SendGrid, Inc. (NYSE: SEND), a leading digital communication platform that drives engagement and growth, is the first email service provider (ESP) to announce its Inbox Protection Rate publicly in an effort to increase cybersecurity and privacy transparency and to elevate the cause of inbox protection. SendGrid’s Inbox Protection Rate measures the success of its compliance efforts to prevent malicious email from reaching SendGrid’s approximately 2 billion email recipients. As of December 12, 2018, SendGrid achieved a 99.97% legitimate email rate across all of its outbound mail flow.
Protecting the inbox has become increasingly important as phishing emails remain one of the dominant methods that cyber criminals use to access users’ most guarded credentials. Many major data breaches begin with fraudulent email; cyber criminals will exploit a poor mail configuration to send fake emails purporting to be the targeted sender. FireEye’s recent Email Threat Report asserted that less than a third (32%) of email traffic seen in the first half of 2018 was considered ‘clean’ and actually delivered to an inbox. The report also found that 1 in every 101 emails had malicious intent.
Rising Holiday Email Volumes
Email security and awareness are especially critical around the holidays, when retail and eCommerce brands are sending markedly higher email volumes. SendGrid processed 2.8 billion emails on Black Friday 2018 and 2.9 billion emails on Cyber Monday 2018 on behalf of its customers, marking its two largest sending days ever. As email volumes rise, cyberattacks are expected to jump by nearly 60% this holiday season, compared to other months throughout the year, according to Carbon Black’s new Holiday Threat Report.
“More companies are choosing to outsource their email sending to third-party ESPs like SendGrid to handle their transactional and marketing email services at scale. On a rolling 90-day basis, SendGrid touches one half of the world’s unique email users estimated at 2 billion people,” said Scott Gerlach, Chief Information Security Officer at SendGrid. “Because we operate at such high scale, SendGrid is committed to and responsible for maintaining a clean, phish-free mail flow by investing heavily in our people, process and technology. We have made a commitment to our customers and the email ecosystem to further email security transparency and educate the market on phishing attacks.”
Maintaining legitimate mail flow requires both a technical understanding of the highly sophisticated filtering schemas employed by the receiving domains and mailbox providers, and a human talent for diagnosing non-delivery events and remediating them either through technical changes or modifications of marketing tactics. SendGrid protects its customers from email phishing by:
- Automated machine learning and artificial intelligence defenses spanning several key areas that include the stages of a customer’s lifecycle with SendGrid, user behaviors while using SendGrid, and the actual content that is processed by SendGrid on behalf of its users.
- Neural network to mitigate the ability of phishers to sign up for SendGrid’s service.
- Proprietary machine learning systems that are trained to differentiate the characteristics between legitimate and fraudulent emails to prevent phish from leaving SendGrid.
- Intelligent traffic cop that watches the mail flow from new accounts to ensure anomalous or large deployments are slowed or stopped, when necessary. The algorithm and process used to build this traffic cop were patented in 2017 by SendGrid’s lead data scientist, Dr. Aaron Beach, and former SendGrid co-founder, Tim Jenkins.
“By setting benchmarks for the effectiveness of our security and protection efforts, we can better understand how spammers and cyber criminals evolve their attacks to further protect our customers and, in turn, their customers,” said Len Shneyder, VP of Industry Relations at SendGrid. “Compliance is not a destination, compliance is an ongoing function that not only safeguards SendGrid’s more than 78,000 paying customers but the billions of recipients that have subscribed to receive emails from these businesses. The onus is on us as ESPs to prevent abuse of our email infrastructure, mitigate the cascading damages it can cause and educate our customers.”
Definition of Phishing
Phish is defined as email messages used to fraudulently obtain confidential information such as credit card numbers, passwords, or other personal data.
Inbox Protection Rate Methodology
The Inbox Protection Rate is a measure of email that transits SendGrid’s servers deemed to be legitimate, non-phishing email sent by legitimate businesses. The Inbox Protection Rate is not a measure of spam or how that email is received, since spam is subjective; however, there is nothing subjective about phish. In addition to analyzing outbound messages, SendGrid analyzed email bounces indicative of phishing and other forms of delivery issues.
Sent phish is determined by manual reviews of suspended accounts for phishing content. Each account found to contain phishing content is terminated and tagged as phish. SendGrid then counts the sum of messages delivered via tagged accounts as phish, and incorporates the phish into its automated defenses to improve their efficiency, robustness and detection rate.
To learn more about SendGrid’s Inbox Protection Rate, visit our blog. For additional information about email phish and other email scams, visit SendGrid’s Phishing, Doxxing, Botnets, and Other Email Scams guide.