To address this need, ACID has established a classification system for cyber threats, a threat taxonomy, that breaks down common email-based attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy will help readers understand the terms used in this report and what they mean for email security.
For more information about the Agari Threat Taxonomy, see agari.com/taxonomy
Because email fraud centers on identity deception, the impersonation of trusted senders in order to con recipients, we start with the method by which the impostor impersonates the trusted sender's email account so that the messages appear to originate from the trusted party.
Generally speaking, we observe three primary ways in which cybercriminals impersonate an email account:
LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that closely resembles the legitimate domain he or she is seeking to impersonate, typically by swapping, dropping, or substituting a visually similar character. Look-alike domains are distinguished from domain spoofing, in which the attacker places the impersonated identity's actual email address, on its real domain, in the "From" header, usually paired with a plausible display name such as "Company Customer Service." Email authentication standards such as DMARC can be used by a domain owner to prevent spoofing of the domain, but they are still not widely adopted by all businesses. Note that DMARC does nothing against a look-alike domain, since the attacker owns that domain and can configure its authentication to pass.
DISPLAY NAME DECEPTION: This happens when the cybercriminal puts the name of the impersonated individual or brand in the display-name portion of the "From" header while the actual sending address is an account on Gmail, Yahoo, or another free cloud-based email platform. Because many mail clients, especially on mobile devices, show only the display name, the recipient sees the trusted name and not the unfamiliar address. These are also known as "friendly from" attacks.
COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that has already been compromised, assuming both the identity and the actual email account of the impersonated individual or brand. Because these messages come from the genuine mailbox and pass email authentication, this is the most dangerous threat of all.
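The three impersonation methods above can be separated by looking at a message's "From" header together with the receiving mail server's authentication verdict. The following Python script is an added example, not code from the report or from Agari, showing one way to triage a message into the taxonomy: a trusted domain that fails DMARC is domain spoofing, a domain that is a small edit or a confusable-character substitution away from a trusted one is a look-alike, and a trusted person's name on an unrelated address is display name deception. The trusted domain `example.com`, the display names, the confusable-character table, and the sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical reference data for the organization being protected (assumption,
# not from the report): its legitimate domain and the people/brands an attacker
# would want to impersonate.
TRUSTED_DOMAINS = {"example.com"}
TRUSTED_DISPLAY_NAMES = {"jane doe", "example customer service"}

# A few confusable substitutions commonly used in look-alike registrations
# (assumed list for the example; a production table would be much larger).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]


def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain):
    """Collapse confusable sequences so 'exarnp1e.com' compares equal to 'example.com'."""
    s = domain.lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def dmarc_result(msg):
    """Extract the DMARC verdict from the receiving MTA's Authentication-Results
    header (RFC 8601 syntax); None if the header or the verdict is absent."""
    m = re.search(r"\bdmarc=(pass|fail|none)\b", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else None


def classify_from(raw_message):
    """Return (category, detail) naming the identity-deception technique, if any,
    visible in the message's From header."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    name_key = " ".join(display_name.lower().split())

    # 1. The address claims a trusted domain: genuine or spoofed depends on DMARC.
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + d) for d in TRUSTED_DOMAINS):
        verdict = dmarc_result(msg)
        if verdict == "pass":
            return ("authenticated", "trusted domain passed DMARC; a suspicious request "
                                     "here points at a compromised account")
        if verdict == "fail":
            return ("domain_spoofing", f"From domain {domain} failed DMARC")
        return ("unverified", f"trusted domain {domain} but no DMARC verdict")

    # 2. The domain is a near miss of a trusted one: look-alike registration.
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted) or levenshtein(domain, trusted) <= 2:
            return ("lookalike_domain", f"{domain} resembles {trusted}")

    # 3. A trusted name on an unrelated (often freemail) address.
    if name_key in TRUSTED_DISPLAY_NAMES:
        return ("display_name_deception", f"'{display_name}' sent from {domain}")

    return ("no_indicator", f"{domain} is not a known identity")


# Constructed sample messages, one per taxonomy entry (not real captures).
SAMPLES = {
    "spoofed": ("From: Example Customer Service <service@example.com>\n"
                "Authentication-Results: mx.receiver.test; spf=fail smtp.mailfrom=example.com;"
                " dkim=none; dmarc=fail header.from=example.com\n"
                "Subject: Update your payment details\n\nPlease confirm your card on file.\n"),
    "lookalike": ("From: Jane Doe <jane.doe@exarnple.com>\n"
                  "Authentication-Results: mx.receiver.test; dmarc=pass header.from=exarnple.com\n"
                  "Subject: Urgent wire\n\nI need a transfer processed today.\n"),
    "display_name": ("From: Jane Doe <janedoe.ceo1234@gmail.com>\n"
                     "Subject: Are you at your desk?\n\nCall me when you see this.\n"),
    "authenticated": ("From: Jane Doe <jane.doe@example.com>\n"
                      "Authentication-Results: mx.receiver.test; dmarc=pass header.from=example.com\n"
                      "Subject: Q3 numbers\n\nAttached for review.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        category, detail = classify_from(raw)
        print(f"{label:14s} -> {category:24s} {detail}")
```

Two caveats a practitioner would apply before relying on this: the Authentication-Results header is only trustworthy if your own inbound gateway wrote it and strips any copy an outside sender supplied, and an edit-distance threshold of 2 is loose for short domains, so a real deployment would tune it per trusted domain and add a much fuller confusables table. Note also that the look-alike message passes DMARC, as the report's point about look-alikes implies, which is why that check has to come after the trusted-domain test rather than rely on authentication at all.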
Different types or classes of attacks will entail different elements of this taxonomy.
A business email compromise (BEC) attack, for instance, can involve an impostor who impersonates a trusted individual or brand using a look-alike domain, display name deception, or in the worst cases a compromised legitimate account, and who leverages sophisticated social engineering to send highly personalized messages. Impersonated individuals may be executives within the target's own company, or an outside vendor or partner company. A BEC attack is targeted and relies on the con alone, with no URL or attachment.
By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone into clicking on a malicious link that captures their username and password. When attacking businesses, display name deception is typically the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.