Phishing and other email-based attacks may rank among the oldest tricks in the fraudster playbook, but they remain a distressingly effective way for cybercriminals to bilk businesses, their employees, customers, and the public at large out of billions. But they’re also far from static. Data captured in the latest quarterly analysis from the Agari Cyber Intelligence Division (ACID) substantiates how business email compromise (BEC), consumer-targeted brand impersonation scams, and other advanced email threats continue to mutate, switching up tactics to throw targets off-guard, even while retrofitting the tried-and-true in inventive new ways to boost their profits.
Phishing campaigns employing identity deception techniques impersonating trusted brands or individuals accounted for 64% of all advanced email attacks from July through September 2019. However, while these numbers are up in the aggregate, the composition of these deceptions is in flux. During the third quarter of 2019, the number of phishing campaigns impersonating brands dropped slightly. At the same time, email attacks impersonating individuals hit 22%, compared to just 12% in the previous quarter. While malicious emails impersonating well-known brands are generally associated with credentials-harvesting schemes, those spoofing trusted individuals are typically linked to more sophisticated, social engineering-based BEC attacks.
Employee-reported phishing incidents rose 6% during the second quarter, to more than 35,108 annually, while the number of false positives among those reports rose 7%. According to the Q4 ACID Phishing Incident Response Survey of professionals at 460 organizations with 1,000+ employees, the time needed to triage, investigate, and remediate each incident, including a larger number of false positives, rose by more than an hour per incident, a 14% increase, in the last three months. And while the average number of SOC analysts increased to 16.9 per organization, increasing employee-related phishing incidents pushed the gap between the number of analysts needed to handle these volumes up 23%.
ACID analyzed 8,244,356 domains with valid Domain-based Message Authentication, Reporting, and Conformance (DMARC) records as part of the largest ongoing study of DMARC adoption worldwide. The US and Germany remain leaders in the total number of domains with assigned DMARC records, with the US still #1 in the total percentage of domains with reject policies. Overall, adoption of the DMARC email authentication protocol is up 49% worldwide year-over-year. But most of the world’s most prominent corporations are still at risk from email-based brand impersonation scams targeting their customers, partners, and others.
The statistics presented here reflect information captured from the following sources from July through September.
ACID is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigations and the identity deception tactics, criminal group dynamics, and relevant trends behind these and other advanced email threats. Created by Agari in 2018, ACID helps to mitigate cybercriminal activity by working with law enforcement and other trusted partners.