Our quarterly analysis finds that business email compromise and brand impersonation scams continue to evolve at a relentless pace, and could even put major US presidential candidates at risk.

Download the report for our latest statistics, including:

  • Nearly 30% of BEC attacks now originate from compromised accounts
  • Employee-reported phishing attacks reaching SOCs surge 25%
  • DMARC adoption rises, but 90% of the Fortune 500 are still unprotected
  • Over 90% of current presidential candidates remain unprotected against email threats


Employee Phishing and Business Email Compromise (BEC)

Key Findings

An unfortunate increase of 35% means that 27% of advanced email attacks spawn from compromised accounts of trusted individuals and brands.

When targeting execs and high-value employees, attackers moved decisively to impersonating specific individuals in 37% of all email attacks, versus previous trends of impersonating common brands.

As a sign of growing sophistication and targeting inherent to BEC attacks, 20% of deceptive emails observed were personalized to include the name of the recipient in order to make them seem more legitimate.

Patterns of Deceit
Attacks from Compromised Accounts Continue to Surge

More than a quarter of advanced email attacks are now launched from the compromised accounts of trusted individuals and brands—up 26% in just ninety days.

‘From’ Line Fraudsters: Identity Deception Tactics are Evolving Fast

Today, 53% of all phishing attacks employing identity-deception tactics use a display name intended to impersonate a trusted individual or brand in order to defraud an outside supplier, a customer, or other businesses—down from 63% in the previous quarter.

In most cases, attackers favor impersonating trusted brands at 34% over individuals at 19% of all attacks. But while both of these tactics attempt to deceive a recipient by impersonating a known entity, the purpose is typically very different for each.

Generally speaking, malicious emails that impersonate trusted brands are associated with credentials-harvesting attacks, while phishing emails spoofing specific individuals are typically linked to socially-engineered, recipient response-oriented attacks such as BEC or executive spoof scams.


The thing that is most notable this quarter is the continued increase in the use of compromised email accounts. From January through March 2019, 27% of all identity-deception attacks were launched from the compromised email account of a trusted individual or brand. That’s up from 20% in just three months, making this the second-most frequent type of identity-deception technique.

Legitimate email accounts that have been taken over by scammers can be a crushingly effective way to distribute phishing emails because they are, in a sense, trusted—allowing them to bypass mail filters more easily. The impact of this attack type cannot be overstated.

Attacks launched from compromised email accounts are by far the hardest to detect and disrupt, making them a serious vulnerability for the account’s legitimate owner and the companies involved. Indeed, a successful account takeover does not just give fraudsters the ability to impersonate the account’s owner. It also gives them access to the individual’s contacts, ongoing email conversations, and historical email archives—making it possible to craft new scams made all the more galling by their extraordinary personalization and crushing effectiveness.

Meanwhile, the remaining 20% of identity-deception emails use look-alike domains to send malicious content. While some of these domains can be simply spoofed and sent using basic mailing tools, many are actual domains registered by phishing threat actors.

C-Suite Phishing Trends
High-Value Executives See Rise in Identity Deception Attacks Impersonating Individuals

During the first quarter of 2019, display name deception used to impersonate specific individuals was used in 37% of all email attacks targeting senior executives, compared to just 19% in overall malicious email campaigns.

The distribution of tactics used in phishing attacks diverges significantly from those used when targeting other employees. During the first quarter, display name deception used to impersonate specific individuals, the least common tactic among malicious emails overall, was used in the majority of phishing emails targeting the high-level executives. This dichotomy is driven by BEC scams that target CFOs and other financial executives with malicious emails appearing to be sent from an executive like the CEO, making this one of the most pernicious cyberthreats facing the enterprise.


For more information on how cybercriminals target the C-level, see agari.com/londonblue

C-Suite Phishing Trends
The Use of Free Accounts, Look-alike Domains, and Personalization

This past quarter, the Agari Cyber Intelligence Division took an in-depth look at the tactics used by threat actors in BEC campaigns, one of the costliest forms of phishing attacks businesses face today.

67% of Attacks are Launched from Free Webmail Accounts

What makes today’s BEC campaigns so dangerous is that they can exact eye-popping returns with very little effort or overhead. Because emails used in these attacks do not contain malicious links or payloads, they easily bypass most common security controls in use today.

And in the vast majority of cases, BEC attackers use free and temporary email accounts to launch their campaigns. In fact, our data shows that two-thirds (67%) of BEC emails are sent from an easily-acquired webmail account.


In the first quarter of this year, the most commonly used email provider in these attacks was Roadrunner (rr.com), accounting for 15% of all BEC campaigns. AOL and Gmail ranked as the second and third most commonly used webmail providers for creating accounts used to send BEC phishing emails.

The Advantages of Look-alike Domains in BEC Scams

Twenty-eight percent of BEC campaigns in the first quarter were sent from email accounts hosted on a domain registered by the attacker. While there is usually a cost associated with registering a domain, the ability to create a more authentic-looking email address for use in attacks is worth the price for some.

Meanwhile, compromised email accounts belonging to other individuals or brands accounted for the remaining 5% of BEC attacks.

Regardless of the point of origin, the display name used in these attacks is almost always changed to impersonate a senior executive at target organizations.


Top 10 Subject Lines for Business Email Compromise Scams

Curious what a business email compromise scam actually looks like? In most cases, the initial email in a BEC attack is very brief and designed to elicit a response from a targeted recipient.

Similarly, the subject lines of BEC emails are frequently very generic, so as not to arouse suspicion. But they nearly always contain specific keywords meant to generate urgency.

In fact, 1 in 4 BEC emails observed over the past three months contained one of three words in the subject line: Quick, Request, or Urgent.


A Growing Number of BEC Emails are Personalized

Today, 20% of BEC emails are personalized to include the name of the recipient in order to make them seem more legitimate. Rather than receiving a completely generic message, referencing the target’s name serves to lower a recipient’s defenses and lessen the likelihood they’ll recognize the scam.

Personalization also demonstrates the level of reconnaissance some cybercriminal organizations conduct prior to launching their malicious campaigns.

Instead of simply scraping email addresses from company websites, some BEC groups curate target lists of specific financial executives for use in crafting these personalized messages.

Our previous research has shown that many BEC groups use legitimate commercial services to construct tailored queries and collect comprehensive contact information for financial executives around the world.


Close button
Mail Letter

Would you like the confidence to trust your inbox?