Agari H2 2020 Email Fraud Report – The Findings

Every 6 months Agari, market leader in enterprise phishing defence solutions, releases its Email Fraud and Identity Deception Trends report. The most recent report comes at a time where the attack surface of all businesses has rapidly expanded. Phishing and Business Email Compromise (BEC) scams have been relying on sophisticated social engineering for a while now, but this year they have been able to exploit an unprecedented situation. COVID-19 has seen tens of millions of corporate employees suddenly working from home and businesses rapidly trying to build remote solutions. With the volume of attacks higher by mid-May than the whole of 2019, it has never been more important for organisations to build cyber resilience to get ahead of attacks.

HOW WAS THE REPORT COMPILED?

The Agari Cyber Intelligence Division creates the report through applied science. The metrics and data analysed in the report come from a cross-section of industries and include aggregate advanced email attack data and global DMARC domain analysis. Agari uses machine learning, industry knowledge and complex modelling to build insights. The result is a report that delivers insights to help protect enterprises from spoofing and inbound attacks, ensure email deliverability and brand integrity and restore trust to the inbox.

WHAT’S NEW IN THE REPORT

The clear focus of this year’s report is on how COVID-19 has impacted email fraud. Whereas the pandemic has caused some businesses to slow down, cybercriminals have been going from strength to strength. Unfortunately, it has been an unprecedented opportunity for threat actors to take advantage of weaknesses in our systems. The report shows that there was more than a 3,000% increase in phishing attacks from the beginning of March to June. On top of this, Agari revealed a 70% increase in BEC scams launched from free webmail accounts. Amongst other attempts, cybercriminals launched attacks impersonating the World Health Organisation (WHO), the Centers for Disease Control (CDC) and other large organisations central to the fight against the pandemic. While COVID-19 themed BEC attacks had reduced by the end of June, the pandemic has clearly left us more exposed than ever before to social engineering.

KEY TAKEAWAYS FROM THE REPORT

The report focuses on three key areas: employee phishing and BEC trends, phishing response trends and consumer phishing and DMARC trends. The report highlights some interesting insights in each of these areas:

Employee Phishing and Business Email Compromise trends:

• COVID-19 fuelled attacks – as we’ve discussed, there was a huge rise of COVID-themed phishing attacks from early March to June, totalling over 3,000% more than in 2019.
• Free webmail accounts – there was a 70% increase in the number of BEC scams launched from free webmail accounts. With attackers benefiting from the speed and flexibility of temporary and disposable accounts.
• Identity Deception – around two-thirds of malicious emails used identity deception tactics that impersonated well-known brands. This was again fuelled further by COVID-19, with organisations such as the WHO being used to deceive recipients.
• Gift cards – gift cards are the favoured form of payment due to their ubiquitous nature and were used in more than 67% of all BEC plays. The cards are easy to sell for pennies on the dollar in online cryptocurrency exchanges.
  

Phishing response trends:

• Employee-reported incidents – employees are sending an increasing volume of emails to Security Operation Centre (SOC) teams. False positives now account for 67% of all reported incidents with SOC analysts wasting valuable time that could be spent on investigating, remediating and containing legitimate breaches.
• Automated response – automated phishing response processes detect 90 times more threats than with manual reporting alone, often detecting the same as those directly reported by employees. Automation is reported to be key to efficiency and avoiding breach costs.
• Continuous detection and response (CDR) – CDR technologies enhanced with shared threat intelligence identified 5,553 additional threats that would have otherwise evaded detection. The technologies enabled enterprises to forensically recognise and remove threats automatically from all inboxes.
  

Consumer phishing and DMARC trends:

• While the first half of 2020 saw a further 25 companies within the Fortune 500 list adopt Domain-based Message Authentication, Reporting, and Conformance (DMARC), 80% of the largest companies still remain susceptible. That means that cybercriminals would be able to hijack their domains to use in phishing-based brand impersonation attacks, creating significant financial and reputational risk for their customers and the general public.
• In better news, there was a 3,800% increase in brands adopting Brand Indicators for Messaging Identification (BIMI) within the last six months.
  

A DANGEROUS OPERATING ENVIRONMENT

Agari’s mid-year report points at today’s operating environment being more dangerous and dynamic than ever. And, while scam artists will always try to profit when disaster strikes, email-based attacks are on the rise regardless. As cybercriminals continue to up their game, most large enterprises have a blind spot. Many don’t know who is really sending emails on their behalf, as highlighted by the volume of Fortune 500 companies with DMARC authentication in place. Without implementing these basic security controls, the companies and their customers remain at significant risk.

Ultimately, organisations need to take a risk-based approach to email security, using science and automation to help them keep pace with their adversaries, prevent attacks and reduce the costs of data loss and customer distrust.

‍