The Agari Cyber Intelligence Division analyzed trillions of emails and nearly 500 million Internet domains to uncover the scope and impact of this email fraud… and the trends that benchmark enterprise security teams’ ability to respond to email threats.

This report delivers data and key findings, including:

  • How the average dollar amount demanded in Vendor Email Compromise (VEC) attacks continues to increase.
  • Why a deluge of phishing attacks has increased the urgency for security teams to respond effectively… even though nearly two-thirds of employee reports are false positives that exacerbate the SOC’s resource challenges.
  • Why a steady increase in DMARC and BIMI adoption is good news for brands and consumers… and which industry and geographic sectors continue to lag in adopting these key security controls.
Make sure you’re armed with this essential data and intelligence. Download the “Email Fraud & Identity Deception Trends” report today.


Employee Phishing and Business Email Compromise Trends

Key Findings
  • $809,000
    The average amount targeted in “capital call” scams—an emerging form of BEC in which fraud rings request funds from investors who’ve committed money toward a specific investment
  • 7X
    The difference in average amounts sought in capital call payment scams and the $72,000 average targeted in wire payment fraud schemes in the second half of 2020
  • 333%
    The percentage increase in the number of payroll diversion scams since July 2020

Bigger Phish Making a Splash in BEC
Sophisticated New Threat Actors Signal Dire Consequences Ahead

SolarWinds was just a warm-up act. According to industry studies, 80% of firms⁵ report a sharp rise in cyberattacks during 2020—the vast majority of them phishing attacks and other advanced email threats. Business email compromise (BEC) alone has led to nearly $30 billion⁶ in direct financial losses since 2016, and it’s getting worse. During the second half of 2020, ACID researchers uncovered a troubling rise in well-funded eastern European crime syndicates piloting new forms of BEC. With 57% of US employees still working from home and hamstrung by housebound children, frustrating vaccine rollouts, and an endless number of other distractions, threat actors appear to be finding plentiful targets for a new wave of socially-engineered email threats that could cost companies plenty.

Big Spike in Average Amount Targeted in BEC, Driven by 2 Big Trends

In November, a dramatic increase in the average amount of money targeted in BEC attacks was tracked back to two primary causes. The first was the resurgence of the BEC threat group we’ve dubbed Cosmic Lynx⁷, which switched up its pandemic-related tactics to include references to COVID-19 vaccines. More worrisome: The group has also started requesting recipients’ phone numbers in its emails to redirect the conversation to phone communications. The second driver behind the surge in the amounts sought in BEC scams is a potent new pretext used by threat actors—capital call investment payments. Generally speaking, capital calls are transactions that occur when an investment or insurance firm seeks a portion of money promised by an investor for a specific investment vehicle. In emails to targets, BEC actors masquerade as a firm requesting funds to be transferred in accordance with an investment commitment. Because of the nature of such transactions, the payments requested are significantly higher than those sought in most wire transfer scams. The average payout targeted in capital call schemes: $809,000.

Accounts Deceivable: Aging Report Schemes Gain Traction

During this same period, our researchers also noted a significant increase in the number of BEC attacks requesting aging accounts receivable reports from targeted employees. While this particular form of BEC has been around for more than a year, it has represented a mere fraction of the total. In November, however, nearly 1 in 12 (7%) of all BEC scams our researchers observed requested an aging report. More disconcerting: While a large percentage of this increase can be attributed to the BEC group we call Ancient Tortoise⁸, we identified a growing number of other email campaigns coming from actors employing markedly different tactics—suggesting the exploitation of aging financial reports is being more widely adopted within the BEC ecosystem.

Like Vendor Email Compromise (VEC), aging report scams use compromised information from one organization in order to defraud another. Unlike VEC, however, they do not require the actual infiltration of an employee’s email account. Instead, the attacker impersonates a senior executive in emails requesting a copy of a recent aging accounts receivable report, which typically contains a list of all unpaid invoices and the names and email addresses of associated customer contacts. With this information in hand, attackers will then target the victim’s customers with requests for payment on overdue invoices to a new bank account.

Taken together, renewed activity from these two organizations is an ominous sign that highly-sophisticated threat actors are moving into an arena once dominated by loosely affiliated West African email crime rings. All while BEC groups of every stripe continue to establish new beachheads⁹ worldwide.

Hit Charade
Go-to Identity Deception Tactics Continue to Deliver for Email Crime Rings

Percentage of Phishing Emails Impersonating Trusted Brands

More than 6 in 10 malicious emails (62.6%) employing identity deception techniques involved display names designed to impersonate a well-known brand during the second half of 2020. This includes a significant number of phishing attacks impersonating Microsoft¹⁰, Amazon, Google, Facebook and others. In the majority of cases, these were coordinated campaigns designed to harvest login credentials from their targets.

1 in 5
Impersonation Attacks Pose as Specific Individuals

Just under a quarter (22%) of all impersonation attacks pose as a trusted individual, usually a senior executive within the recipient’s company or an outside vendor. As mentioned, a cunning new impersonation tactic involves posing as specific individuals conducting “capital calls” in emails requesting payment from recipients on funds committed toward an investment vehicle. In the case of the group we call Ancient Tortoise, ACID researchers have confirmed the threat actors are acquiring aging accounts receivable reports in order to target companies with requests for payment on legitimate overdue invoices.

BEC Breakout Session
Gift Cards Down But Still Dominant; Payroll Diversions Gain Traction

Potential Losses Grow as BEC Actors Seek Bigger Bounties

Gift cards continue to rank as the #1 choice for cash-outs in BEC scams, though they lost some altitude during the second half of 2020. In Q3, gift cards were requested in 71% of all BEC attacks. But in Q4, that figure dropped to 60%. Meanwhile, wire transfers continue to appeal to BEC actors, accounting for 22% of BEC schemes in H2 2020. The average amount sought in these attacks rose 8%—boosted by those six-figure capital call scams, as well as a minimum request amount of $2,600.

Amount Requested Per BEC Attack Type

Payroll Diversion Scams on the Rise for Six Straight Months

While payroll diversion ruses made up just 10% of all BEC scams throughout the last half of 2020, we saw some notable upward movement in these attacks throughout this six-month period. In fact, the number of fraudulent requests to change the employee bank accounts used for direct deposit has increased for six straight months. The fact that 7 in 10 corporate employees are working remotely—including more than 15 million¹¹ who have moved across town, to nearby cities, or to far-flung Zoom towns during the first six months of the pandemic—may have given this pretext added believability. The steady increase in incidents suggests it’s working.

eBay Still #1 in Gift Card Scams, But Shifts May Be Underway

Maybe we should blame it on Pokémon¹². Online marketplace eBay continues to be the most favored gift card sought in BEC attacks. During the second half of 2020, eBay accounted for nearly 1 in 4 (24.1%) gift cards requested by email scammers, followed most closely by Google Play (15.5%), iTunes (11.7%), and Amazon (10.8%). But during the fourth quarter, ACID researchers saw a significant increase in the number of scams seeking American Express, Visa, and OneVanilla gift cards. BEC actors have traditionally requested brand-specific gift cards with an eye toward the online cryptocurrency exchange market, where the cards can be sold at some portion of their face value. This new shift may suggest cybercriminals are gravitating toward cash equivalents that can be used to make purchases of virtually any kind, online and off, at full face value.

Percentage of BEC Scams Using Free Webmail Accounts

During the second half of 2020, more than three-quarters (77%) of all BEC attacks were sent from a free webmail account—up 17% from January 2020.

Gmail Continues to Be Top Platform for BEC Attackers

Google’s Gmail remains the most weaponized email platform, accounting for 61% of BEC emails sent via free webmail accounts. That’s up from 43% in June 2020, nearly double the number seen last January (35%).

1 in 4
BEC Attacks Leverage Lookalike Domains

Meanwhile, 23%, or nearly 1 in 4, BEC attacks are sent from a domain registered by the attackers. Nearly two-thirds of these domains are registered with just three public domain registrars:

  • Namecheap (29%)
  • PDR (20%)
  • Google (9%)
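
The sender-side traits described in this report (an executive's display name on an outside address, a free webmail sender, a lookalike domain, and the aging report, capital call, payroll and gift card pretexts) can be combined into a simple triage check. The following is an added example, not code from the report or from Agari; the company domain, executive names, webmail list, phrase list and similarity threshold are all constructed assumptions.

```python
import difflib
from email.utils import parseaddr

# All values below are constructed for illustration, not taken from the report.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana whitfield", "lee okafor"}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
PRETEXTS = {
    "aging_report": ("aging report", "accounts receivable"),
    "capital_call": ("capital call",),
    "payroll_diversion": ("direct deposit", "payroll"),
    "gift_card": ("gift card",),
}

def is_internal(domain, legit=COMPANY_DOMAIN):
    """True for the organization's own domain and its subdomains."""
    return domain == legit or domain.endswith("." + legit)

def is_lookalike(domain, legit=COMPANY_DOMAIN, threshold=0.85):
    """Near-miss of the legitimate domain, but not the domain itself."""
    if is_internal(domain, legit):
        return False
    return difflib.SequenceMatcher(None, domain, legit).ratio() >= threshold

def flag_message(from_header, subject, body):
    """Return the set of BEC indicators found in one message."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = set()
    # Display-name deception: a known executive's name on an outside address.
    if display.strip().lower() in EXECUTIVES and not is_internal(domain):
        flags.add("exec_display_name_external_sender")
    if domain in FREE_WEBMAIL:
        flags.add("free_webmail_sender")
    if is_lookalike(domain):
        flags.add("lookalike_domain")
    # Pretext phrases matching the BEC request types covered above.
    text = f"{subject} {body}".lower()
    for name, phrases in PRETEXTS.items():
        if any(p in text for p in phrases):
            flags.add("pretext:" + name)
    return flags

if __name__ == "__main__":
    # Constructed sample message.
    print(flag_message("Dana Whitfield <dwhitfield.ceo@gmail.com>",
                       "Quick request", "Please send me the latest aging report."))
```

A message carrying both a sender-side flag and a pretext flag is a stronger candidate for review than either alone, since pretext phrases also appear in legitimate finance mail.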
