With the 2020 presidential primary season rapidly taking shape, analysis from the Agari research team finds 85% of the top candidates spanning both parties continue to rely on vulnerable email accounts that put their staff at risk from the same kind of phishing attacks that helped derail Hillary Clinton’s 2016 presidential bid. As this cycle gains speed, campaigns and their ever-changing ecosystems of advisors, pollsters, and policy analysts will only make easier targets for email attacks launched by nation-states and other operatives.
But others may be burned just as badly or worse, causing potentially irreparable harm to candidacies and even to our democracy. As of June 30, ACID analysis of domain data finds that of the leading candidates polling over 1%, only four of the candidates have DMARC records established for their domains with the policy that prevents the campaign or the candidate from being impersonated in email scams targeting donors, voters, reporters, and others. If the phishing and misinformation campaigns conducted by the world’s top threat actors during the last election cycle weren’t enough to prompt presidential candidates to take action, 2016 may prove to be just a warm-up act for the transgressions headed our way in 2020.
While wire transfers have long been the primary objective in BEC scams, gift cards have become the top cash-out tactic for fraudsters. During the second quarter of 2019, 65% of all BEC attacks observed by the ACID team prompted victims to purchase and send gift cards to the attacker. And 75% of the gift cards requested by BEC hustlers belong to only five brands: Google Play, Steam Wallet, Amazon, Apple iTunes and Walmart. This approach has key benefits to con artists, as gift cards represent a ready tool for laundering the proceeds of their crimes with little to no traceability. There is a downside, however, as the money attackers can net with each gift card is significantly less than what’s possible through wire transfers. Nonetheless, the growing prevalence of gift cards in BEC attacks indicates the ROI must outweigh the negatives.
Employee-reported phishing incidents rose 14% during the second quarter to more than 33,108 annually, according to the Q3 ACID Phishing Incident Response Survey of 175 professionals at 280 organizations with 1,000+ employees. During the same period, respondents to this quarter’s survey reported a 16% increase in the number of false positives, while the time needed to triage, investigate, and remediate rose 13% per incident. And while the average number of SOC analysts increased to 15.3 per organization, the gap between the number of analysts needed to handle these volumes grew by 22%.
For this report, ACID identified 7,044,371 domains with valid Domain-based Message Authentication, Reporting and Conformance (DMARC) records as part of the largest ongoing study of DMARC adoption worldwide. The United States and Germany remain leaders in the total number of domains with assigned DMARC records, but the US is still #1 in the total number of domains with records with reject policies. Overall, domains with DMARC records rose just 2% in the second quarter, leaving most of the world’s most prominent corporations at risk from email-based brand impersonation scams targeting their customers, partners, and other consumers and businesses. That includes a staggering 83% of the Fortune 500.
In this quarterly report, we examine trends in phishing and email fraud perpetrated against businesses and their customers.
Continuing a feature first introduced in our Q2 2019 report, this edition assesses current adoption rates for both email authentication and advanced email security among top candidates seeking their parties’ nominations heading into next year’s 2020 US presidential elections. This includes analysis of which campaigns may be most vulnerable to email-based impersonation fraud that can damage their candidates’ reputations, fundraising efforts, press coverage, and even national security.
The statistics presented here reflect information captured from the following sources from April through June 2019:
The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigations, identity deception tactics, criminal group dynamics, and relevant trends behind these and other advanced email threats. Created by Agari in 2018, ACID helps to mitigate cybercriminal activity by working with law enforcement and other trusted partners.