The dramatic changes of 2020 underscore the impact of phishing attacks such as Business Email Compromise (BEC) on businesses and consumers worldwide.

The Agari Cyber Intelligence Division analyzed trillions of emails and nearly 500 million Internet domains to uncover the scope and impact of this email fraud… and the trends that benchmark enterprise security teams’ ability to respond to email threats.

Featuring global insights from the Agari Identity Graph™, the H1 2021 edition of the “Email Fraud & Identity Deception Trends” report delivers data and key findings, including:

  • How increasing dollar amounts driven by Vendor Email Compromise (VEC) attacks continued the escalation of email fraud in 2020… and how cyber criminals increasingly look for liquid assets to convert into cryptocurrencies.
  • Why a deluge of phishing attacks has increased the urgency for security teams to respond effectively… even though nearly two-thirds of employee reports are false positives that exacerbate the SOC’s resource challenges.
  • Why a steady increase in DMARC and BIMI adoption is good news for brands and consumers… and which industry and geographic sectors continue to lag in adopting these key security controls.

Make sure you’re armed with this essential data and intelligence. Download the “H1 2021 Email Fraud & Identity Deception Trends” report today.

Executive Summary

Call it a case of locking the back window while leaving the front door wide open. A year into the pandemic and amid successful attacks on GoDaddy¹, Magellan Health², and a continuous stream of revelations about the SolarWinds “hack of the decade,” cyber-attackers are proving all too successful at circumventing the elaborate defenses erected against them³. But despite billions spent on perimeter and endpoint security, phishing and business email compromise (BEC) scams continue to be the primary attack vectors into organizations, often giving threat actors the toehold they need to wreak havoc. In addition to nearly $7.5 billion in direct losses each year, advanced email threats like the kind implicated in the SolarWinds case⁴ suggest the price tag could be much higher. As corroborated in this analysis from the Agari Cyber Intelligence Division (ACID), the success of these attacks is growing far less reliant on complex technology than on savvy social engineering ploys that easily evade most of the email defenses in use today.

Sophisticated New BEC Actors Signal Serious Consequences

Credential phishing accounted for 63% of all phishing attacks during the second half of 2020 as schemes related to COVID-19 gave way to a sharp rise in payroll diversion scams, as well as fraudulent Zoom, Microsoft and Amazon alerts targeting millions of corporate employees working from home. Meanwhile, the state-sponsored operatives behind the SolarWinds hack were just a few of the more sophisticated threat actors moving into vendor email compromise (VEC) and other forms of BEC. Emerging “capital call” payment scams, for instance, have targeted more than $800,000 in wire transfers—seven times the average $72,000 sought in most BEC attacks.


Employees Walloping SOCs with False Positives as True Threats Go Unnoticed

Amid the pandemic, a blistering threat landscape extending to each remote worker has Security Operations Centers (SOCs) buried under more employee-reported phishing emails than they can possibly handle. As our H1 2021 ACID Phishing Response Survey of aggregated client data reveals, the time-intensive tasks required to analyze, triage, and remediate these incidents are exacerbated by a staggering 61% false positive rate—even as more legitimate threats hit home. A welcome bright spot: Organizations leveraging advanced phishing response workflows report detecting and remediating 88X more verified malicious emails similar or connected to those submitted to employees.


5.8B Malicious Emails Spoofed Domains in H2; 76% of Fortune 500 Still at Risk

Global adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) leapt 32% during the second half of 2020. But during a six-month period that saw 5.8 billion malicious emails spoof corporate domains, the number of Fortune 500 companies to deploy DMARC rose only modestly—including a 4% increase in domains with DMARC set at its most aggressive level of enforcement. While any rise in that number is encouraging, it means 76% of the nation’s most prominent companies remain at risk of impersonation in phishing attacks targeting their customers and the general public. Far more promising: The 82% rise in the number of brands adopting Brand Indicators for Message Identification (BIMI) at a time when the email channel is more crucial than ever.


Inside This Report

The intelligence presented in this report reflects data captured via the following sources from July through December 2020:

  • Active defense engagements with cyber threat actors to gather intel about emerging BEC tactics and targets
  • Data extracted from trillions of emails analyzed and applied by Agari Identity Graph
  • DMARC-carrying domains identified among 426 million domains crawled worldwide
  • Incident data from SOC professionals in a survey of large enterprises averaging 21,000 employees and spanning multiple industries

Agari Cyber Intelligence Division (ACID) is the world’s only counterintelligence research group dedicated to business email compromise (BEC) investigation and cybercrime abatement. Since May 2019, ACID has conducted more than 12,000 active defense engagements with threat actors. ACID works closely with CISOs at global enterprises, law enforcement, and other trusted partners to stop identity-based phishing and socially-engineered cybercrimes.
