Needless to say, 2020 will rewrite the record books. With successful phishing and business email compromise (BEC) scams growing less reliant on technical
acumen than on savvy social engineering, email threat actors rang in the year with every reason to expect outlandish profits ahead. Then came COVID-19. In
the blink of an eye, the email attack surface ballooned to include tens of millions of corporate employees working from home. As substantiated in this mid-year
analysis from the Agari Cyber Intelligence Division (ACID), the pandemic became the go-to pretext for attackers bent on exploiting a period of unprecedented
angst. And it shows: By mid-May, the FBI reported the total volume of phishing and BEC emails exceeded all of 2019. Which means last year’s staggering $8.6
billion in potential business losses from advanced email threats may pale in comparison to 2020’s final tally.
COVID-themed attack volume remained relatively steady from mid-March through early June, before trailing off. Yet while the COVID drumbeat has died down,
the same BEC riffs play on. With 70% of BEC attacks launched from free webmail accounts, a dramatic increase from 54% during Q4 2019, attackers are putting
a premium on speed and flexibility with these temporary, disposable assets. Meanwhile, gift cards continue to be the preferred form of payment in BEC ploys,
resulting in the number of payroll diversion attacks decreasing to 13% of the total, compared to 25% at the end of last year.
Anxious employees armed with tools to report suspect emails walloped Security Operations Centers (SOCs) with more incidents to analyze, triage, and remediate
than they could possibly manage. As captured in our H2 2020 ACID Phishing Response Survey of 13 large organizations in a mix of industries, this chronic
challenge was further aggravated by a 67% false positive rate. Organizations deploying advanced phishing response workflows to identify the full scope of
phishing attacks, however, detected and remediated 90X more verified malicious emails connected or similar to those submitted by employees—a 100% increase
from our last report.
The first half of 2020 saw an additional 25 companies within the Fortune 500 adopt Domain-based Message Authentication, Reporting, and
Conformance (DMARC)—bringing the total to 20% of all organizations within the index. Yet while salutary, that means 80% of the nation’s largest companies
remain susceptible to cybercriminals seeking to hijack their domains for use in phishing-based brand impersonation attacks that put their customers at risk of
significant financial damage. More encouraging: the 3,800% increase in brands adopting Brand Indicators for Message Identification (BIMI) within just the last six
The intelligence presented in this report reflects data captured via the following sources from January 1 through June 30, 2020:
ACID is the only counterintelligence research team dedicated to worldwide BEC and spear-phishing investigations and the identity deception tactics, criminal group dynamics, and other relevant trends behind today’s most advanced email threats. Created by Agari in 2018, ACID helps to mitigate cybercriminal activity by working with law enforcement and other trusted partners.