BEC Attacks Drop 63% at end of December 2019, According to Agari Report

• Plus, new findings show automation has whopping effect on phishing response, detecting 44x more malicious messages than manual reporting;

• Turning the tables on bad actors by using their own data against them yields 3,500 phishing attacks interdicted;

• And, the Fortune 500 remain cavalier towards brand-spoofing risks

Business Email Compromise (BEC) attacks fell dramatically in the last two weeks of December 2019, after reaching a crescendo the week before Christmas. This finding, along with other cybercriminal activity trends, was released today in Agari’s quarterly Email Fraud and Identity Deception Trends report. Long regarded by the Fortune 1000 and global law enforcement as the definitive research on BEC and phishing scams, this report investigates identity deception, phishing response, and brand spoofing trends.

Cybercriminal organizations shut down the two weeks between Christmas and New Year’s, just like most legitimate companies. This finding provides further evidence to support Agari’s observations that cybercriminal organizations operate like any other type of business. They form mentor/mentee relationships, purchase the same prospect list and tools that legitimate marketing departments use to discover potential “buyers,” and they study target-market and “buyer” behaviors. With many employee targets out of the office those last two weeks of the year, it’s clear scammers took some holiday downtime of their own or scammers are very cognizant of their targets’ holidays and exert less effort in their attacks when there is a likelihood the targets are out of the office.

Identity Deception

When the CEO, CFO, or anyone in a role of authority asks a back-office employee to take action, the employee naturally wants to help. It’s human-nature, and scammers bet on it. Email scams often-times work because the receiver trusts the sender name displayed on the email. This fact alone is the reason why individual impersonation attacks have skyrocketed.

Individual impersonation was up to 32% between October and December, which is a significant jump from 12% in Q2 2019. Now phishing and BEC attacks impersonating specific individuals have come into closer parity with attacks impersonating trusted brands (36%). Cybercriminals continuously modulate the identity deception tactics they use in phishing and BEC scams to optimize efforts that will net the best financial results.

Phishing Response

It is widely known that 94 percent of breaches occur through the email channel. All it takes is for one email to slip through a company’s security controls to experience a catastrophic cyber incident.

The risk management stakes are higher today than at any other time in history for CISOs. Cyber incidents impact a company’s stock price, corporate creditworthiness as well as the ability to attract top talent and retain marquee customers. In a landmark announcement, Moody’s downgraded Equifax because of cybersecurity issues, related to its historic 2017 breach.

These corporate risks keep executives up at night, but employees feel the heat too. The rank and file are now tasked and trained to be threat-hunters, in addition to being a graphic designer, bookkeeper, executive assistant, or payroll supervisor. An unfair ask, many think. If a malicious email seeps through and the bookkeeper pays it, her job is at risk. That’s what happened to an accounts payable manager at a South Carolina-based company. After unwittingly paying a $1 million invoice to a scammer, she was fired.

It’s clear. When jobs are on the line, people will click the report-phish button, and that means the SOC has been bombarded with false-positives – emails that aren’t malicious. The report shows that 60% of employee-reported incidents turn out to be false-positives. It takes time for an overworked SOC analyst to triage a false-positive. This is a distraction companies cannot afford.

Some companies get it. The Q1 report found that companies with automated phishing response technology were able to detect 44x the number of similar malicious email messages that were exclusively submitted by employees. And when companies used AI-based solutions informed by real-world intelligence on bad actors, like email addresses and subject lines, at least 3,500 latent threats that would have otherwise gone undetected post-delivery, were interdicted and neutralized. Phishing response automation is the next, next because it reduces time-to-containment of email threats and limits the potential scope of phishing campaigns.

DMARC Protocol: Brand Spoofing

The most foundational form of email security, DMARC authentication, goes unused by an astonishing number of Fortune 500 companies. The Q1 report shows clearly that 85 percent of the Fortune 500 cohort remains vulnerable to cybercriminals seeking to hijack their domains for use in phishing-based brand impersonation scams that put their customers, partners, shareholders, and the general public at risk of significant financial damage. In the UK, only 18% of the FTSE 100 are protected against brand spoofing, and in Australia the percentages are even lower at 10% of the ASX 100. DMARC is critical because it prevents cybercriminals from hijacking a brand for phishing attacks. 

 When a company has a DMARC policy set at reject (p=reject), phishing-based impersonations are driven down to near zero. It’s simple. If your company is protected with DMARC, email scammers leave your brand alone and search for a high-profile, trusted brand name to spoof that doesn’t have a DMARC record or has a DMARC record policy set at quarantine or below.

Use this free DMARC record lookup tool to find out whether your company is at risk of brand spoofing.

Patrick R. Peterson, founder and CEO, Agari said, People tend to snicker when they hear about email scams, because they immediately think of the old Prince of Nigeria schemes. But those schemes have matured into sophisticated, socially-engineered attacks that equate to billions of dollars in reported fraud loss. Phishing scams are a gateway to money-laundering crimes. So for the biggest companies in the world to overlook basic cybersecurity measures, like email authentication or automation, is baffling.

Download the full report here.