Get ahead of the attacks costing organizations around the globe billions in fraud losses. The H2 2020 Email Fraud and Identity Deception Trends report highlights current attack trends and provides insights including:

  • 66% of malicious emails employed identity deception tactics that impersonated well-known brands including the World Health Organization (WHO) and Centers for Disease Control (CDC).
  • SOC teams are rapidly becoming overwhelmed by a 67% false positive rate for employee-reported phishing incidents.
  • On average 90 undetected attacks make it to employee inboxes for every verified malicious email reported by an employee.

This new report by the Agari Cyber Intelligence Division is available now for immediate download.

Employee Phishing and Business Email Compromise Trends

  • +3,000%
    The percentage increase in COVID-themed phishing attacks beginning the week of March 8 and lasting through early June
  • 70%
    The increase in BEC scams launched from free webmail accounts, up from just 54% during the fourth quarter of 2019 — a 26% jump in just 180 days
  • 2/3
    Malicious emails employing identity deception tactics that impersonated wellknown brands—most notably the World Health Organization (WHO), the Centers for Disease Control (CDC), and others

Counterfeit Contagion
COVID-19 Becomes the Viral Engine for BEC Attacks in First Half of 2020

Scam artists have always sought to profit when crisis strikes. That includes malicious actors who refine phishing attacks to leverage national or global events–
few as consequential to the whole of humanity as the coronavirus pandemic. The gravity of the situation, and the emotional levers it made available to cyberswindlers, are reflected in data captured during the first half


Rise in COVID-Themed Phishing Attacks Mid-March Through Early June

Starting the week of March 8, the volume of COVID-themed phishing attacks saw explosive growth over levels seen at the beginning of February, as corporate
employees grappling with remote working, homebound children, concerns over the virus, and financial uncertainties were targeted in an unprecedented number
of socially-engineered attacks. The trajectory of these schemes and its correlation with Google search data related to the outbreak is remarkable and consistent—
bringing the symbiosis between events-driven anxieties and actions to exploit them into sharp relief. These coinciding trendlines remained relatively steady from
mid-March until early June, before trailing off by quarter’s end.

Bait and Phish
Identity Deception Makes the Most of the Lure du Jour


Phishing Emails Employing Identity Deception Impersonating Well-Known Brands

Two-thirds of malicious emails employing identity deception techniques involved display names designed to dupe recipients into believing the messages came from a well-known brand. This includes a significant number of phishing attacks impersonating the World Health Organization (WHO), the Centers for Disease Control (CDC), Microsoft, and others in massive credentials harvesting campaigns launched early in the coronavirus outbreak.


Percentage of Impersonation Attacks Posing as Trusted Individuals

During H1 2020, just under a quarter of all impersonation attacks masqueraded as trusted individuals, usually a senior executive within the recipient’s company or an outside vendor. The fraud group we call Ancient Tortoise, for instance, used COVID-19 as the pretext for changes to payment details when targeting companies in aging accounts receivable scams by posing as members of a supplier’s accounts receivables team. Another, a criminal organization we call Cosmic Lynx, is the first-reported BEC group operating out of Eastern Europe—suggesting socially-engineered email impersonations are expanding beyond their roots among West African email fraudsters.

BEC Breakout Session
Gift Cards Still King, But Requested Cash-Out Amounts Lose Altitude

Ubiquitous and easy to sell for pennies on the dollar in online cryptocurrency exchanges, gift cards are the preferred payment method in more than 67% of all BEC plays—up from 62% during the fourth quarter of 2019. During the same period, the number of payroll diversion attacks decreasing to 13% of the total, compared to 25% at the end of last year.


Maximum Requested in Wire Transfer Ploys During the First Half of 2020

Amounts requested in gift card ruses retreated to $1,348 on average, compared to nearly $1,600 at the end of 2019. Meanwhile, amounts sought in wire transfer schemes rose to an average $66,790, from $55,395 six months earlier. The maximum requested in a wire transfer attack observed by ACID so far this year: $1,555,770—up from $680,456.

Shifts Seen in Gift Cards Requested in BEC Heists During First Half

Popular online marketplace eBay has overtaken longtime fraudster favorite Google Play as the top gift card sought in BEC attacks. During the first half of the year, eBay accounted for 23% of all gift cards requested by email scammers—compared to just 5% last June. This change may reflect a glut in Google Play gift cards, or it could mark a shift toward cards for purchasing physical goods for direct use or for resale online.


Percentage of BEC Scams Using Free Webmail—Up More Than 10%

Our data shows that in the first half of 2020, nearly 70% of all BEC emails were sent from a free webmail account—a 10% increase in the last six months.


Gmail Remains The Most Weaponized Email Platform

Gmail accounts were used to launch 43% of all BEC scams, up from 35% since our last report.


BEC Emails Sent From Registered Lookalike Domains

Nearly 30% of BEC campaigns are launched from a domain registered by the attacker. Nearly two-thirds of these domains are registered with just three domain registrars:

  • PublicDomainRegister (28%)
  • Google (20%)
  • Namecheap (17%)

Close button
Mail Letter

Would you like the confidence to trust your inbox?