Get ahead of the attacks costing organizations around the globe billions in fraud losses. The H2 2020 Email Fraud and Identity Deception Trends report highlights current attack trends and provides insights including:

  • 66% of malicious emails employed identity deception tactics that impersonated well-known brands including the World Health Organization (WHO) and Centers for Disease Control (CDC).
  • SOC teams are rapidly becoming overwhelmed by a 67% false positive rate for employee-reported phishing incidents.
  • On average 90 undetected attacks make it to employee inboxes for every verified malicious email reported by an employee.

This new report by the Agari Cyber Intelligence Division is available now for immediate download.

Phishing Response Trends

  • 4,521
    The total number of potential phishing attacks reported by employees at 13 large organizations participating in our survey during the first half of 2020
  • 67%
    Nearly 7 in 10 suspect emails reported by employees are ultimately deemed non-malicious, up from 60% in just six months
  • 90X
    Organizations with automated phishing response processes detect 90X the number of similar malicious messages exclusively reported by employees
  • 5,553
    The number of latent email threats detected and removed via automated detection and response (CDR) capabilities that would have otherwise gone undetected post-delivery

Phishing Response Challenges Proliferate
Employee-Reported Phishing Attacks Vault Up 65%, Clobbering SOCs

Even before the coronavirus pandemic, phishing was implicated in up to 67% of all corporate data breaches, according to Verizon’s 2020 Data Breach Investigations Report (VDBIR). In the first half of 2020, employees empowered to report suspect emails in hopes of foiling new breaches ended up shellacking already overburdened Security Operations Center (SOC) teams with more incidents than they could possibly handle. But organizations employing automated response technologies were able to neutralize unreported threats while accelerating time-to-containment.

Inside the ACID H2 2020 Phishing Incident Response Survey

For this mid-year report, ACID researchers interviewed SOC professionals at 13 large organizations with operations spanning a cross-section of industries— including high-tech, healthcare, agriculture, construction, retail, and energy. The objective is to gain insights on reported incident volumes, false positive rates, and the impact of automation on the investigation and remediation of email threats from January through June, 2020. This section of the H2 2020 Email Fraud and Identity Deception Trends Report features our analysis of these conversations.


The False Positive Rate on Employee-Reported Phishing Incidents

According to a recent study from KnowBe4, one-third of all employees will click on a malicious link or obey a fraudulent email request in phishing simulations. Apparently, these recipients must be sending all of their legitimate email to the SOC team. Joking aside, employee-reported phishing incidents topped 4,521 during the first half of the year, according to 13 large organizations participating in our H2 2020 Phishing Incident Response Survey. Unfortunately, the number of false positives climbed 7% during that same period, to 67% of all reported incidents. Which means SOC analysts are forced to waste valuable time while investigation, remediation, and containment of legitimate breaches grow longer—and more costly

Manual Employee Reporting is No Longer Enough

Every minute spent investigating false negatives means actual phishing emails are left undetected, increasing the likelihood of a data breach with each passing moment. Yet today, 25% of all breaches go undetected for a month or more, according to the 2020 Verizon Data Breach Investigations Report. And Ponemon Institute estimates the costs associated with each new breach average $8.9 million. According to the companies included in our mid-year survey, automation is critical to preventing these kinds of incursions from ever happening, and reducing time-to-containment from weeks or months down to mere minutes for those that do. This is in part because on average, automated processes enable them to uncover a far larger number of attacks than those reported by employees.


The Number of Additional Malicious Emails Detected Through Automated Response

The companies in our survey indicate automated phishing response detects 90X more email threats than manual reporting alone. Out of 4,285 verified phishing emails reported during the first half of 2020, organizations with automated phishing response processes identified 643,692 additional email threats that were either similar or directly related to those reported by employees. That’s a 100% increase over our last report. Organizations cite automating analysis and triage tasks as key to realizing direct savings and increased efficiency and avoiding breach costs.


Malicious Phish Reports


All Similar Messages Found


Similar Messages Confirmed Malicious


Discovery Factor

Continuous Detection and Response
Detecting and Removing Additional, Latent Email Threats


Additional Email Threats Neutralized Through CDR

Across 145 unique events, organizations employing continuous detection and response (CDR) technologies enhanced with shared threat intelligence identified more than fifty-five hundred malicious messages beyond those detected through automated phishing response alone, according to survey participants. CDR technologies identify latent threats that have evaded detection through dormant payloads, new impersonation techniques, or “time-bombed” URLs that redirect post-delivery. By analyzing company-wide email metadata, these technologies forensically recognize and remove email threats from all inboxes automatically.

36 Minutes

Average Remediation Time on Reported Phishing Attack Using Automation

Participants report that malicious phish reported by end users are remediated within 36 minutes with the aid of automation—specifically automated prioritization of incidents based on potential impact to the organization, and identification of all affected employees. This kind of speed is critical. According to research from Aberdeen, there’s a 30% chance of a first-user click on malicious emails within 60 seconds of delivery, with a median time-to-first-click on malicious emails of just 134 seconds.

Close button
Mail Letter

Would you like the confidence to trust your inbox?