Our quarterly analysis finds that business email compromise and brand impersonation scams continue to evolve at a relentless pace, and could even put major US presidential candidates at risk.

Download the report for our latest statistics, including:

  • Nearly 30% of BEC attacks now originate from compromised accounts
  • Employee-reported phishing attacks reaching SOCs surge 25%
  • DMARC adoption rises, but 90% of the Fortune 500 are still unprotected
  • Over 90% of current presidential candidates remain unprotected against email threats


Key Terms
A Taxonomy of Advanced Email Threats

With rising levels of cybercrime posing a serious threat to individuals, businesses, and governments, it is vitally important to codify a consistent set of terms to describe the different challenges that characterize this threat landscape. Not every email scam is a “phishing attack,” for instance.

To address this need, ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy will help readers understand the terms used in this report and what they mean to email security.


For more information about the Agari Threat Taxonomy, see agari.com/taxonomy

Because email fraud centers on identity deception (the impersonation of trusted senders in order to con recipients), we start with the method by which the impostor impersonates the trusted sender’s email account, making it appear as if the emails the impostor sends originate from the trusted party.

Leading Attack Modalities

Generally speaking, we observe three primary ways in which cybercriminals impersonate an email account:

LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that is very similar to the legitimate domain he or she is seeking to impersonate. Look-alike domains are distinguished from domain spoofing, in which the attacker uses the actual email address of the impersonated identity in the “From” header, for example, “Company Customer Service.” Email authentication standards such as DMARC can be used by a domain owner to prevent spoofing of the domain, but are still not widely adopted by businesses.

DISPLAY NAME DECEPTION: This happens when the cybercriminal inserts the name of the impersonated individual or brand into the “From” field within Gmail, Yahoo, or another free cloud-based email platform. These are also known as “friendly from” attacks.


COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that’s already been compromised, assuming the identity and the actual email account of the impersonated individual or brand. This is the most dangerous threat of all.
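From a defender's side, the first two modalities can be partly told apart using the “From” header and the receiver's DMARC verdict. The Python sketch below is an added example, not part of the report: the protected domain, trusted names, distance threshold and sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed assumptions: the domain and display names being protected,
# and how many character edits still count as a "look-alike".
PROTECTED_DOMAIN = "example.com"
TRUSTED_NAMES = {"jane doe", "example customer service"}
MAX_LOOKALIKE_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag near-miss (look-alike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, dmarc_pass: bool) -> str:
    """Map a From header plus the receiver's DMARC verdict to a modality."""
    name, addr = parseaddr(from_header)
    name = " ".join(name.lower().split())
    domain = addr.rpartition("@")[2].lower()
    if domain == PROTECTED_DOMAIN:
        # Exact domain in From. Mail that passes DMARC is either legitimate or
        # sent from a compromised account; headers alone cannot separate those.
        return "authenticated" if dmarc_pass else "domain_spoofing"
    if 0 < edit_distance(domain, PROTECTED_DOMAIN) <= MAX_LOOKALIKE_DISTANCE:
        # ASCII near-misses only; homoglyph/IDN variants need extra handling.
        return "look_alike_domain"
    if name in TRUSTED_NAMES:
        # Trusted name on an unrelated (often free webmail) address.
        return "display_name_deception"
    return "no_impersonation_signal"


# Constructed sample headers with the DMARC result a receiver would report.
SAMPLES = [
    ("Example Customer Service <service@example.com>", False),
    ("Example Customer Service <service@examp1e.com>", True),
    ("Jane Doe <jd.office@gmail.com>", True),
]

if __name__ == "__main__":
    for header, dmarc_ok in SAMPLES:
        print(f"{classify_sender(header, dmarc_ok):24} {header}")
```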

Different types or classes of attacks will entail different elements of this taxonomy.

A business email compromise (BEC) attack, for instance, can involve an impostor who aims to impersonate a trusted individual or brand using a look-alike domain, display name deception, or in the worst cases, a compromised legitimate account, leveraging sophisticated social engineering tactics to send highly personalized attacks. Impersonated individuals may be executives within the target’s own company, or an outside vendor or partner company. A BEC attack is targeted and uses a con with no URL or attachment.

By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone into clicking on a malicious link that captures their username and password. When attacking businesses, display name deception is typically the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.
