62% of Phishing, Business Email Compromise (BEC) and Other Email Attacks Now Involve Display Name Deception—Microsoft, Amazon impersonated in majority of identity deception attacks
(Part 1 of 3)
Display name deception techniques are now used in a majority of business email compromise (BEC) scams and other advanced email attacks targeting a growing number companies, according to the Q4 2018 Email Fraud and Identity Deception Trends Report from Agari.
Based on Agari data captured from July through October, the report finds 62% of all email attacks against businesses now involve cybercriminals committing impersonation fraud by inserting the name of a trusted individual or brand into the “from sender” field of fraudulent emails sent via Yahoo, Gmail, or other cloud-
based email platforms.
The objective: fool recipients into coughing up login credentials or making payments for fraudulent invoices by creating the illusion that they are reacting to a trusted sender.
Some of these attacks include malicious links. Others hide malware in attachments. But the most pernicious involve nothing more than plaintext messages that are masterfully targeted and personalized for maximum effectiveness. And it’s proving to be well worth the effort.
The Scam is in the Mail
Indeed, the Agari report comes amid heightened concerns over BEC fraud and other email-based threats, thanks in part to an October filing from the SEC regarding a recent investigation involving nine publicly- traded companies that were swindled out of $100 million through such scams.
One of these companies made 14 separate wire transfers for fake invoices over the course of several weeks—racking up $45 million in losses. Another paid out $30 million. But how is it possible that these and so many other businesses can be bamboozled out of millions of dollars on multiple occasions through fraudulent email messages? You might be surprised.
The fact is, email remains the most vital communications and collaboration tool in business, bar none. And despite the rise of secure messaging services such as Slack and HipChat, 63% of corporate employees turn to email to send sensitive information.
But for all of this, email has a monumental security flaw: the ability for anyone to send messages claiming to be someone else. And it’s this lack of built-in authentication that has opened businesses to phishing, BEC cons, and other advanced mail attacks—resulting in more than $12.5 billion in losses over the last
Fraud on Display
So how are they pulling it off? According to the Q4 report, 54% of all display name deception attacks now involve fraudsters sending emails purporting to come from a well-known business brand.
Not only is Microsoft impersonated in nearly 36% of all attacks (Amazon is second, at nearly 27%), but the brand is impersonated in more than 70% of attacks against high-value executive targets such as C-suite executives.
Typically, socially-engineered ploys include fraudulent service updates, security alerts, and password resets designed to build a sense of urgency.
Meanwhile, 8% of display name attacks entail spoofing the identities of specific individuals—typically a key executive at the targeted company or one of its suppliers. Here, late day messages—”Are you still at your desk?” for instance—are very common. The fact that 59% of email is consumed on mobile devices helps to boost the effectiveness of these attacks.
Why? For one thing, most mobile email clients use only the display name as a default—not the full address. Recipients pressured to act quickly while out of the office may be less likely to dig further before reacting to messages that appear pressing.
Another 35% of email attacks captured in the report leveraged lookalike domains, where criminals register domains that are very similar to the ones they are spoofing. And then there is the still small but alarming 3% of email attacks stemming from hijacked accounts belonging to the individual being impersonated.
These compromised account-based schemes are by far the most difficult to ferret out. What’s more, the growing market for stolen email credentials on the dark web means this form of attack is likely to become more prominent—and more destructive—in coming months.
The rising volume and severity of new email attacks is unrelenting. As it stands now, nearly 6.5 billion fraudulent emails are sent each day. More than 92% of companies report being hit by targeted email attacks in just the last 12 months.
Yet it remains unclear how many businesses have implemented modern, machine learning-based technologies with the behavioral analytics capabilities needed to recognize even the most sophisticated plaintext email scams through analysis of the relationships between senders and receivers.
But that’s not all. As we’ll discuss in Part Two and Three of this series, as hard as these attacks can be on businesses, another group has it worse: your customers.
As you’ll see, what you don’t know about how cybercriminals are impersonating your own brand to scam consumers and businesses—including your customers—can lead to painful revenue losses, regulatory fines, damage to your brand reputation, and more.
To learn more about phishing, business email compromise (BEC) scams, and other advanced email threats, download a FREE copy of the Q4 2018 Email Fraud and Identity Deception Trends Report from Agari.