AGARI CYBER INTELLIGENCE DIVISION

REPORT Q2 2019 Fraud and Identity Deception Trends Global Insights from the Agari Identity Graph™

© 2019 Agari Data, Inc.

Executive Summary

Quarterly analysis from the Agari Cyber Intelligence Division (ACID) finds that business email compromise (BEC), spear phishing, consumer-targeted brand impersonation scams, and other advanced email threats continue to evolve at a relentless pace, and could even put major US presidential candidates at risk from attacks targeting their staff and their voters as the 2020 election cycle ramps up.

Email Hacking: 2016 Redux, or Something Far Worse?

Despite lessons learned from the hacking of Clinton campaign chairman John Podesta’s email account and the subsequent release of sensitive emails on WikiLeaks, little progress has been made since the 2016 US presidential election. As the 2020 election cycle revs up, campaigns are still struggling with email security, primarily because few of the current and most prominent candidates have dedicated staff or resources to implement effective defenses. In fact, over 90% of the current presidential contenders rely on the easily-bypassed security controls built into their email platforms—almost exclusively Google Suite and Microsoft. While these controls offer basic defenses, they won’t protect against the kind of advanced email attacks likely to target campaign staff.

And that’s not the only kind of email threat candidates should fear. As of April 29, ACID analysis of domain data indicates only one of the leading candidates polling over 1%—Massachusetts Senator Elizabeth Warren (D)—has a DMARC record established for their domains with a policy that would prevent the campaign or the candidate from being impersonated in emails targeting donors, voters, and others. Given the stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of world-class hackers, especially as more than 90% of the leading candidates remain wide open to attack.

EMAIL FRAUD & IDENTITY DECEPTION TRENDS | EMAIL FRAUD AGARI Q2 2019

Nearly 30% of BEC Attacks Now Originate from Compromised Email Accounts

ACID analysis finds continued volatility in the identity deception tactics used by cybercriminal organizations behind a growing number of BEC scams. The percentage of all phishing attacks employing identity-deception tactics that use a display name intended to impersonate a trusted individual or brand has dropped to 53%, but most troubling has been the steady increase in the use of compromised email accounts. From January through March 2019, 27% of all identity-deception attacks were launched from compromised accounts. That’s an increase of nearly 30% in just 90 days, making this the second-most prevalent form of identity deception technique. Because phishing attacks launched from compromised accounts are by far the hardest to detect and disrupt, they are especially effective at defrauding the rightful owners of the account—as well as targeted businesses.

Employee-Reported Phishing Attacks Reaching SOCs Surge 25%

According to the Q2 ACID Phishing Incident Response Survey of 176 SOC professionals at 325 organizations with 1,000+ employees, the number of employee-reported phishing attacks climbed 25% in the past quarter—increasing the total volume of incidents corporate security operations centers (SOCs) must remediate to an average of more than 29,000 annually. During this same period, the time needed to triage, investigate, and remediate each incident rose to an average of 6.5 hours. While the number of SOC analysts increased to 14, the gap between the number of analysts needed (90) and the actual number of analysts widened.

DMARC Adoption Rises a Tepid 1% While 90% of Fortune 500 Remains Unprotected

By the end of March 2019, ACID identified 6.75 million domains with valid DMARC records out of 328 million total domains examined as part of the industry’s largest ongoing study of DMARC adoption worldwide. Germany ranks first in raw domains with established DMARC records, though the United States maintains the highest percentage of domains with DMARC records with a reject policy. Overall, domains with DMARC records rose 1%, with the rate of growth rising at a much slower pace than the previous quarter. This leaves the vast majority of the world’s most prominent companies vulnerable to email-based impersonation attacks targeting their customers, partners, and other businesses—including nearly 90% of the Fortune 500.

Inside this Report

In this quarterly report, we examine trends in phishing and email fraud perpetrated against businesses and their customers.

For the first time ever, we also begin tracking both Domain-based Message Authentication, Reporting and Conformance (DMARC) and Advanced Threat Protection adoption among presidential candidates seeking their parties’ nominations heading into next year’s 2020 US elections. This report includes a look at which campaigns may be most vulnerable to email-based impersonation scams that can damage candidates’ reputations, operational effectiveness, fundraising efforts, and even national security.

Also included are the results from our quarterly survey on the impact of phishing incident response in the enterprise, and the burden and cost for a security operations center (SOC) team to respond to employee-reported emails. The statistics presented here reflect information captured from the following sources from January through March 2019:

• Analysis of 2020 Presidential campaign email vulnerability based on DNS and MX record information
• Data extracted from the 300 million+ daily model updates by the Agari Identity Graph™
• DMARC-carrying domains identified within the 328 million+ domains crawled
• Insights captured from a phishing incident survey of more than 250 cybersecurity professionals

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigation. ACID supports Agari’s mission of protecting communications so that humanity prevails over evil. The ACID team uncovers identity deception tactics, criminal group dynamics, and relevant trends in advanced email threats. Created by Agari in 2018, ACID helps to impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.

Table of Contents

Presidential Campaign Security 2020
- Deception 2020: US Elections Under Email Attack 9
- Enemies in the Inbox: Spear Phishing Attacks Should Raise Concerns for Candidates 10
- 2016 Presidential Redux—or Worse? DMARC Authentication Necessary for Voter Protection 12

Employee Phishing and Business Email Compromise (BEC)
- Patterns of Deceit: Attacks from Compromised Accounts Continue to Surge 16
- C-Suite Phishing Trends: High-Value Executives See Rise in Identity Deception Attacks Impersonating Individuals 18
- BEC in the Spotlight: The Use of Free Accounts, Look-alike Domains, and Personalization 19

Phishing Incident Response Trends
- Incident Response Trends: SOCs See Reported Phishing Attacks Jump 25% 24
- Employee Empowerment Evolves: Organizations Change Tactics for Employee Reporting 25
- Catching Phish: How Employees Report Suspected Attacks 26
- SOC Staffing Snapshot: Headcount Needs Nearly Double in 90 Days 31
- Data Breach Economics: Risk Reductions from Automation 32
- Totaling It Up: The Cost of Manual Response vs. the Savings from Automation 34

Customer Phishing and DMARC Trends
- DMARC Adoption Snapshot: The Industry’s Largest Ongoing Study of Adoption Rates Worldwide 36
- Q2 Scorecard: Vendors and DMARC Service Providers 38
- DMARC Adoption By Geography 40
- Prominent Trends Across Top Companies 41
- Large Sector Analysis: DMARC Authentication by Vertical 44
- Industry Enforcement Comparison: The Agari Advantage by Vertical 45
- Brand Indicators Adoption Up 60% as More Brands Realize Its Value 46

About This Report 47
About the Agari Cyber Intelligence Division (ACID) 48

Key Terms
A Taxonomy of Advanced Email Threats

With rising levels of cybercrime posing a serious threat to individuals, businesses, and governments, it is vitally important to codify a consistent set of terms to describe the different challenges that characterize this threat landscape. Not every email scam is a “phishing attack,” for instance.

To address this need, ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy will help readers understand the terms used in this report and what they mean to email security.

Because email fraud centers around identity deception—the impersonation of trusted senders—in order to con recipients, we start with the method by which the impostor impersonates the trusted sender’s email account, making it appear as if the emails the impostor is sending are originating from the trusted party.

[Figure: Agari Threat Taxonomy. Sender: Imposter (Spoof, Look-alike Domain, Display Name Deception, Compromised Account) or Authentic (Account Owner). Classification: Fraud (Social Engineering; Scattershot or Targeted; URL or Con), Unsolicited Email (Spam, Graymail), Legitimate Email (Misconfiguration). Recipient: Internal (Employees, Contractors) or External (Partners, Customers). Objective: Monetary, IP/Data/Credential Theft, Denial of Service.]

For more information about the Agari Threat Taxonomy, see agari.com/taxonomy

Leading Attack Modalities

Generally speaking, we observe three primary ways in which cybercriminals impersonate an email account:

LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that is very similar to the legitimate domain he or she is seeking to impersonate. Look-alike domains are distinguished from domain spoofing, in which the attacker uses the actual email address of the impersonated identity in the “From” header—for example, “Company Customer Service.” Email authentication standards such as DMARC can be used by a domain owner to prevent spoofing of the domain, but are still not adopted widely by all businesses.

DISPLAY NAME DECEPTION: This happens when the cybercriminal inserts the name of the impersonated individual or brand into the “From” field within Gmail, Yahoo, or another free cloud-based email platform. These are also known as “friendly from” attacks.

[Figure: Sender taxonomy. Imposter: Spoof, Look-alike Domain, Display Name Deception, Compromised Account. Authentic: Account Owner (Brand / Individual).]

COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that’s already been compromised—assuming the identity and the actual email account of the impersonated individual or brand, which is the most dangerous threat of all.

Different types or classes of attacks will entail different elements of this taxonomy.

A business email compromise (BEC) attack, for instance, can involve an impostor who aims to impersonate a trusted individual or brand using a look-alike domain, display name deception, or in the worst cases, a compromised legitimate account, leveraging sophisticated social engineering tactics to send highly personalized attacks. Impersonated individuals may be executives within the target’s own company, or an outside vendor or partner company. A BEC attack is targeted and uses a con with no URL or attachment.

By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone into clicking on a malicious link that captures their username and password. When attacking businesses, display name deception is typically the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.

Presidential Campaign Security 2020
Protecting the United States Election From Nation-State Attacks

Deception 2020
US Elections Under Email Attack

Initial findings show that major US presidential candidates are vulnerable both to phishing attacks against staff and to email scams impersonating their campaigns. This must be remedied as we move closer to the election, especially as cybercriminals and nation-state actors seek to derail candidates, defraud voters, and undermine democracy itself.

In the aftermath of the 2016 US presidential election and the hacking of Clinton campaign chairman John Podesta’s email account, email security has become a critical issue as the 2020 election cycle revs up.

It was only three years ago that Podesta was fooled by what appeared to be an “account alert” from his email provider, Google. The malicious link, and the resulting leak of damaging campaign emails on WikiLeaks, helped derail Clinton’s bid for the presidency.

Fast-forward to 2019, and little has changed. Campaigns are still struggling with email security, primarily because very few candidates have dedicated staff or resources to implement critical email security defenses. The Department of Homeland Security offers training, but it tends to be designed for large federal agencies rather than the frenetic, on-the-fly campaign operations that are just starting to rev up for the primaries.

In fact, with the 2020 election cycle now underway, over 90% of the current presidential contenders rely on the easily-bypassed security controls that are built into their email platforms—almost exclusively Gmail and Microsoft Office 365. And while these security features provide basic protection, they are not enough to stop the advanced email attacks that are likely to target prominent candidates in the run-up to the election. Perhaps even more troubling, only one presidential candidate polling over 1% has implemented the DMARC policy needed to keep fraudulent email purporting to come from the campaign or the candidate themselves out of voter inboxes.

The information here was collected on April 29, 2019. For an up-to-date status on top candidates, see agari.com/election2020

Enemies in the Inbox
Spear Phishing Attacks Should Raise Concerns for Candidates

While the security controls of most webmail platform providers have grown adept at ferreting out malicious links and malware, they are powerless on their own against advanced, identity-based phishing attacks, and cybercriminals are taking advantage. Instead of relying solely on the kind of spear phishing approach used on Podesta, these operatives are now launching highly personalized, socially-engineered email messages designed to manipulate recipients into revealing sensitive information or login credentials before thinking to confirm the message’s legitimacy.

Advanced Email Security Is a Necessity for Serious Candidates

To be sure, some attacks may still include “Past Due” or “Password Change Required”-style alerts designed to harvest email login credentials. But others may involve an “urgent request” from a trusted advisor, outside firm, or a senior campaign official asking the recipient to pay a vendor or forward confidential polling data or campaign information. Fortunately, much of this can be stopped by advanced email security controls that overlay on top of Microsoft Office or Gmail to stop advanced attacks like business email compromise, spear phishing, and others.

Despite the ease of implementing advanced email protection, the Agari Cyber Intelligence Division finds that only 3% of the current crop of US presidential candidates with an email-receiving domain or campaign website have implemented a solution to stop advanced threats.

[Figure: Email Gateways, shown for All Candidates and for candidates >1% Polling with Website. Categories: Third-Party Advanced Email Security Provider, Microsoft Office 365, Google, Unknown/On-Premises Gateway. Values visible in the chart: 1, 9, 91.]

A vast majority of candidates are relying on the basic controls built into their cloud-based email platform. All this means is that these candidates are open to attack in the form of phishing and account takeovers—threats that could derail an entire campaign, smear a presidential candidate, and turn the wave of support against a leading presidential contender.

Leading Candidates Are at Risk for Attack

Of the candidates polling over 1%, according to data from Real Clear Politics, the situation is not much better. Only two candidates—Massachusetts Senator Elizabeth Warren and Former Massachusetts Governor Bill Weld—have put an advanced security solution in place to protect their staff from the email threats that could cause major headaches should they be successful.

Let’s hope more join them. Even with heavy investments in security and employee phishing training, 96% of corporate data breaches begin with an email, and more than 4,000 records are stolen every single minute. With these numbers, imagine what these criminals could do to a presidential bid.

The rapidly-evolving nature of campaign operations and their ad hoc ecosystem of advisors, pollsters, policy analysts, and other members of a candidate’s braintrust make them easy targets for world-class hackers—both foreign and domestic. As the race heats up and the press focuses more on our top contenders, so will nation-state actors who want to target the 2020 election and United States democracy.

And unfortunately, these are not the only types of email threats that candidates should fear.

2016 Presidential Redux—or Worse?
DMARC Authentication Necessary for Voter Protection

The fact is, there is another email-based threat that could pose a far graver danger to candidates and to our electoral system itself. US congressional and presidential candidates whose domains are unprotected by the DMARC email authentication protocol risk finding their campaigns impersonated in phishing attacks targeting not their staff, but rather their most important constituents—including voters, donors, the press, and more.

In 2017, the US Department of Homeland Security issued BOD 18-01, a directive requiring all executive branch agencies to adopt DMARC with its top enforcement policy in order to address this same issue. DMARC helps ensure only authorized parties can send emails on an agency’s behalf, preventing agencies or individuals from that agency from being impersonated in attacks targeting other agencies, government officials, citizens, media outlets, foreign allies, and more.

To its credit, the US executive branch is now one of the leading industry verticals in the adoption of DMARC. But so far at least, no such directive has been set for the federal government’s legislative or judicial branches, let alone for the chaotic operations of congressional and presidential election campaigns.

Mission: Impersonate

Given the stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of highly-networked cybercriminal organizations, some of them foreign adversaries, with access to all the same donor and voter data so critical to campaign success.

What happens if candidates for the highest office in the land are impersonated in phishing attacks targeting voters, donors, or the domestic or foreign press? What kind of fraudulent statements or mischaracterized policy positions could be attributed to these candidates and emailed to rival campaigns, the media, and key voters—including independents in battleground states?

And what happens when the negative publicity from such attacks leads these and other constituents to avoid opening a campaign’s legitimate email messages, including those focused on fundraising? Because email marketing has an average ROI of $38 for every $1 spent, impersonation attacks that hobble the email channel can quickly crush a candidate’s reputation, their fundraising ability, and their electoral viability. For these reasons and more, DMARC implementation should be the absolute baseline for email security for every campaign.

DMARC Adoption in the Danger Zone for Most Candidates

When implemented correctly, DMARC authentication at its highest level is the single most important element in stopping attacks that pose as trusted brands or individuals—including political candidates and their campaigns.

[Figure: DMARC protection. All Candidates: 1% Protected, 99% Not Protected. Candidates >1% Polling with Website: 8% Protected, 92% Not Protected.]

In late March, CNN reported that the Democratic National Committee held an online seminar to show campaigns how to implement DMARC. But as of April 29, our analysis of domain data indicates only one of the campaigns with polling averages above 1% has a DMARC record established for its domains with a policy that would block phishing emails. This means 99% of all US presidential candidates and 92% of the top candidates are vulnerable to email-based impersonation attacks targeting their constituents and others.

Leading Candidates Remain Vulnerable to Attacks

Out of all candidates with polling averages above 1%, only five have DMARC records assigned to their domain. These include:

• Massachusetts Senator Elizabeth Warren (D)
• New Jersey Senator Cory Booker (D)
• Former Secretary of Housing and Urban Development Julian Castro (D)
• Minnesota Senator Amy Klobuchar (D)
• Current President Donald J. Trump (R)

But only Warren has a p=reject policy to stop unauthenticated emails from being delivered. Because a DMARC record does not prevent illegitimate mail from entering the inbox until the policy is set to p=reject, every other major candidate is still vulnerable to email-based impersonation—including current President Trump.

As such, voters should be wary of any email purporting to come from a candidate other than Elizabeth Warren. No other candidates have implemented the protocols necessary to keep fake email out of voter inboxes—a fact that should be remediated sooner rather than later to ensure voter trust throughout the election process.
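The distinction between having a DMARC record and having an enforcing one is what the candidate comparison above turns on. As an added example (not code from the report), the following parses the TXT record a domain publishes at _dmarc.<domain> and reports whether it actually keeps unauthenticated mail out: p=reject, applied to 100% of mail (the pct tag) and to subdomains (the sp tag, which defaults to p). The records and mailbox addresses in it are constructed.

```python
# Assessing a domain's published DMARC policy. In practice the input is the
# result of a DNS TXT query for _dmarc.<domain> (for example
# `dig +short TXT _dmarc.example.org`); here the records are constructed.


def parse_dmarc_record(txt: str):
    """Parse one TXT string into a tag dict, or return None if it is not a
    DMARC record (v=DMARC1 is required by RFC 7489)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(txt_records):
    """Assess all TXT records found at _dmarc.<domain>.

    Returns the organisational policy (p), the subdomain policy (sp, which
    defaults to p), the enforcement percentage (pct, default 100) and
    whether the configuration actually blocks spoofed mail: p=reject on
    every message, subdomains included.
    """
    parsed = (parse_dmarc_record(t) for t in txt_records)
    records = [r for r in parsed if r is not None]
    if not records:
        return {"policy": None, "subdomain_policy": None, "pct": 0,
                "blocks_impersonation": False, "note": "no DMARC record"}
    if len(records) > 1:
        # RFC 7489 tells receivers to treat multiple records as no policy at all.
        return {"policy": None, "subdomain_policy": None, "pct": 0,
                "blocks_impersonation": False,
                "note": "multiple DMARC records; receivers treat this as none"}

    rec = records[0]
    policy = rec.get("p", "none").lower()
    sub_policy = rec.get("sp", policy).lower()
    try:
        pct = int(rec.get("pct", "100"))
    except ValueError:
        pct = 100

    blocks = policy == "reject" and sub_policy == "reject" and pct == 100
    if blocks:
        note = "enforced: unauthenticated mail is rejected"
    elif policy == "reject":
        note = "reject weakened by pct or sp; impersonation still possible"
    elif policy == "quarantine":
        note = "quarantine: spoofed mail is filtered, not rejected"
    else:
        note = "monitor only (p=none): spoofed mail is delivered"
    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct,
            "blocks_impersonation": blocks, "note": note}


if __name__ == "__main__":
    # Constructed records illustrating the states discussed in the report.
    samples = {
        "enforcing": ["v=DMARC1; p=reject; rua=mailto:[email protected]"],
        "record but no protection": ["v=DMARC1; p=none; rua=mailto:[email protected]"],
        "partial rollout": ["v=DMARC1; p=reject; pct=50"],
        "subdomain gap": ["v=DMARC1; p=reject; sp=none"],
        "no record": [],
    }
    for label, recs in samples.items():
        print(f"{label:26} -> {assess_dmarc(recs)['note']}")
```

A p=none record still has value: the rua address receives aggregate reports that show which sources are sending as the domain, which is how a campaign would discover its mailing vendors before moving to reject. But as the candidate list above shows, only the final step changes what lands in a voter's inbox.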

Employee Phishing and Business Email Compromise (BEC)

KEY FINDINGS

• An unfortunate increase of 35% means that 27% of advanced email attacks spawn from compromised accounts of trusted individuals and brands.

• When targeting execs and high-value employees, attackers moved decisively to impersonating specific individuals in 37% of all email attacks, versus previous trends of impersonating common brands.

• As a sign of growing sophistication and targeting inherent to BEC attacks, 20% of deceptive emails observed were personalized to include the name of the recipient in order to make them seem more legitimate.

Patterns of Deceit
Attacks from Compromised Accounts Continue to Surge

More than a quarter of advanced email attacks are now launched from the compromised accounts of trusted individuals and brands—up 26% in just ninety days.

‘From’ Line Fraudsters: Identity Deception Tactics are Evolving Fast

Today, 53% of all phishing attacks employing identity-deception tactics use a display name intended to impersonate a trusted individual or brand in order to defraud an outside supplier, a customer, or other businesses—down from 63% in the previous quarter.

In most cases, attackers favor impersonating trusted brands at 34% over individuals at 19% of all attacks. But while both of these tactics attempt to deceive a recipient by impersonating a known entity, the purpose is typically very different for each.

Generally speaking, malicious emails that impersonate trusted brands are associated with credentials-harvesting attacks, while phishing emails spoofing specific individuals are typically linked to socially-engineered, recipient response-oriented attacks such as BEC or executive spoof scams.

[Figure: Advanced Attacks by Imposter Type. Look-alike Domain 20% (sample: From: LinkedIn, To: Jan Bird, Subject: Diana has endorsed you!). Display Name Deception (Brand) 34% (sample: From: Chase Support, To: Tom Frost, Subject: Account Disabled). Compromised Account 27% (sample: From: Raymond Lim, To: Cong Ho, Subject: PO 382313). Display Name Deception (Individual) 19% (sample: From: Patrick Peterson, To: Cong Ho, Subject: Follow up on Invoice Payment).]

The thing that is most notable this quarter is the continued increase in the use of compromised email accounts. From January through March 2019, 27% of all identity-deception attacks were launched from the compromised email account of a trusted individual or brand. That’s up from 20% in just three months, making this the second-most frequent type of identity-deception technique.

Legitimate email accounts that have been taken over by scammers can be a crushingly effective way to distribute phishing emails because they are, in a sense, trusted—allowing them to bypass mail filters more easily. The impact of this attack type cannot be overstated.

Attacks launched from compromised email accounts are by far the hardest to detect and disrupt, making them a serious vulnerability for the account’s legitimate owner and the companies involved. Indeed, a successful account takeover does not just give fraudsters the ability to impersonate the account’s owner. It also gives them access to the individual’s contacts, ongoing email conversations, and historical email archives—making it possible to craft new scams made all the more galling by their extraordinary personalization and crushing effectiveness.

Meanwhile, the remaining 20% of identity-deception emails use look-alike domains to send malicious content. While some of these domains can be simply spoofed and sent using basic mailing tools, many are actual domains registered by phishing threat actors.

C-Suite Phishing Trends
High-Value Executives See Rise in Identity Deception Attacks Impersonating Individuals

During the first quarter of 2019, display name deception used to impersonate specific individuals was used in 37% of all email attacks targeting senior executives, compared to just 19% in overall malicious email campaigns.

The distribution of tactics used in phishing attacks against executives diverges significantly from those used when targeting other employees. During the first quarter, display name deception used to impersonate specific individuals, the least common tactic among malicious emails overall, was used in the majority of phishing emails targeting high-level executives. This dichotomy is driven by BEC scams that target CFOs and other financial executives with malicious emails appearing to be sent from an executive like the CEO, making this one of the most pernicious cyberthreats facing the enterprise.

Compromised account-based phishing scams, which are the second-most common email attack method overall, are rarely used when targeting senior executives, representing just 12% of attacks in the first quarter of 2019.

[Figure: Identity Deception Attacks by Attack Category, executive targets. Look-alike Domain 15%. Display Name Deception (Brand) 36%. Compromised Account 12%. Display Name Deception (Individual) 37%.]

For more information on how cybercriminals target the C-level, see agari.com/londonblue

BEC in the Spotlight
The Use of Free Accounts, Look-alike Domains, and Personalization

This past quarter, the Agari Cyber Intelligence Division took an in-depth look at the tactics used by threat actors in BEC campaigns, one of the costliest forms of phishing attacks businesses face today.

67% of Attacks are Launched from Free Webmail Accounts

What makes today’s BEC campaigns so dangerous is that they can exact eye-popping returns with very little effort or overhead. Because emails used in these attacks do not contain malicious links or payloads, they easily bypass most common security controls in use today.

And in the vast majority of cases, BEC attackers use free and temporary email accounts to launch their campaigns. In fact, our data shows that two-thirds (67%) of BEC emails are sent from an easily-acquired webmail account.

In the first quarter of this year, the most commonly used email provider in these attacks was Roadrunner (rr.com), accounting for 15% of all BEC campaigns. AOL and Gmail ranked as the second and third most commonly used webmail providers for creating accounts used to send BEC phishing emails.

Top Ten Email Providers Used to Send BEC Emails
1. Roadrunner 15.3%
2. AOL 12.8%
3. Gmail 10.4%
4. Lycos 4.1%
5. Naver 2.1%
6. Cox 2.0%
7. Mailbox.org 1.3%
8. Earthlink 1.2%
9. Inbox.lv 1.2%
10. TWC 1.0%

The Advantages of Look-alike Domains in BEC Scams

Twenty-eight percent of BEC campaigns in the first quarter were sent from email accounts hosted on a domain registered by the attacker. While there is usually a cost associated with registering a domain, the ability to create a more authentic-looking email address for use in attacks is worth the price for some.

Meanwhile, compromised email accounts belonging to other individuals or brands accounted for the remaining 5% of BEC attacks.

Regardless of the point of origin, the display name used in these attacks is almost always changed to impersonate a senior executive at target organizations.

[Figure: Most Common Point-of-Origin for BEC Scams. Webmail 67%. Registered 28%. Compromised 5%.]

Top 10 Subject Lines for Business Email Compromise Scams

Curious what a business email compromise scam actually looks like? In most cases, the initial email in a BEC attack is very brief and designed to elicit a response from a targeted recipient.

Similarly, the subject lines of BEC emails are frequently very generic, so as not to arouse suspicion. But they nearly always contain specific keywords meant to generate urgency.

In fact, 1 in 4 BEC emails observed over the past three months contained one of three words in the subject line: Quick, Request, or Urgent.

Top Ten Most Common Subject Lines in BEC Emails (Q1 2019)
1. Request 7.6%
2. [FIRST NAME] 7.2%
3. Task 3.7%
4. Hello [FIRST NAME] 3.5%
5. Hi [FIRST NAME] 2.5%
6. Payroll 2.1%
7. quick task 2.1%
8. [FIRST/LAST NAME] 1.9%
9. Direct Deposit 1.7%
10. Available? 1.5%

A Growing Number of BEC Emails are Personalized

Today, 20% of BEC emails are personalized to include the name of the recipient in order to make them seem more legitimate. Rather than receiving a completely generic message, referencing the target’s name serves to lower a recipient’s defenses and lessen the likelihood they’ll recognize the scam.

Personalization also demonstrates the level of reconnaissance some cybercriminal organizations conduct prior to launching their malicious campaigns.

Instead of simply scraping email addresses from company websites, some BEC groups curate target lists of specific financial executives for use in crafting these personalized messages.

Our previous research has shown that many BEC groups use legitimate commercial services to construct tailored queries and collect comprehensive contact information for financial executives around the world.

Figure: Personalization vs. Non-Personalization in BEC Attacks: 20% Personalized, 80% Non-Personalized.

Personalized example: Subject: Hello. “I am planning a surprise for some of the staffs with gift cards and your confidentiality would be appreciated in order not to ruin the surprise. I need you to get some purchase done, email me once you get this.”

Non-Personalized example (labelled “Vice President of Marketing at Agari”): Subject: Hello. “Hi Are you in your office? Send me a quick reply if you are free. Thanks” Sent from a Mobile Device.

Phishing Incident Response Trends

KEY FINDINGS

Employees report an average of 29,028 phishing incidents to the security operations center each year per organization—a 25% increase in just 90 days.

The average time it takes to triage, investigate, and remediate reported phishing incidents jumped to 6.5 hours, a 35% increase in one quarter.

Costs for the security operations center to triage, investigate, and remediate employee reported phishing nearly doubled—exceeding $8.1 million.

Incident Response Trends
SOCs See Reported Phishing Attacks Jump 25%

In today’s threat environment, there is no possible way to completely remove the risk that an employee will fall for a phishing email designed to defraud the company or steal sensitive information as part of a data breach. During the first quarter of 2019, the time required for security operations centers (SOCs) to respond to employee-reported phishing attacks spiked 32% in just 90 days.

For US-based companies, this matters—a lot. Today, the average cost of a breach is approaching $8 million, and the probability of falling victim to a breach is now 14% per year, according to Ponemon Institute. And it’s getting worse, in part because of the very mechanism businesses are putting in place to mitigate the issue.

The Unexpected Consequences of Employee-Reported Phishing Attacks In addition to security awareness training and phishing simulations, the vast majority of businesses have provided employees with the ability to report suspected phishing emails. It is critical to understand how to leverage this threat feed to discover and contain breaches before data is exfiltrated.

All too often, employee-reported phishing emails end up flooding SOCs with more incidents to triage, investigate, and remediate than they can handle. As a result, it has become critically important for businesses to find ways to streamline and automate these processes. Otherwise, the time it takes to discover and resolve breaches will only grow longer—while valuable data, intellectual property, and other important business information is exfiltrated by cybercriminals.

Inside the ACID Phishing Incident Response Survey

Every quarter, ACID surveys SOC professionals at 280 organizations ranging in size from 1,000 employees to 209,000 employees in order to get a read on incident response issues. This quarter’s survey participants include 176 respondents based in the United States, and 84 in the United Kingdom.

The survey asks a series of questions regarding employee-reported phishing—including reporting mechanism, volume, false positive rate, existing tools for phishing incident response, and time required to investigate phishing. This section of the Q2 2019 Email Fraud and Identity Trends report highlights analysis of the responses to these questions.

Employee Empowerment Evolves
Organizations Change Tactics for Employee Reporting

Ninety-five percent of this quarter’s survey respondents report employees in their organizations have the ability to report phishing attacks, often via a convenient button and/or abuse inbox for forwarding suspicious messages to the security team.

While this is down 3% quarter-over-quarter, a growing number of organizations are adopting phishing simulations to test employees’ ability to detect a phishing incident after participating in security awareness training. A full 92% of this quarter’s survey respondents report their organizations use such simulations, up 4% from the previous quarter. In most cases, these simulations are implemented via an outside vendor to provide an objective assessment of security vulnerabilities.

Chart: Training Employees to Report Phishing. Ability to Report Phishing: Yes 95%, No 5%. Phishing Simulation Adoption: Yes 92%, No 8%.

Catching Phish
How Employees Report Suspected Attacks

Most companies offer multiple reporting methods, including filing a help desk trouble ticket, using the native email client phishing button, or implementing a third-party client such as the KnowBe4 phishing button. But today, the most common mechanism available to employees to report phishing is a dedicated abuse email inbox.

Whether the phishing incident is reported through an inbox or a phishing button, the phishing email itself is forwarded to some combination of a security operations center or help desk support center, for investigation and remediation. In some cases, the mail platform (Microsoft Office 365 or Gmail) or phishing simulation vendor also receives a copy of the reported phishing messages.

Chart: Employee Options to Report Phishing (Global). Forward to Abuse Email Address 63%; Contact Help Desk Directly 58%; Email Client (Native) 45%; Email Client (Third-Party Vendor) 37%; No Ability to Report 5%; Other 0%.

Employee-Reported Incidents: Volume and Accuracy

With so much empowerment, training, and testing designed to help employees recognize and report phishing incidents, just how many suspected attacks are reported? What about accuracy?

Based on the results to this quarter’s survey, respondents report roughly 29,028 phishing incidents per organization on an annual basis, with a slightly lower number of phishing incidents in UK-based companies.

Charts: Volume Per Organization of Phishing Incidents. Average Number of Reported Phishing Incidents Per Organization Annually (US, UK, Global; Q1 vs. Q2; y-axis 0–30,000). Distribution of Annual Reported Phishing Incidents (Global) across the bins <1,200, 1,200–12,000, 12,000–36,000, 36,000–60,000 and >60,000 (values shown: 30%, 26%, 20%, 19%, 6%).

In all, 56% of respondents reported a number of phishing incidents ranging from 12,000 to 36,000 per year.

Employee-Reported Incidents: False Positive Rate Rises 10%

The emails employees report are not always true phishing incidents. Security training often encourages users to report any suspicious email. As a result, spam, unwanted marketing emails, as well as legitimate email messages are often reported as phishing—even when they are not. In the first quarter of 2019, the false positive rate for employee-reported phishing incidents climbed 10% on a global basis. In the United States, the rate rose from 49% to 56%, while the United Kingdom saw a 3% decline over ninety days.

Chart: Employee-Reported Phishing False Positive Rate (Global, US, UK; y-axis 0–60%). Values shown: 55%, 56%, 52%, with the United States at 56%.

Time Required for Triage, Investigation, Forensics, and Remediation

Each quarter’s survey participants are asked: “For employee phishing reports, how much time on average does it take a SOC analyst to triage, investigate, and remediate?”

Flow diagram: Reports → Alerts → Incidents

Phish Reporting: Employees report suspect message using phish button. Problem: Employee reports are noisy, and phishing training makes the problem worse for the SOC.

SOC Triage: SOC handles reports, filtering out obvious false positives. Problem: The tools & workflow for managing these reports, both in terms of true phishing incidents and false positive reports, are crude and inefficient—often just an Outlook mailbox.

Forensic Analysis: SOC Analyst determines level of impact. Problem: Understanding level of impact involves using multiple groups, and there isn’t effective data sharing between them.

Incident Remediation: SOC works with Messaging to address incidents. Problem: Remediation often involves lots of cutting & pasting across multiple forensic tools.

Response Times Climbing Fast

On a global basis, the overall average across all phishing incidents is now 6.5 hours to triage, investigate, and remediate. That number is up 32% from 4.9 hours in the course of ninety days. In the United States, the rate is up 1.86 hours, while in the United Kingdom, the rate is up by nearly a full hour.

On average, SOC analysts now spend 5.58 hours triaging a false positive, compared to 3.96 hours in the previous quarter. And they spend an average 6.64 hours triaging, investigating, and remediating a valid phish—an increase of 0.76 hours during the same time period.

Chart: Average Time Per Phishing Incident to Triage, Investigate, and Remediate (hours; True Phish vs. False Positive; Global, US, UK). Values shown: 7.20, 6.64, 5.78, 5.58, 5.45, 5.16, with the global averages at 6.64 hours for a true phish and 5.58 hours for a false positive.

The triage process generally involves a quick investigation of the sender domain and address, included links, and attachments to determine if the message is potentially malicious. This process is often manual, requires multiple third-party tools, and involves the judgement of the analyst—something that is not always 100% reliable.

SOC Staffing Snapshot
Headcount Needs Nearly Double in 90 Days

In the face of this continuous barrage of phishing incidents, the average number of SOC analysts per organization hit 14.6 in the first quarter of 2019—up from 12.5 quarter-on-quarter.

More than 90% of organizations report having at least one dedicated SOC analyst. Not surprisingly, the analysis showed a strong correlation between company size, the number of phishing incidents, and the number of SOC employees. For example, 41% of organizations with more than 10,000 employees have 20 or more SOC analysts. The same is true of organizations with 60,000 or more phishing incidents per year.

Chart: Average Number of SOC Analysts Employed (Global, US, UK; y-axis # of Analysts, 0–20). Values shown: 15.9, 14.6, 12.0, with 14.6 the global average.

The Q2 Staffing Gap

Based on the average number of phishing incidents and the average time to remediation (6.5 hours), the average SOC needs 90 analysts to handle the number of phishing incidents per company. Given that the average number of SOC analysts in our survey is 14.6, there is a widening staffing gap of at least 76 full-time equivalents (FTEs). This gap currently results in organizations failing to detect phishing incidents, which opens each organization to the possibility of breaches or fraud.

Data Breach Economics
Risk Reductions from Automation

Today, the entry point for 96% of all data breaches is well-targeted email, according to the 2018 Verizon Data Breach Investigations Report (DBIR). The average cost of a data breach in the United States is now $7.9 million, and organizations face an average 14% probability of suffering a breach within the next year, according to Ponemon Institute. If you multiply the average breach cost of $7.9 million by the probability of 14%, the annual breach risk is $1.1 million.

Chart: time to Discovery vs. time to Exfiltration (Seconds, Minutes, Hours, Days, Weeks, Months, Years; y-axis 0–60%). Source: 2018 Verizon DBIR

Meanwhile, the Verizon DBIR finds that the average data breach results in exfiltration of data within minutes or hours—while the average time-to-discovery takes months. This is likely a symptom of understaffed and inefficient SOC processes for handling phishing incidents. Ideally, SOC analysts would be able to triage, investigate, and remediate reported phishing incidents within minutes, enabling the business to remediate the compromise and contain the breach.

Q2 Automation Index

As part of our quarterly phishing incident response survey, we asked respondents how much reducing the response time required for phishing incident response would reduce their breach risk. Overall, this quarter’s respondents felt their business could reduce breach risk by an average 51% by automating the process of phishing incident response.

In the United States, that figure rose 2% from the previous quarter, to an average 53% reduction in breach risk, while in the United Kingdom, estimates dropped 3% during the same period, to an average 45% reduction.

On a global basis, a 51% reduction in breach risk would result in a $561,025 decrease in annual breach risk for the average business.

Chart: Risk Reduction Due to Automated Phishing Incident Response: Global 51%, US 53%, UK 45%.

Totaling It Up
The Cost of Manual Response vs. the Savings from Automation

Based on the data captured in this quarter’s phishing incident response survey, it’s possible to establish the variables needed to estimate the cost of manually handling phishing incidents, average breach risk, and the potential cost savings of automating the process.

SOC Analyst Costs: 6.5 Hours per Phishing Incident x 29,000 Incidents = 188,500 Hours of SOC Analyst Time; 188,500 Hours ÷ 2,080 FTE Hours per Year = 90 FTEs; 90 FTEs x $90,000 per FTE = $8.1M

SOC Analyst Savings: $8.1M – 90% SOC Time Savings = $7.29M Savings

Breach Risk Reduction: $7.9M Average Breach Loss x 14% Probability of Breach = $1.1M Breach Risk; $1.1M Breach Risk – 51% Risk Reduction = $561,000 Breach Risk Reduction

Total Savings: $7.29M SOC Analyst Time Savings + $561,000 Breach Risk Reduction = $7.85M Total Savings

To calculate a custom ROI for your organization, visit agari.com/roi

Using averages for all variables, the detailed calculations above show a total annual cost to the SOC of $8.1 million and an average annual breach risk of $1.1 million—for a total cost of $9.2 million per company. By implementing automated phishing incident response processes that reduce the time to triage, investigate, and remediate phishing incidents by 90%, and the time to discover and remediate data breaches by up to 51%, organizations could save $7.29 million in SOC costs and $561,000 in breach risk—for a total savings of $7.85 million.

Customer Phishing and DMARC Trends

KEY FINDINGS

By the end of March, ACID identified 6.75 million domains with valid DMARC records, up roughly 1% quarter-over-quarter.

Germany is the #1 region responsible for raw domains with DMARC records, though the United States took the top prize for the percentage of domains at a reject policy.

Only 25% of domains are configured to send email, with DMARC settings on the vast majority set to monitor-only.

DMARC Adoption Snapshot
The Industry’s Largest Ongoing Study of Adoption Rates Worldwide

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open standard email authentication protocol that helps businesses protect their brands and domains from being used to send fraudulent phishing emails. In a snapshot of more than 328 million Internet domains—the largest of any industry survey—we break down the state of DMARC implementation worldwide from January 1 through March 31, 2019.

Take Control of Your Domains

DMARC gives brands control over who is allowed to send emails on their behalf. It enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains, and gives the brand the ability to tell the email receiver systems what to do with those unauthenticated email messages.

Failing to implement DMARC at p=reject results in an easily identifiable vulnerability. Cybercriminals often spoof domains in order to send large volumes of phishing attacks targeting the domain owner’s customers and partners. The ripple effect can be significant. The domain may suffer reputational damage, resulting in being blacklisted by some receiver infrastructures, or experience reduced deliverability rates for legitimate email, hurting email-based revenue streams. The effects may first show up in complaints that outgoing emails aren’t reaching recipients, often bouncing or being filtered by spam filters.

Chart: Domains with DMARC Policies, Aug 2017 / Sept 2018 / Dec 2018 / Mar 2019 (y-axis 0–8,000,000; legend: Monitor (p=none), Quarantine, Block (p=reject)).

For more information on DMARC and the benefits of adoption, visit agari.com/dmarc-guide

Brands looking to deploy DMARC are advised to start with DMARC p=none and work up to p=reject through a well-defined DMARC implementation plan. When enforcement policies are set properly, DMARC has been shown to drive down phishing rates impersonating brands to near zero.

The Picture Grows Sharper

By crawling the entire public Internet domain space representing over 328 million domains, ACID was able to generate its latest snapshot of DMARC implementation rates worldwide from January through March 2019. Overall, there was continued growth in the DMARC adoption rate, but at a much slower pace than the previous quarter.

Q2 Scorecard
Vendors and DMARC Service Providers

Each quarter, we assess how vendors and DMARC service providers are helping organizations use DMARC to protect their domains from email impersonation scams. The size of our dataset offers an unprecedented view into the number of domains for which vendors have established DMARC records, as well as how many of those records have been set to the highest enforcement level of p=reject. This combination of data points offers a snapshot of market share and success rates for each of these vendors.

How the Scorecard Works As a shorthand to determining a market share figure, we tabulated the number of times specific, well-known DMARC implementation vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field that accepts an email address to receive aggregate DMARC data reports is a good proxy for this calculation. With this email address, the DMARC vendor typically accepts, parses, and visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.
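The scorecard method described above can be reproduced against raw DNS TXT records. The following is an added example in Python, not Agari’s code: it parses each record, maps the mailto: addresses in the rua= tag to a reporting vendor, and tabulates domains managed and the share at p=reject per vendor. The vendor names, their rua mailbox domains, and the sample records are constructed placeholders, not real vendors from the report.

```python
"""DMARC vendor scorecard: count domains whose rua= tag names a vendor,
and the percentage of those domains at p=reject.
Added example; vendors, mailbox domains and records are constructed."""
from collections import defaultdict

# Constructed: vendor -> mailbox domains it uses to receive aggregate reports.
# Hypothetical placeholders; a real scorecard would use known vendor domains.
VENDOR_RUA_DOMAINS = {
    "VendorA": {"rua.vendor-a.example"},
    "VendorB": {"dmarc.vendor-b.example", "reports.vendor-b.example"},
}


def parse_dmarc(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict.
    Returns {} when the record is not a DMARC1 record (e.g. an SPF record)."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def rua_vendors(tags: dict) -> set:
    """Vendors named by mailto: URIs in the rua= tag (comma-separated list)."""
    vendors = set()
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue
        # Drop the optional "!size" report-size suffix, then keep the domain.
        addr = uri[len("mailto:"):].split("!")[0]
        domain = addr.rpartition("@")[2].lower()
        for vendor, domains in VENDOR_RUA_DOMAINS.items():
            if domain in domains:
                vendors.add(vendor)
    return vendors


def scorecard(records: dict) -> dict:
    """records: {domain: txt}. Returns {vendor: (domains_managed, pct_reject)}.
    A domain naming two vendors is counted for both, as the rua field allows."""
    managed = defaultdict(int)
    reject = defaultdict(int)
    for _domain, txt in records.items():
        tags = parse_dmarc(txt)
        if not tags:
            continue
        # A missing p= is treated as monitor-only here (conservative choice).
        policy = tags.get("p", "none").lower()
        for vendor in rua_vendors(tags):
            managed[vendor] += 1
            if policy == "reject":
                reject[vendor] += 1
    return {v: (managed[v], round(100.0 * reject[v] / managed[v], 1)) for v in managed}


# Constructed sample records (domain -> _dmarc TXT value).
SAMPLE_RECORDS = {
    "brand-one.example": "v=DMARC1; p=reject; rua=mailto:dmarc@rua.vendor-a.example",
    "brand-two.example": "v=DMARC1; p=none; "
                         "rua=mailto:x@rua.vendor-a.example,mailto:y@dmarc.vendor-b.example",
    "brand-three.example": "v=DMARC1; p=quarantine; pct=50; "
                           "rua=mailto:z@reports.vendor-b.example!10m",
    "brand-four.example": "v=DMARC1; p=reject",                 # self-managed, no rua
    "brand-five.example": "v=spf1 include:_spf.example -all",   # not a DMARC record
}

if __name__ == "__main__":
    for vendor, (count, pct) in sorted(scorecard(SAMPLE_RECORDS).items()):
        print(f"{vendor}: {count} domains managed, {pct}% at p=reject")
```

Self-managed domains (no rua= pointing at a vendor) are deliberately left out of every vendor's count, which mirrors the report's note that most DMARC deployments use no major service provider.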

Q2 Vendor Rankings by Total Share of Domains and Percentage of Domains with Reject Policies

The chart shown on the next page provides a basic ranking of top vendors, corresponding to the number of domains that specify that particular vendor in the “rua” field. We then apply a second filter indicating the all-important percentage of domains at the highest possible DMARC enforcement policy setting of p=reject for each vendor, which is the policy level that will block phishing messages. Quarter-over-quarter, there was some movement in overall vendor rankings, with slight improvements for some second tier vendors in terms of the total percentage of domains with DMARC set at its top enforcement level.

Assessing Vendor Attributes

THE SWEET SPOT: Category-leading vendors achieve that perfect combination of a large number of domains serviced across a wide range of industries matched with high levels of top enforcement policy implementation. Finding a company that has high marks in both is essential for those organizations looking to see success with DMARC implementation.

HIGHER QUANTITIES CAN SEE LOWER ENFORCEMENT: The “Goldilocks” ratio can be harder to achieve for mid-tier vendors, which tend to struggle with the ratio of domains they service and what percentage of those records they succeed at converting to the highest enforcement policies. Category leaders with high numbers of enterprise clients can face this challenge as well, as it is harder to have more enterprise domains set to reject.

QUALITY VARIES WILDLY: About 315,000 of the domains that deployed DMARC are using a recognized DMARC provider, and about 6 million domains have DMARC deployed without using a major DMARC service provider. When selecting a vendor, enterprises with hundreds or thousands of domains should consider vendors that have both high numbers of domains and a high-percentage enforcement rate in order to better ensure success.

Chart: DMARC Policy Observations Over Q1 2019, by vendor (Agari, 250ok, ValiMail, Dmarcian, Proofpoint, MXToolbox, Postmarkapp, DMARC Analyzer, Barracuda Networks). Left axis: # Domains Managed (0–150,000); right axis: % Reject Policy (0–100%); legend: Domains Managed, Domains w/ Reject Policy.

DMARC Adoption By Geography

As a new feature to the quarterly trends report, ACID is looking at the state of DMARC adoption by key geographies. As measured by domains for which a country code can be validated, this data encompasses roughly 50% of our total pool of analyzed domains worldwide.

Germany Ahead in DMARC Records, United States in Enforcement According to our analysis, Germany leads all survey geographies in registered domains with established DMARC records, accounting for nearly a sixth of the world’s DMARC records overall, and the vast majority of domains for which a country code can be correlated.

Predictably, given the total volume, Germany also ranks highest in established DMARC records at the default monitor-only setting. As mentioned earlier, this could reflect a high number of domains that are automatically assigned DMARC records by registrars, even when a large percentage of those domains may never be used to send email.

Data for the United States paints a different picture. While it ranks a distant second in the total number of country-coded domains assigned DMARC records, it is number one in DMARC records with an established p=reject enforcement policy. According to industry studies, the United States is the most heavily-targeted nation by cybercriminals, which may help to explain this discrepancy.

Charts: Top DMARC Overall (DE, US, NL, ES, FR, GB, RU, IE, TR, PL; y-axis 0–1,200,000). Top 5 P Value = None: DE, US, NL, FR, ES (0–4M). Top 5 P Value = Reject: US, NL, DE, IE, GB (0–500K).

Prominent Trends Across Top Companies

This section presents our quarterly assessment of publicly available adoption data for the Fortune 500, Financial Times Stock Exchange 100 (FTSE 100), and Australian Securities Exchange 100 (ASX 100), highlighting trends among prominent organizations across geographies.

Fortune 500

The Fortune 500 is an annual list compiled and published by Fortune magazine that ranks 500 of the largest United States corporations by total revenue for their respective fiscal years. The list includes publicly held companies, along with privately held companies for which revenues are publicly available. It is a good indicator for how security is trending amongst large companies.

During the first quarter of the year, DMARC adoption remained tepid, with the largest corporations continuing to implement email authentication at a measured pace. Even for those that have assigned DMARC records to their domains, the sizable proportion of “no record” and “monitor-only” policies dramatically increases the likelihood of the organization being impersonated in phishing campaigns targeting their customers and other consumers and businesses. But there has been progress.

DMARC Adoption – Just over 40% of the Fortune 500 with DMARC records assigned to domains have yet to publish an enforcement policy. Nonetheless, this is up nearly 5% from December 2018.

Quarantine Policy – Over 5% have implemented a quarantine policy to send phishing emails to the spam folder, in line with the previous quarter.

Reject Policy – Just over 1 in 10 have implemented a reject policy to block phishing attempts impersonating their brands. While relatively low, that’s up roughly 8% from December 2018.

Chart: Fortune 500 DMARC Adoption, Aug 2017 / Sept 2018 / Dec 2018 / Mar 2019 (legend: Reject, Quarantine, None, No Record). Reject: 3%, 7%, 10%, 11%. None: 23%, 33%, 39%, 42%. No Record: 73%, 59%, 46%, 42%.

FTSE 100

The Financial Times Stock Exchange 100 Index, more commonly known as the FTSE 100, is a share index of the top 100 companies listed on the London Stock Exchange (LSE). It is seen as the benchmark reference for those seeking an indication on the performance of major companies in the United Kingdom.

Just under half of the top 100 public companies in the UK do not have a DMARC record for their corporate domains. The lack of DMARC implementation means an organization’s customers, suppliers, and other consumers and businesses remain vulnerable to phishing and the losses associated with email scams bearing the organization’s name.

DMARC Adoption – During the first quarter of 2019, there was a 4% increase in the number of FTSE 100 companies publishing a DMARC policy. This marks the first quarter that more than half of all FTSE 100 companies have domain records for their corporate domains.

Quarantine Policy – Only one percent have implemented a quarantine policy to send phishing attempts to spam. This percentage is unchanged from the previous quarter.

Reject Policy – Only 14 companies have implemented a reject policy to block phishing-based brand impersonations. That’s a 3% increase from the previous period.

Chart: FTSE 100 DMARC Adoption, Aug 2017 / Sept 2018 / Dec 2018 / Mar 2019 (legend: Reject, Quarantine, None, No Record). Reject: 6%, 9%, 11%, 14%. None: 26%, 34%, 35%, 36%. No Record: 73%, 59%, 53%, 49%.

ASX 100

The ASX 100 is Australia’s stock market index, representing its top 100 large and mid-cap securities.

It appears significant educational efforts are required to boost DMARC adoption in this region, which remains nearly unchanged from Q4 2018. Today, 55% of ASX 100 companies have yet to take the first step in adopting DMARC to combat the threat from brand impersonation attacks bearing their name.

DMARC Adoption – Despite a 1% increase during the last quarter, more than half of the ASX has yet to publish a DMARC policy, showcasing how few companies are thinking about email security.

Quarantine Policy – Two percent have implemented a quarantine policy—the same as the prior quarter.

Reject Policy – Only seven percent have implemented a reject policy, unchanged from Q4 2018.

Chart: ASX 100 DMARC Adoption, Aug 2017 / Sept 2018 / Dec 2018 / Mar 2019 (legend: Reject, Quarantine, None, No Record). Reject: 3%, 7%, 7%, 7%. None: 23%, 33%, 35%, 36%. No Record: 73%, 59%, 56%, 55%.

Large Sector Analysis
DMARC Authentication by Vertical

As part of our quarterly analysis of DMARC adoption, we examine public DNS records for primary corporate and government website domains of large organizations with revenues above $1 billion.

This quarter, the US Government is hands down the leader in DMARC policy attainment across all major sectors, with 81% of domains attaining DMARC implementation at a p=reject enforcement policy. While most other sectors experienced negligible changes in adoption over the last quarter, the percentage of healthcare industry domains without a DMARC record dropped 3%.

However, most of these records appear to have been published without an enforcement policy, leaving the associated domains open to email-based impersonation scams targeting their customers and business partners.

Chart: DMARC Policy and Enforcement Trends for Key Industries (US Gov, Finance, Tech, Other, Healthcare, Retail; legend: Reject, Quarantine, None, No Record). Reject: 81%, 15%, 7%, 6%, 5%, 4%. No Record: 14%, 49%, 44%, 50%, 57%, 61%.

Industry Enforcement Comparison
The Agari Advantage by Vertical

By looking at the data in the Agari Email Threat Center, we can take a look at how enforcement rates across industries compare with those of Agari customers.

Aggregating real-time DMARC statistics from the domains of top banks, social networks, healthcare providers, major government agencies, and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world based both on email volume and domains. To generate real-time threat intelligence, the Agari Email Threat Center analyzed more than 537 billion emails from over 48,000 domains from January through March 2019.

Healthcare Takes the Lead

Segmenting by the same industry groupings presented in the previous section, we compare the respective enforcement levels for each vertical category with that of Agari customers. For the first time ever, healthcare has surpassed the government sector to rank highest among all in the percentage of domains at enforcement in our quarterly reports.

This is remarkable, as healthcare as a vertical moved from the lowest enforcement rate in the Threat Center in Q4 2017 to rank second by year-end 2018. By March 2019, it had surged past government, which had been the enforcement leader amongst Agari customers for some time.

Healthcare’s momentum is likely driven by the National Health ISAC, which issued a companion pledge for DMARC attainment to match that of the US Government’s Binding Operational Directive 18-01. BOD 18-01 was issued in October 2017 and has been the driving factor behind the sky-high adoption rates for executive branch agencies. Agari healthcare sector customers appear to have also attained that goal—and then some.

Chart: Percentage of Domains at Enforcement, Global vs. Agari Customers (US Govt, Finance, Tech, Other, Healthcare, Retail). Global: 81%, 15%, 7%, 6%, 4%, 4%. Agari customers: values shown 81%, 79%, 70%, 69%, 69%, 68%, with healthcare ranking highest.

Note: The Threat Center tracks authentication statistics across active domains belonging to Agari’s customers. Passive or defensive domains that do not process email will not be reflected in the totals. Overall, as indicated previously, the Agari reject rate across all industries in the global domain snapshot is 80%.

Brand Indicators
Adoption Up 60% as More Brands Realize Its Value

Brand Indicators for Message Identification (BIMI) is a standardized way for brands to publish their brand logo online with built-in protections that safeguard the brand, application providers, and consumers from impersonation attempts.

Groupon, Aetna, eBay, and Capital One are just some of the brands that use BIMI to display their logo next to their email messages— enhancing brand presence as well as providing assurance to recipients that the message is safe to open. BIMI will work only with email that has been authenticated through the DMARC standard and for which the domain owner has specified a DMARC policy of enforcement, so only authenticated messages can be delivered.

Q2 BIMI Snapshot: A 60% Increase in Brand Adoption

As of March 2019, 130 brand logos use BIMI with their top level domains, and any number of additional subdomains. This is up from 81 logos in January, making it a 60% increase in just ninety days. With a growing number of pilots underway, look for this figure to climb in coming months. Because of its ability to help increase brand exposure and visibility even while protecting against brand impersonations, it may soon be considered “must-have” for brand email campaigns everywhere.

About This Report

This report contains metrics from data collected and analyzed by the following sources:

Aggregate Advanced Threat Protection Data

For inbound threat protection, Agari uses machine learning—combined with knowledge of an organization’s email environment—to model good or authentic traffic. Each message received by Agari is scored and plotted in terms of email senders’ and recipients’ identity characteristics, expected behavior, and personal, organizational, and industry-level relationships. For the attack categorization analysis, we leveraged anonymous aggregate scoring data that automatically breaks out identity deception-based attacks that bypass upstream SEGs into distinct threat categories, such as display name deception, compromised account, and more.

Phishing Incident Response Trends

This report presents results from a custom survey conducted by Agari during March 2019. The following charts summarize the demographics and location of the respondents.

Respondent Characteristics

Country: US 68% (176); UK 32% (84)

Company Size: 1–5K 51% (131); 5–10K 22% (58); 10K+ 27% (71)

Global DMARC Domain Analysis Q2 2019

For broader insight into DMARC policies beyond what we observed in email traffic targeting Agari’s customer base, we analyzed 328,540,568 domains, ultimately observing 6,755,877 domains with recognizable DMARC policies attached. This constantly updated list of domains serves as the basis for trend tracking in subsequent reports.

About the Agari Cyber Intelligence Division (ACID)

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigation. ACID supports Agari’s unique mission of protecting communications so that humanity prevails over evil. ACID uncovers identity deception tactics, criminal group dynamics, and relevant trends in advanced email attacks. Created by Agari in 2018, ACID helps to impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.

Learn more at acid.agari.com.

About Agari

Agari is transforming the legacy Secure Email Gateway with its next-generation Secure Email Cloud™ powered by predictive AI. Leveraging data science and real-time intelligence from trillions of emails, the Agari Identity Graph™ detects, defends, and deters costly advanced email attacks including business email compromise, spear phishing, and account takeover. Winner of the 2018 Best Email Security Solution by SC Magazine, Agari restores trust to the inbox for government agencies, businesses, and consumers worldwide.

Learn more at www.agari.com.


Discover How Agari Can Improve Your Current Email Security Infrastructure

As your last line of defense against advanced email attacks, Agari stops attacks that bypass other technologies—protecting employees and customers, while also enabling incident response teams to quickly analyze and respond to targeted attacks.

Get Free Trial: www.agari.com/trial

View the 2020 Presidential Campaign Email Threat Index

To see the latest information on which candidates have implemented email security for their campaigns, visit: www.agari.com/election2020

Visit the Agari Threat Center

To see up-to-date global and sector-based DMARC trends across the Agari customer base, visit: www.agari.com/threatcenter

Calculate the ROI of Implementing Agari

To discover how much money you can save by adding Agari to your email security environment, visit: www.agari.com/roi

© 2019 Agari Data, Inc.