Email Security Blog

New Research Shows 61% of Employee-Reported Phishing Emails are False Positives

Art Chavez April 22, 2021 Incident Response

A year into the pandemic, Security Operations Centers (SOCs) are getting bombarded by employee-reported phishing attacks both real and imagined—as legitimate threats slip by unnoticed, according to analysis from our latest cross-industry phishing response survey.

Long before any of us had ever heard the term “COVID-19,” phishing was implicated in nearly 7 in 10 corporate data breaches, prompting organizations to give employees the ability to forward suspicious emails to SOC teams with ease.

As part of our H1 2021 Email Fraud & Identity Deception Trends Report, the Agari Cyber Intelligence Division (ACID) surveyed aggregate data from over two dozen client organizations with an average of 21,000 employees. The findings show that from July through December 2020, the email threat landscape expanded to the homes of millions of corporate employees, making many a little quick on the trigger.

During the second half of 2020, SOC analysts were bombarded with more employee-reported phishing incidents than they could possibly handle. As our survey reveals, the time-intensive tasks required to analyze, triage, and remediate those incidents were exacerbated by a staggering 61% false positive rate—even as more legitimate threats hit home

Phishing: Hook, Line & Sinker

None of this comes as a surprise. Our mass experiment in working remotely via home Internet connections and personal computers has provided email threat actors with new avenues for infiltrating corporate networks. As cybercriminal opportunities grow, so does the corresponding financial losses.

According to Ponemon Institute’s 2020 Total Cost of a Data Breach Report, the average costs associated with a data breach top $8.6 million per incident for US-based companies. But this estimate comes with an asterisk. Ponemon finished collecting data for the report in April, just as many shelter-in-place mandates were being implemented to counter the outbreak.

Ponemon warns that large-scale remote working is likely to have increased breach costs by another $137,000 per incident. Yet as bad as that sounds, the financial and reputational damage can be far more calamitous. Just ask Facebook, Google, or any of the other businesses that have suffered breaches stemming from successful phishing attacks.

It doesn’t help that one in five employees fall for malicious emails, or that two-thirds of them will go on to provide credentials to the attackers. But you want to know the weirdest aspect about all this? When they aren’t clicking on actual phishing attacks, employees are forwarding legitimate emails—lots of them—to the SOC team for fear they’re fraudulent.

According to the organizations in our survey, employee-reported phishing incidents topped 65,898 during the second half of 2020. The fact that 40,197 of them were ultimately deemed false positive means valuable time was wasted chasing down harmless emails while true phishing attacks remained active threats—increasing the chances of a costly breach.

Manual Reporting: Too Much and Never Enough

According to Ponemon, the average time-to-containment for breaches was already 280 days before the pandemic—and 76% of companies say remote working is likely to make this worse. But thankfully, it’s not all doom and gloom.

Client organizations in our survey report that automated response technologies are helping them prevent most infiltrations from ever happening, while collapsing time-to-containment for those that do—from weeks or months down to just minutes.

Out of 13,989 verified phishing emails reported during the second half of 2020, companies with automated phishing response processes successfully identified 19,239,914 additional email threats that were similar, or directly related, to those reported by employees.

After review, 972,347 of those were verified as malicious. That’s 88 times more verified malicious emails than those identified through manual reporting alone.

Organizations utilizing continuous detection and response (CDR) technologies that leverage shared threat intelligence fared even better. During the second half of 2020, these organizations identified more than 21,712 malicious messages beyond those detected through automated phishing response alone. And another 724 unique events were identified solely through these technologies.

Why is this so key? Because CDR helps sniff out latent threats that have evaded early detection through new forms of identity deception, dormant payloads, or “time-bombed” URLs that redirect only after they’ve been delivered to employee inboxes. By analyzing company-wide email metadata, these technologies forensically recognize and remove these email threats from all inboxes automatically.

Speed: Snatching Victory from the Jaws of Deceit

For organizations in our survey, the only thing better than sniffing out more phishing emails to avoid breaches is being able to do it faster.

During the second half of 2020, data from client organizations shows that legitimate phishing attacks reported by end users were remediated within 38 minutes through the aid of automated response technologies—which prioritize incidents based on potential impact to the organization and identifies all affected employees.

To put that into perspective, studies from Aberdeen show there’s a 30% chance of a first-user click on a malicious email within 60 seconds of delivery. With the social engineering tactics used in phishing attacks growing more cunning and efficacious by the day, “every last second counts” may be the understatement of the year.

To learn more about the phishing response survey and other email security trends, download your copy of the H1 2021 Email Fraud and Identity Deception Report.

Security Analyst Working In Operations Center

August 25, 2020 Crane Hassold

Employee-Reported Phishing Attacks Climb 65%, Clobbering SOC Teams

Scams related to COVID-19 helped fuel a 65% increase in employee-reported phishing attacks during the…

Agari Blog Image

October 3, 2019 Michael Cichon

Expect Increased SOC Costs from Jump in Employee-Reported Phishing Incidents

Awareness. Detection. Containment. Remediation. All necessary steps in the phishing incident response process for SOC…

Agari Blog Image

June 4, 2019 Michael Cichon

SOC Costs Double as Employee-Reported Phishing Surges 25%

A 25% spike in employee-reported phishing attacks during the first quarter of 2019 has increased…

mobile image