The Agari Cyber Intelligence Division analyzed trillions of emails and nearly 500 million Internet domains to uncover the scope and impact of this email fraud… and the trends that benchmark enterprise security teams’ ability to respond to email threats.

This report delivers data and key findings, including:

  • How the average dollar amount demanded in Vendor Email Compromise (VEC) attacks continue to increase.BEC Attack Type Assets
  • Why a deluge of phishing attacks has increased the urgency for security teams to respond effectively… even though nearly two-thirds of employee reports are false positives that exacerbate the SOC’s resource challenges.
  • Why a steady increase in DMARC and BIMI adoption is good news for brands and consumers… and which industry and geographic sectors continue to lag in adopting these key security controls.DMARC Enforcement Rates by Industry
Make sure you’re armed with this essential data and intelligence. Download the “Email Fraud & Identity Deception Trends” report today.


Phishing Response Trends

Key Findings
  • 65,898
    The total number of potential phishing attacks reported by employees at large organizations participating in our survey during the second half of 2020
  • 61%
    More than 6 in 10 suspect emails reported by employees are ultimately deemed non-malicious
  • 88X
    Organizations with automated phishing response processes detect 88X the number of similar malicious messages exclusively reported by employees
  • 21,712
    The number of latent email threats detected and removed via continuous detection and response (CDR) capabilities that would have otherwise gone undetected post-delivery

Phishing Response Pressures Escalate
Employee-Reported Phishing Attacks Battering Overburdened SOCs

Evidence is mounting that Security Operations Center (SOC) teams may be buckling under an avalanche of phishing attacks both real and imagined. Even before work-from-home mandates, phishing was implicated in as much as 67% of all corporate data breaches, according to Verizon’s 2020 Data Breach Investigations Report (VDBIR). And while Ponemon Institute’s 2020 Total Cost of a Data Breach Report estimates an average $8.6 million13 in costs per incident for US-based companies, the organization finished collecting data in April14. It warns remote working amid the pandemic is likely to increase that amount by another $137,000 per breach15. It didn’t help that during the second half of 2020, anxious employees swamped already resource-constrained SOC teams with a title wave of suspected phishing incidents—most of which were ultimately deemed false positives. But organizations employing automated response technologies report were able to neutralize unreported threats while accelerating time-to-containment.

Inside the ACID H1 2021 Phishing Incident Response Survey

For this report, ACID researchers analyzed data from large organizations with an average of 21,000 employees in industries such as high-tech, healthcare, agriculture, construction, retail, energy, and more. The objective is to gain insights on reported incident volumes, false positive rates, and the impact of automation on the investigation and remediation of email threats from July through December 2020. This section of the H1 2021 Email Fraud and Identity Deception Trends Report features our analysis of these conversations.

The False Positive Rate on Employee-Reported Phishing Incidents

Our mass experiment in working remotely via home Internet connections and personal computers has provided email threat actors with whole new avenues to potentially infiltrate corporate networks. It doesn’t help that one-in-five employees fall for malicious emails and two-thirds16 of them will go on to provide credentials to the fraudsters, according to a report from Microsoft. The really weird aspect about this: When they aren’t clicking on actual phishing attacks, they’re forwarding legitimate emails—a lot of them—to the SOC team for fear they’re fraudulent. According to large client organizations participating in our H1 2021 Phishing Incident Response Survey, employee-reported phishing incidents topped 65,898 during the second half of the year. Unfortunately, 61% of them were ultimately found to be false positives. Which means SOC analysts were forced to spend valuable time investigating and resolving them—even as time-to containment of true breaches and attacks grows longer and more costly.

Manual Employee Incident Reporting: Too Much & Never Enough

Each minute wasted chasing down false positives means another minute a legitimate phishing email remains an active threat, increasing the chances it will lead to a data breach. According to Ponemon Institute, the average time to containment was already 280 days before the pandemic. And 76% of companies say remote working is likely to make that worse. But according to the organizations in our survey, automation is proving critical to preventing these kinds of infiltrations from ever happening—and collapsing time-to-containment from weeks or months down to just minutes for those that do. This is in part because on average, automated processes enable them to uncover far more attacks than those reported by employees.

The Number of Additional Malicious Emails Detected Through Automated Response

Organizations in our survey report automated phishing response detects 88X more email threats than manual processes alone. Out of 13,986 verified phishing emails reported during the second half of 2020, companies with automated phishing response processes successfully identified 972,347 additional email threats that were similar, or directly related, to those reported by employees. Automating tasks associated with analysis and triage are credited as being central to achieving increased efficiencies and savings while avoiding breach costs.


Malicious Phish Reports


All Similar Messages Found


Similar Messages Confirmed Malicious


Discovery Factor

Continuous Detection and Response
Detecting and Removing Additional, Latent Email Threats

Additional Email Threats Neutralized Through CDR—a 4X Increase Over June 2020

Organizations in our survey report that continuous detection and response (CDR) technologies leveraging shared threat intelligence identified more than 21,712 malicious messages beyond those detected through automated phishing response alone. That’s a 4X increase over the previous six month period. Additionally, 724 unique events identified solely through these technologies. At their most essential, CDR technologies identify latent threats that have evaded detection through new identity deception techniques, dormant payloads, or “time-bombed” URLs that redirect only after they’ve been delivered to the target’s inbox. By analyzing company-wide email metadata, these technologies forensically recognize and remove email threats from all inboxes automatically.

38 Minutes
Average Remediation Time on Reported Phishing Attack Using Automation

According to survey participants, legitimate phishing attacks reported by end users are remediated within 38 minutes with the aid of automated response technologies that prioritize incidents based on potential impact to the organization and the identification of all affected employees. To put the importance of this kind of capability into perspective, studies from Aberdeen show there’s a 30% chance of a first-user click on a malicious email within 60 seconds of delivery, with a median time-to-first-click on malicious emails of just 134 seconds.

Close button
Mail Letter

Would you like the confidence to trust your inbox?