FOSTER CITY, Calif. (Feb. 12, 2020) – Business Email Compromise (BEC) attacks fell dramatically in the last two weeks of December 2019, after reaching a crescendo the week before Christmas. This finding, along with other cybercriminal activity trends, was released today in Agari’s quarterly Email Fraud and Identity Deception Trends report. Long regarded by the Fortune 1000 and global law enforcement as the definitive research on BEC and phishing scams, this report investigates identity deception, phishing response, and brand spoofing trends.
Inside the Madman’s Mind
Cybercriminal organizations shut down for the two weeks between Christmas and New Year’s, just like most legitimate companies. This finding provides further evidence to support Agari’s observations that cybercriminal organizations operate like any other type of business. They form mentor/mentee relationships, purchase the same prospect lists and tools that legitimate marketing departments use to discover potential “buyers,” and they study target-market and “buyer” behaviors. With many employee targets out of the office those last two weeks of the year, either scammers took some holiday downtime of their own, or they are very cognizant of their targets’ holidays and exert less effort in their attacks when the targets are likely to be out of the office.
When the CEO, CFO, or anyone in a role of authority asks a back-office employee to take action, the employee naturally wants to help. It’s human nature, and scammers bet on it. Email scams often work because the receiver trusts the sender name displayed on the email. This fact alone is the reason why individual impersonation attacks have skyrocketed. Individual impersonation was up to 32% between October and December, which is a significant jump from 12% in Q2 2019. Phishing and BEC attacks impersonating specific individuals have now come into closer parity with attacks impersonating trusted brands (36%). Cybercriminals continuously modulate the identity deception tactics they use in phishing and BEC scams to optimize efforts that will net the best financial results.
It is widely known that 94 percent of breaches occur through the email channel. All it takes is one email slipping through a company’s security controls for that company to experience a catastrophic cyber incident.
The risk management stakes are higher today than at any other time in history for CISOs. Cyber incidents impact a company’s stock price and corporate creditworthiness, as well as its ability to attract top talent and retain marquee customers. In a landmark announcement, Moody’s downgraded Equifax because of cybersecurity issues related to its historic 2017 breach.
These corporate risks keep executives up at night, but employees feel the heat too. The rank and file are now tasked and trained to be threat hunters, in addition to being a graphic designer, bookkeeper, executive assistant, or payroll supervisor. An unfair ask, many think. If a malicious email seeps through and the bookkeeper pays it, her job is at risk. That’s what happened to an accounts payable manager at a South Carolina-based company. After unwittingly paying a $1 million invoice to a scammer, she was fired.
It’s clear. When jobs are on the line, people will click the report-phish button, and that means the SOC has been bombarded with false positives – emails that aren’t malicious. The report shows that 60% of employee-reported incidents turn out to be false positives. It takes time for an overworked SOC analyst to triage a false positive. This is a distraction companies cannot afford.
Some companies get it. The Q1 report found that companies with automated phishing response technology were able to detect 44x the number of similar malicious email messages that were exclusively submitted by employees. And when companies used AI-based solutions informed by real-world intelligence on bad actors, like email addresses and subject lines, at least 3,500 latent threats that would have otherwise gone undetected post-delivery were interdicted and neutralized. Phishing response automation is the next, next because it reduces time-to-containment of email threats and limits the potential scope of phishing campaigns.
DMARC Protocol: Brand Spoofing
The most foundational form of email security, DMARC authentication, goes unused by an astonishing number of Fortune 500 companies. The Q1 report shows clearly that 85 percent of the Fortune 500 cohort remains vulnerable to cybercriminals seeking to hijack their domains for use in phishing-based brand impersonation scams that put their customers, partners, shareholders, and the general public at risk of significant financial damage. In the UK, only 18% of the FTSE 100 are protected against brand spoofing, and in Australia the percentage is even lower, at 10% of the ASX 100. DMARC is critical because it prevents cybercriminals from hijacking a brand for phishing attacks.
When a company has a DMARC policy set at reject (p=reject), phishing-based impersonations are driven down to near zero. It’s simple. If your company is protected with DMARC, email scammers leave your brand alone and search for a high-profile, trusted brand name to spoof that doesn’t have a DMARC record or has a DMARC record policy set at quarantine or below.
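The policy tiers described above can be checked mechanically from a domain's DMARC TXT record. The following is an added example, not code from Agari or its report: the function names and sample records are constructed for illustration, and the handling of the pct= and sp= tags follows RFC 7489 rather than anything stated in this release.

```python
# Added example: classify DMARC TXT records by the policy tiers in the text.
# All sample records below are constructed; no DNS lookup is made.

def parse_dmarc(txt):
    """Parse one TXT record into a tag dict; return None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # RFC 7489: v=DMARC1 must be the first tag
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def spoofing_exposure(txt_records):
    """Return (status, reason) for the TXT records found at _dmarc.<domain>."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:
        # Zero or several DMARC records: receivers apply no DMARC policy.
        return ("exposed", "no usable DMARC record")
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("exposed", "missing or invalid p= tag")
    if policy != "reject":
        return ("exposed", "p=%s is below reject" % policy)
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return ("partial", "p=reject applied to only %s%% of failing mail" % pct)
    sp = tags.get("sp", policy).lower()
    if sp != "reject":
        return ("partial", "subdomains use sp=%s" % sp)
    return ("protected", "p=reject for the domain and its subdomains")

SAMPLES = {  # constructed records under reserved example domains
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "monitor.example": ["v=DMARC1; p=none"],
    "quarantine.example": ["v=DMARC1; p=quarantine; pct=100"],
    "rampup.example": ["v=DMARC1; p=reject; pct=25"],
    "subs.example": ["v=DMARC1; p=reject; sp=none"],
    "spfonly.example": ["v=spf1 -all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, *spoofing_exposure(records))
```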
Use this free DMARC record lookup tool to find out whether your company is at risk of brand spoofing.
The following comments may be attributed to: Patrick R. Peterson, founder and CEO, Agari
“People tend to snicker when they hear about email scams because they immediately think of the old Prince of Nigeria schemes. But those schemes have matured into sophisticated, socially-engineered attacks that equate to billions of dollars in reported fraud loss. Phishing scams are a gateway to money-laundering crimes. So for the biggest companies in the world to overlook basic cybersecurity measures, like email authentication or automation, is baffling.”
For the attack categorization analysis, the Agari Cyber Intelligence Division (ACID) leveraged anonymous aggregate scoring data that automatically breaks out identity deception-based attacks that bypass upstream Secure Email Gateways (SEGs) into distinct threat categories, such as display name deception, compromised accounts, and more. See the section on “Taxonomy of Advanced Email Attacks” in the report. The phishing incident response trends reported are the results from a survey of six large organizations in a cross-section of industries conducted by Agari in December 2019. For broader insight into DMARC policies beyond what ACID observed in email traffic targeting Agari’s customer base, we analyzed 366 million domains, ultimately observing 11,628,125 domains with recognizable DMARC policies attached. This constantly updated list of domains serves as the basis for trend tracking in subsequent reports.
Agari is transforming the legacy Secure Email Gateway with its next-generation Secure Email Cloud powered by predictive AI. Leveraging data science and real-time intelligence from trillions of emails, the Agari Identity Graph™ detects, defends and deters costly advanced email attacks including business email compromise, spear phishing and account takeover. Winner of the 2018 Best Email Security Solution by SC Magazine, Agari restores trust to the inbox for government agencies, businesses and consumers worldwide. Learn more at www.agari.com.
Jean Creech Avent
Sr. Director, Global Corporate Communications