Business email compromise (BEC) has grown into a billion dollar industry as cybercriminals use look-alike domains and display name deception to trick employees into revealing sensitive information, depositing money into criminally-owned bank accounts, and sending thousands of dollars in gift cards via email—all without ever touching a legitimate email account. When these criminals do gain access...

Editor's Note: This post originally appeared on the Microsoft Security blog and has been republished here. You already know that email is the number one attack vector for cybercriminals. But what you might not know is that without a standard email security protocol called Domain Message Authentication, Reporting, and Conformance ( DMARC ), your organization is open to the phishing attacks that...

At Agari we often talk about the evolving nature of advanced email attacks and the identity deception tactics that go with them. These attacks bypass legacy controls and like a magician delighting a curious audience, they trick the human psyche by targeting core human emotions such as fear, anxiety and curiosity. Of course, the magic in this case comes with ill intent. A good example of a...

The 250% increase in business email compromise (BEC) scams over the past year should concern every organization, as should estimates of $26 billion in losses over the last five years from these attacks. While some organizations consider whitelisting their email lists to provide protection, occasionally encouraged by their email security provider, this strategy simply will not work with the ever...

Business email compromise (BEC) scams continue to grow at an unprecedented rate, with more sent by cybercriminals every single day. While they often differ in approach, recent research from the Agari Cyber Intelligence Division (ACID) shows that these text-based phishing attacks possess some commonalities that make them easier to spot. BEC was a $1.3 billion dollar problem in 2018, and if past...

Marketo. Salesforce. Eloqua. Bamboo HR. Zendesk. It only takes a minute to realize how much organizations love third-party senders. They are typically responsible for sending our important customer notifications, marketing promotions, prospecting emails, and even employee information. Because their mail is so important to your business, we should do what we can to help them become DMARC compliant...

When I joined Agari five years ago, I worked out of my home office in Raleigh, where all I needed was a good internet connection and access to a well-connected airport like RDU. At the time, there were only two employees in the area and thus, there was little need for an Agari office outside of headquarters in Silicon Valley. But with a mission as ambitious as ours—to protect digital...

Creating a future where all of our customers can trust their inbox can push Agari engineers to the limits of available technologies. In fact, handling the scaling requirements of Cloud Email Protection has led our Sensor team to test some of the most advanced features of the Python programming language. To maintain quality while using these features, our team created some of the first approaches...

Despite best efforts over the past decade, email security is broken. Human defenses cannot protect us from nefarious attacks, and cybercriminals continue to exploit human trust to run sophisticated attacks at scale. This is the reality of our current environment. Unfortunately, email will continue to be the attack surface of choice until the economic equation is reversed for the crime rings behind...

Agari is more than an email security company that detects cyberattacks. It is a community that supports career growth. Working at Agari over the summer course, I had the opportunity to participate in marketing projects and develop new skill sets that will enable me to be more successful both at school and post-graduation. The Task At Hand As a digital marketing intern, I became familiar with...

The recent Internet Crime Report from the FBI showcasing the growth of business email compromise (BEC) from a $700 million problem to a $1.3 billion problem over the course of only one year was certainly alarming. It showcases just how much cybercrime is growing, despite increased defenses across organizations worldwide. But one key element stands out for me—the fact that none of these attacks...

Here’s some earned media you don’t want for your brand—headlines announcing that your customers are victims of a “nasty phishing scam” or that your “accounts are under attack.” Verizon and Microsoft have had to manage those headlines in recent months. And other tech companies are vulnerable to the same kind of brand damage right now. That’s because organized cybercriminals are going all-in on...

Being a user experience (UX) designer and managing design teams is a rewarding job. I should know since I’ve been a UX designer and manager for the last twenty years. During that time I’ve had several opportunities where I progressed from being the only designer in a company to growing and managing a design team. Agari is the most recent, and my favorite, example of that pattern. My Agari Journey...

As email scammers become more sophisticated and cybercriminals expand their tactics, phishing and BEC attacks from compromised email accounts continue to rise in popularity. We’ve seen a 35% increase in attacks launched from compromised accounts in the last six months. This means that email account takeover-based threats are more prevalent than ever before. And since this is the hardest attack...

Security incidents hit 81% of organizations over the past twelve months, and internal threats pose a serious challenge for security teams, according to a new report from Osterman Research. The latest research says that the most common incidents are advanced threats—including spear phishing, social engineering, and account takeover-based attacks. The report also says that too many organizations “do...

Want to know how email became the number one attack vector for cybercriminals? Look no further than this phishing test at a major financial services firm in which more than one executive clicked through to a fraudulent link. Making matters worse, the email read: "This is a phishing test. Clicking the link below will cause harm to your computer." Don't laugh. In a 2017 employee survey, 46% of...

Only three months ago, the Agari team published our first in-depth analysis on how the top candidates for the US presidency compared when it comes to email security. The kinds of email attacks that helped derail Hillary Clinton’s candidacy in 2016 are only getting more sophisticated, and new data released today shows that campaigns are not taking the threat as seriously as they should. The Q3 2019...

When implemented effectively, real-world deployments of machine learning (ML)-based email security can block business email compromise (BEC) scams, phishing campaigns, and other advanced email threats. But sometimes, it's what happens when a malicious email is somehow able to evade early detection that can matter most to that effort. According to recent research, 22.9 phishing attacks are launched...

BIMI is going big time like never before—and brands won't want to get left behind. In a major announcement this week , Internet search giant Google revealed it has joined the AuthIndicators Working Group and committed to a pilot program for BIMI. For those unfamiliar with the term, Brand Indicators for Message Identification (BIMI) is a standardized way for inboxes to display brand logos beside...

Receipts and invoices—two accounting powerhouses that require little introduction. But step a little further into the world of finance and accounts, and you can quickly become a fish out of water, as the terminology to this numerical land seems to multiply exponentially. That said, in some of our recent active defense engagements with BEC cybercriminals, we have observed a new way scammers are...