Return Path

  • 03.05.2016 10:30 am
  • Banking, security

The financial industry continues to be a top phishing target for cybercriminals. During the third quarter of 2015, 34 percent of phishing attacks worldwide were directed towards financial institutions and payment services organizations.

This email fraud not only impacts revenue, but also damages consumer trust, which, according to research by SAS, executives rate nearly twice as high as monetary loss. As well they should. Customers are 42% less likely to interact with a brand after being phished or spoofed. And one third of consumers would stop dealing with a business following a cyber-security breach, even if they do not suffer a material loss, according to Deloitte. 

Securing email presents a big business opportunity 

However, despite its vulnerability, email also presents a huge opportunity for financial institutions. According to research by TSYS, email is by far the preferred way in which consumers like to hear from their banks. 

With phishing scams and data breaches making headlines literally every day, any financial organisation that proactively defends their customers from email fraud will gain an invaluable competitive advantage. 

So how do you secure one of the most vulnerable threat vectors used by cybercriminals today? Start with authenticating your email messages. 

How to combat email fraud 

There are three important email authentication protocols: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance). At the highest level, these mechanisms ensure legitimate messages are delivered and malicious messages (purporting to be from legitimate brands) are blocked before they reach consumer inboxes. 

Unfortunately, the vast majority of banks are not implementing robust email authentication standards. According to Return Path's latest DMARC research on the top 1,000 brands around the globe, the banking sector has a DMARC adoption rate of just 27 percent, far below that of social media (59%), technology (51%), and logistics (41%).

However, while individual companies aren’t moving as quickly to secure the email channel as we might like, industry leaders and mailbox providers are starting to set the email security bar very high. 

The benefits of .bank 

The recent launch of the .bank registry, for example, holds great promise for improved security for the financial industry. The .bank registry mandates the implementation of DMARC to ensure that email attacks coming from spoofed domains are blocked before they reach their intended victim.  

Restrictions on the types of domains that can be registered, and on who can apply to the registry, are among a large number of stringent security measures mandated by the registry. This stands in contrast to the widely used .com domains, which can be registered by anyone, regardless of identity, rights or intent. With .bank, consumers will have a higher degree of confidence when communicating with their financial institution.

Email authentication is becoming a prerequisite 

Email receivers are also starting to enforce email authentication. Gmail recently announced that if a user receives a message that can’t be authenticated with either SPF or DKIM, the sender’s profile photo or avatar will be replaced with a red question mark, a warning sign that the user should not engage with the message. This has major implications for marketers, who depend on email engagement to deliver leads and revenue.

Eventually, all financial institutions will be required to authenticate their email if they want to continue using it as a secure channel to communicate with their customers. 

Today, of all the industries affected by the phishing epidemic, banking establishments have been hit the hardest. Fraudsters are targeting customers of financial services organisations with emails spoofing legitimate banking brands. With 97% of consumers unable to identify a phishing email, fraudsters will continue to defraud unsuspecting consumers. It is every financial organisation’s responsibility to proactively defend their customers against email fraud and protect their brand at all costs.
