Q2 2019 Email Fraud and Identity Deception Trends Global Insights from the Agari Identity Graph
AGARI CYBER INTELLIGENCE DIVISION REPORT
Q2 2019 Email Fraud and Identity Deception Trends: Global Insights from the Agari Identity Graph™
© 2019 Agari Data, Inc.
Executive Summary

Quarterly analysis from the Agari Cyber Intelligence Division (ACID) finds business email compromise (BEC), spear phishing, consumer-targeted brand impersonation scams, and other advanced email threats continue to evolve at a relentless pace, and could even put major US presidential candidates at risk from attacks targeting their staff and their voters as the 2020 election cycle ramps up.

Email Hacking: 2016 Redux, or Something Far Worse?

Despite lessons learned from the hacking of Clinton campaign chairman John Podesta’s email account and the subsequent release of sensitive emails on WikiLeaks, little progress has been made since the 2016 US presidential election. As the 2020 election cycle revs up, campaigns are still struggling with email security, primarily because few of the current and most prominent candidates have dedicated staff or resources to implement effective defenses.

In fact, over 90% of the current presidential contenders rely on the easily-bypassed security controls built into their email platforms—almost exclusively Google Suite and Microsoft. While these controls offer basic defenses, they won’t protect against the kind of advanced email attacks likely to target campaign staff.

And that’s not the only kind of email threat candidates should fear. As of April 29, ACID analysis of domain data indicates only one of the leading candidates polling over 1%—Massachusetts Senator Elizabeth Warren (D)—has a DMARC record established for their domains with a policy that would prevent the campaign or the candidate from being impersonated in emails targeting donors, voters, and others.

Given the stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of world-class hackers, especially as more than 90% of the leading candidates remain wide open to attack.
Nearly 30% of BEC Attacks Now Originate from Compromised Email Accounts

ACID analysis finds continued volatility in the identity deception tactics used by the cybercriminal organizations behind a growing number of BEC scams. The percentage of all phishing attacks employing identity-deception tactics that use a display name intended to impersonate a trusted individual or brand has dropped to 53%, but most troubling has been the steady increase in the use of compromised email accounts. From January through March 2019, 27% of all identity-deception attacks were launched from compromised accounts. That’s an increase of nearly 30% in just 90 days, making this the second-most prevalent identity deception technique. Because phishing attacks launched from compromised accounts are by far the hardest to detect and disrupt, they are especially effective at defrauding the rightful owners of the account—as well as targeted businesses.

Employee-Reported Phishing Attacks Reaching SOCs Surge 25%

According to the Q2 ACID Phishing Incident Response Survey of 176 SOC professionals at 325 organizations with 1,000+ employees, the number of employee-reported phishing attacks climbed 25% in the past quarter—increasing the total volume of incidents corporate security operations centers (SOCs) must remediate to an average of more than 29,000 annually. During this same period, the time needed to triage, investigate, and remediate each incident rose to an average of 6.5 hours. While the number of SOC analysts increased to 14, the gap between the number of analysts needed (90) and the actual number of analysts widened.

DMARC Adoption Rises a Tepid 1% While 90% of Fortune 500 Remains Unprotected

By the end of March 2019, ACID identified 6.75 million domains with valid DMARC records out of 328 million total domains examined as part of the industry’s largest ongoing study of DMARC adoption worldwide. Germany ranks first in raw domains with established DMARC records, though the United States maintains the highest percentage of domains with DMARC records with a reject policy. Overall, domains with DMARC records rose 1%, with the rate of growth rising at a much slower pace than the previous quarter. This leaves the vast majority of the world’s most prominent companies vulnerable to email-based impersonation attacks targeting their customers, partners, and other businesses—including nearly 90% of the Fortune 500.
Inside this Report

In this quarterly report, we examine trends in phishing and email fraud perpetrated against businesses and their customers. For the first time ever, we also begin tracking both Domain-based Message Authentication, Reporting and Conformance (DMARC) and Advanced Threat Protection adoption among presidential candidates seeking their parties’ nominations heading into next year’s 2020 US elections. This report includes a look at which campaigns may be most vulnerable to email-based impersonation scams that can damage candidates’ reputations, operational effectiveness, fundraising efforts, and even national security.

Also included are the results from our quarterly survey on the impact of phishing incident response in the enterprise, and the burden and cost for a security operations center (SOC) team to respond to employee-reported emails.

The statistics presented here reflect information captured from the following sources from January through March 2019:
• Analysis of 2020 Presidential campaign email vulnerability based on DNS and MX record information
• Data extracted from the 300 million+ daily model updates by the Agari Identity Graph™
• DMARC-carrying domains identified within the 328 million+ domains crawled
• Insights captured from a phishing incident survey of more than 250 cybersecurity professionals

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigation. ACID supports Agari’s mission of protecting communications so that humanity prevails over evil. The ACID team uncovers identity deception tactics, criminal group dynamics, and relevant trends in advanced email threats. Created by Agari in 2018, ACID helps to impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.
Table of Contents

Presidential Campaign Security 2020
--Deception 2020: US Elections Under Email Attack 9
--Enemies in the Inbox: Spear Phishing Attacks Should Raise Concerns for Candidates 10
--2016 Presidential Redux—or Worse? DMARC Authentication Necessary for Voter Protection 12

Employee Phishing and Business Email Compromise (BEC)
--Patterns of Deceit: Attacks from Compromised Accounts Continue to Surge 16
--C-Suite Phishing Trends: High-Value Executives See Rise in Identity Deception Attacks Impersonating Individuals 18
--BEC in the Spotlight: The Use of Free Accounts, Look-alike Domains, and Personalization 19

Phishing Incident Response Trends
--Incident Response Trends: SOCs See Reported Phishing Attacks Jump 25% 24
--Employee Empowerment Evolves: Organizations Change Tactics for Employee Reporting 25
--Catching Phish: How Employees Report Suspected Attacks 26
--SOC Staffing Snapshot: Headcount Needs Nearly Double in 90 Days 31
--Data Breach Economics: Risk Reductions from Automation 32
--Totaling It Up: The Cost of Manual Response vs. the Savings from Automation 34

Customer Phishing and DMARC Trends
--DMARC Adoption Snapshot: The Industry’s Largest Ongoing Study of Adoption Rates Worldwide 36
--Q2 Scorecard: Vendors and DMARC Service Providers 38
--DMARC Adoption By Geography 40
--Prominent Trends Across Top Companies 41
--Large Sector Analysis: DMARC Authentication by Vertical 44
--Industry Enforcement Comparison: The Agari Advantage by Vertical 45
--Brand Indicators Adoption Up 60% as More Brands Realize Its Value 46

About This Report 47
About the Agari Cyber Intelligence Division (ACID) 48
Key Terms

A Taxonomy of Advanced Email Threats

With rising levels of cybercrime posing a serious threat to individuals, businesses, and governments, it is vitally important to codify a consistent set of terms to describe the different challenges that characterize this threat landscape. Not every email scam is a “phishing attack,” for instance.

To address this need, ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy will help readers understand the terms used in this report and what they mean to email security.

Because email fraud centers around identity deception—the impersonation of trusted senders—in order to con recipients, we start with the method by which the impostor impersonates the trusted sender’s email account, making it appear as if the emails the impostor is sending are originating from the trusted party.

[Figure: Agari Threat Taxonomy]
Sender: Imposter (Spoof, Look-alike Domain, Display Name Deception, Compromised Account); Authentic (Account Owner)
Classification: Fraud (Social Engineering, Scattershot, Targeted, URL, Malware, Con); Unsolicited Email (Spam, Graymail); Legitimate Email (Misconfiguration)
Recipient: Internal (Employees, Contractors); External (Partners, Customers)
Objective: Monetary; IP/Data/Credential Theft; Denial of Service

For more information about the Agari Threat Taxonomy, see agari.com/taxonomy
Leading Attack Modalities

Generally speaking, we observe three primary ways in which cybercriminals impersonate an email account:

LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that is very similar to the legitimate domain he or she is seeking to impersonate. Look-alike domains are distinguished from domain spoofing, in which the attacker uses the actual email address of the impersonated identity in the “From” header—for example, “Company Customer Service.” Email authentication standards such as DMARC can be used by a domain owner to prevent spoofing of the domain, but are still not adopted widely by all businesses.

DISPLAY NAME DECEPTION: This happens when the cybercriminal inserts the name of the impersonated individual or brand into the “From” field within Gmail, Yahoo, or another free cloud-based email platform. These are also known as “friendly from” attacks.

COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that’s already been compromised—assuming the identity and the actual email account of the impersonated individual or brand, which is the most dangerous threat of all.

[Figure: Sender branch of the threat taxonomy. Imposter: Spoof, Look-alike Domain, Display Name Deception, Compromised Account. Authentic: Account Owner (Brand / Individual).]

Different types or classes of attacks will entail different elements of this taxonomy. A business email compromise (BEC) attack, for instance, can involve an impostor who aims to impersonate a trusted individual or brand using a look-alike domain, display name deception, or in the worst cases, a compromised legitimate account, leveraging sophisticated social engineering tactics to send highly personalized attacks. Impersonated individuals may be executives within the target’s own company, or an outside vendor or partner company. A BEC attack is targeted and uses a con with no URL or attachment.

By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone into clicking on a malicious link that captures their username and password. When attacking businesses, display name deception is typically the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.
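To make the three modalities above concrete from the receiving side, here is an added example (written for this page, not Agari's code) that sorts a message's From header into the taxonomy's sender categories: spoof, look-alike domain, display name deception (brand or individual), or mail that genuinely comes from a trusted domain. The trusted directory, the domains example.com and chase.example, and the sample headers are all constructed. The authenticated flag stands in for the DMARC verdict a gateway already has, which is what separates a spoof from real mail at a trusted domain; as the text notes, a compromised account passes that check and looks identical to the real owner here.

```python
"""Classify a From header against the sender branch of the threat taxonomy
described in this report: spoof, look-alike domain, display name deception
(brand or individual), or a message that really comes from a trusted domain
(authentic, or a compromised account, which the From header cannot tell apart).

Added example written for this page; not Agari's code. The trusted identities
and the message headers below are constructed samples.
"""
import re
from email.utils import parseaddr

# Constructed directory of identities a hypothetical organisation trusts.
# kind matches the report's two display-name deception categories.
TRUSTED = [
    {"address": "ceo@example.com", "name": "Patrick Peterson", "kind": "individual"},
    {"address": "support@chase.example", "name": "Chase Support", "kind": "brand"},
]


def levenshtein(a, b):
    """Plain edit distance, used to spot near-miss domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address):
    return address.rpartition("@")[2].lower()


def is_lookalike(sender_domain, trusted_domain):
    """True when sender_domain imitates trusted_domain without being it."""
    if sender_domain == trusted_domain:
        return False
    if levenshtein(sender_domain, trusted_domain) <= 2:
        return True
    # The trusted name's left-most label re-used as a whole label somewhere
    # before the sender's top-level label, e.g. chase-support.example.
    label = re.escape(trusted_domain.split(".")[0])
    without_tld = sender_domain.rsplit(".", 1)[0]
    return re.search(rf"(^|[.-]){label}([.-]|$)", without_tld) is not None


def classify_from(from_header, authenticated):
    """Return the taxonomy category for a From header.

    authenticated mirrors the DMARC result (aligned SPF/DKIM pass) the receiving
    gateway already holds; a trusted address that fails it is a spoof.
    """
    name, address = parseaddr(from_header)
    domain = _domain(address)
    trusted_domains = {_domain(t["address"]) for t in TRUSTED}

    if domain in trusted_domains:
        if not authenticated:
            return "spoof"
        # Authentic mail and mail from a compromised account are identical here,
        # which is why the report calls account takeover the hardest to detect.
        return "authentic or compromised account"

    if any(is_lookalike(domain, td) for td in trusted_domains):
        return "look-alike domain"

    for t in TRUSTED:
        if name.strip().lower() == t["name"].lower():
            return f"display name deception ({t['kind']})"

    return "unknown"


if __name__ == "__main__":
    samples = [  # constructed headers modelled on the report's figure
        ('"Patrick Peterson" <patrick.peterson@gmail.com>', True),
        ('"Chase Support" <alerts@chase-support.example>', True),
        ("IT Helpdesk <ceo@examp1e.com>", True),
        ("Patrick Peterson <ceo@example.com>", False),
        ("Patrick Peterson <ceo@example.com>", True),
        ("Jane Doe <jane@partner.example>", True),
    ]
    for header, auth in samples:
        print(f"{classify_from(header, auth):38} {header}")
```

The ordering matters: the domain check runs before the display-name check, so a trusted name on a look-alike domain is reported as the domain problem, which is the more specific finding. A production gateway would combine this with the authentication result rather than accept it as a flag, and would watch for the free-webmail domains the report lists as the usual home of display name deception.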
Presidential Campaign Security 2020
Protecting the United States Election From Nation-State Attacks
Deception 2020
US Elections Under Email Attack

Initial findings show that major US presidential candidates are vulnerable both to phishing attacks against staff and to email scams impersonating their campaigns. This must be remedied as we move closer to the election, especially as cybercriminals and nation-state actors seek to derail candidates, defraud voters, and undermine democracy itself.

In the aftermath of the 2016 US presidential election and the hacking of Clinton campaign chairman John Podesta’s email account, email security has become a critical issue as the 2020 election cycle revs up. It was only three years ago that Podesta was fooled by what appeared to be an “account alert” from his email provider, Google. The malicious link, and the resulting leak of damaging campaign emails on WikiLeaks, helped derail Clinton’s bid for the presidency.

Fast-forward to 2019, and little has changed. Campaigns are still struggling with email security, primarily because very few candidates have dedicated staff or resources to implement critical email security defenses. The Department of Homeland Security offers training, but it tends to be designed for large federal agencies rather than the frenetic, on-the-fly campaign operations that are just starting to rev up for the primaries.

In fact, with the 2020 election cycle now underway, over 90% of the current presidential contenders rely on the easily-bypassed security controls that are built into their email platforms—almost exclusively Gmail and Microsoft Office 365. And while these security features provide basic protection, they are not enough to stop the advanced email attacks that are likely to target prominent candidates in the run-up to the election.

Perhaps even more troubling, only one presidential candidate polling over 1% has implemented the DMARC policy needed to keep fraudulent email purporting to come from the campaign or the candidate themselves out of voter inboxes.

The information here was collected on April 29, 2019. For an up-to-date status on top candidates, see agari.com/election2020
Enemies in the Inbox
Spear Phishing Attacks Should Raise Concerns for Candidates

While the security controls of most webmail platform providers have grown adept at ferreting out malicious links and malware, they are powerless on their own against advanced, identity-based phishing attacks, and cybercriminals are taking advantage. Instead of relying solely on the kind of spear phishing approach used on Podesta, these operatives are now launching highly personalized, socially-engineered email messages designed to manipulate recipients into revealing sensitive information or login credentials before thinking to confirm the message’s legitimacy.

Advanced Email Security Is a Necessity for Serious Candidates

To be sure, some attacks may still include “Past Due” or “Password Change Required”-style alerts designed to harvest email login credentials. But others may involve an “urgent request” from a trusted advisor, outside firm, or a senior campaign official asking the recipient to pay a vendor or forward confidential polling data or campaign information. Fortunately, much of this can be stopped by advanced email security controls that overlay on top of Microsoft Office or Gmail to stop advanced attacks like business email compromise, spear phishing, and others.

Despite the ease of implementing advanced email protection, the Agari Cyber Intelligence Division finds that only 3% of the current crop of US presidential candidates with an email-receiving domain or campaign website have implemented a solution to stop advanced threats.

[Figure: Email Gateways. All Candidates: 3% Third-Party Advanced Email Security Provider, 6% Microsoft O365 or EOL. >1% Polling with Website: 17% Third-Party Advanced Email Security Provider, 9% Microsoft O365 or EOL. The remaining segments are labelled 91% Unknown/On-Premises Gateway and 74% Google.]

A vast majority of candidates are relying on the basic controls built into their cloud-based email platform. All this means is that these candidates are open to attack in the form of phishing and account takeovers—threats that could derail an entire campaign, smear a presidential candidate, and turn the wave of support against a leading presidential contender.

Leading Candidates Are at Risk for Attack

Of the candidates polling over 1%, according to data from Real Clear Politics, the situation is not much better. Only two candidates—Massachusetts Senator Elizabeth Warren and Former Massachusetts Governor Bill Weld—have put an advanced security solution in place to protect their staff from the email threats that could cause major headaches should they be successful. Let’s hope more join them.

Even with heavy investments in security and employee phishing training, 96% of corporate data breaches begin with an email, with more than 4,000 records stolen every single minute. With these numbers, imagine what these criminals could do to a presidential bid.

The rapidly-evolving nature of campaign operations and their ad hoc ecosystem of advisors, pollsters, policy analysts, and other members of a candidate’s braintrust make them easy targets for world-class hackers—both foreign and domestic. As the race heats up and the press focuses more on our top contenders, so will nation-state actors who want to target the 2020 election and United States democracy.

And unfortunately, these are not the only types of email threats that candidates should fear.
2016 Presidential Redux—or Worse?
DMARC Authentication Necessary for Voter Protection

The fact is, there is another email-based threat that could pose a far graver danger to candidates and to our electoral system itself. US congressional and presidential candidates with domains unprotected by the DMARC email authentication protocol risk finding their campaigns impersonated in phishing attacks targeting not their staff, but rather their most important constituents—including voters, donors, the press, and more.

In 2017, the US Department of Homeland Security issued BOD 18-01, a directive requiring all executive branch agencies to adopt DMARC with its top enforcement policy in order to address this same issue. DMARC helps ensure only authorized parties can send emails on an agency’s behalf, preventing agencies or individuals from that agency from being impersonated in attacks targeting other agencies, government officials, citizens, media outlets, foreign allies, and more. To its credit, the US executive branch is now one of the leading industry verticals in the adoption of DMARC. But so far at least, no such directive has been set for the federal government’s legislative or judicial branches, let alone for the chaotic operations of congressional and presidential election campaigns.

Mission: Impersonate

Given the stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of highly-networked cybercriminal organizations, some of them foreign adversaries, with access to all the same donor and voter data so critical to campaign success. What happens if candidates for the highest office in the land are impersonated in phishing attacks targeting voters, donors, or the domestic or foreign press? What kind of fraudulent statements or mischaracterized policy positions could be attributed to these candidates and emailed to rival campaigns, the media, and key voters—including independents in battleground states? And what happens when the negative publicity from such attacks leads these and other constituents to avoid opening a campaign’s legitimate email messages, including those focused on fundraising?

Because email marketing has an average ROI of $38 for every $1 spent, impersonation attacks that hobble the email channel can quickly crush a candidate’s reputation, their fundraising ability, and their electoral viability. For these reasons and more, DMARC implementation should be the absolute baseline for email security for every campaign.

DMARC Adoption in the Danger Zone for Most Candidates

When implemented correctly, DMARC authentication at its highest level is the single most important element in stopping attacks that pose as trusted brands or individuals—including political candidates and their campaigns.

[Figure: DMARC Protection. All Candidates: 1% Protected, 99% Not Protected. >1% Polling with Website: 8% Protected, 92% Not Protected.]

In late March, CNN reported that the Democratic National Committee held an online seminar to show campaigns how to implement DMARC. But as of April 29, our analysis of domain data indicates only one of the campaigns with polling averages above 1% has a DMARC record established for its domains with a policy that would block phishing emails. This means 99% of all US presidential candidates and 92% of the top candidates are vulnerable to email-based impersonation attacks targeting their constituents and others.
Leading Candidates Remain Vulnerable to Attacks

Out of all candidates with polling averages above 1%, only five have DMARC records assigned to their domain. These include:
• Massachusetts Senator Elizabeth Warren (D)
• New Jersey Senator Cory Booker (D)
• Former Secretary of Housing and Urban Development Julian Castro (D)
• Minnesota Senator Amy Klobuchar (D)
• Current President Donald J. Trump (R)

But only Warren has a p=reject policy to stop unauthenticated emails from being delivered. Because a DMARC record does not prevent illegitimate mail from entering the inbox until the policy is set to p=reject, every other major candidate is still vulnerable to email-based impersonation—including current President Trump. As such, voters should be wary of any email purporting to come from a candidate other than Elizabeth Warren. No other candidates have implemented the protocols necessary to keep fake email out of voter inboxes—a fact that should be remediated sooner rather than later to ensure voter trust throughout the election process.
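The distinction the last two sections draw, between merely having a DMARC record and having an enforcing p=reject policy, is exactly what a domain check has to capture. The following added example (not Agari's tooling) parses DMARC TXT records and classifies each domain's enforcement level the way the candidate analysis above does. The candidate-*.example domains and their records are constructed; a live check would fetch the TXT record at _dmarc.<domain> instead of reading the dictionary. It goes slightly beyond the text by also treating a pct value below 100 or a weaker sp= subdomain policy as partial protection, and by treating more than one DMARC record as no usable policy, since RFC 7489 policy discovery stops in that case.

```python
"""Classify a domain's DMARC posture the way this report's candidate analysis
does: a DMARC record is not protection until its policy is p=reject and it
applies to the whole domain.

Added example for this page, not Agari's tooling. The candidate-*.example
domains and their TXT records are constructed; a live check would query the
TXT record at _dmarc.<domain> instead of reading SAMPLE_DNS.
"""

# Constructed TXT answers for _dmarc.<domain>; a list because DNS may return
# several TXT records for one name.
SAMPLE_DNS = {
    "candidate-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@candidate-a.example"],
    "candidate-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@candidate-b.example"],
    "candidate-c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "candidate-d.example": ["v=DMARC1; p=reject; sp=none"],
    "candidate-e.example": [],                                          # no record
    "candidate-f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records
    "candidate-g.example": ["v=spf1 include:_spf.example -all"],        # SPF only
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Return the tag dict for a DMARC record, or None if txt is not one.

    RFC 7489 requires v=DMARC1 as the first tag and a p= tag in a domain's
    policy record; receivers ignore anything else.
    """
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags if tags.get("p") in POLICY_RANK else None


def enforcement(domain, dns=SAMPLE_DNS):
    """Classify a domain as 'no record', 'invalid', 'monitor only',
    'quarantine', 'reject', or '<policy> (partial: ...)'."""
    records = [r for r in (parse_dmarc(t) for t in dns.get(domain, [])) if r]
    if not records:
        return "no record"
    if len(records) > 1:
        # Policy discovery stops when several DMARC records exist (RFC 7489
        # section 6.6.3), so receivers apply no policy at all.
        return "invalid"
    rec = records[0]
    policy = rec["p"]
    subdomain_policy = rec.get("sp", policy)
    if subdomain_policy not in POLICY_RANK:
        subdomain_policy = policy
    try:
        pct = max(0, min(100, int(rec.get("pct", "100"))))
    except ValueError:
        pct = 100
    if policy == "none":
        return "monitor only"  # reporting only; impersonating mail is still delivered
    if pct < 100 or POLICY_RANK[subdomain_policy] < POLICY_RANK[policy]:
        return f"{policy} (partial: pct={pct}, sp={subdomain_policy})"
    return policy


def blocks_impersonation(domain, dns=SAMPLE_DNS):
    """The report's bar: only a full p=reject policy keeps fake mail out."""
    return enforcement(domain, dns) == "reject"


def summarize(dns=SAMPLE_DNS):
    """(protected, total) counts like the report's protected/not-protected split."""
    protected = sum(1 for d in dns if blocks_impersonation(d, dns))
    return protected, len(dns)


if __name__ == "__main__":
    for domain in SAMPLE_DNS:
        print(f"{domain:22} {enforcement(domain)}")
    protected, total = summarize()
    print(f"{protected} of {total} domains would block impersonation ({100 * protected // total}%)")
```

Run against the constructed sample, only candidate-a.example counts as protected: candidate-b has a record but only monitors, candidate-c enforces on a quarter of mail, candidate-d leaves its subdomains open, and the rest have no usable policy. That is the gap between "has a DMARC record" (five of the candidates above) and "has p=reject" (one) that the section describes.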
Employee Phishing and Business Email Compromise (BEC)

KEY FINDINGS
• An unfortunate increase of 35% means that 27% of advanced email attacks spawn from compromised accounts of trusted individuals and brands.
• When targeting execs and high-value employees, attackers moved decisively to impersonating specific individuals in 37% of all email attacks, versus previous trends of impersonating common brands.
• As a sign of the growing sophistication and targeting inherent to BEC attacks, 20% of deceptive emails observed were personalized to include the name of the recipient in order to make them seem more legitimate.
Patterns of Deceit
Attacks from Compromised Accounts Continue to Surge

More than a quarter of advanced email attacks are now launched from the compromised accounts of trusted individuals and brands—up 26% in just ninety days.

‘From’ Line Fraudsters: Identity Deception Tactics are Evolving Fast

Today, 53% of all phishing attacks employing identity-deception tactics use a display name intended to impersonate a trusted individual or brand in order to defraud an outside supplier, a customer, or other businesses—down from 63% in the previous quarter. In most cases, attackers favor impersonating trusted brands at 34% over individuals at 19% of all attacks. But while both of these tactics attempt to deceive a recipient by impersonating a known entity, the purpose is typically very different for each. Generally speaking, malicious emails that impersonate trusted brands are associated with credentials-harvesting attacks, while phishing emails spoofing specific individuals are typically linked to socially-engineered, recipient response-oriented attacks such as BEC or executive spoof scams.

[Figure: Advanced Attacks by Imposter Type. 20% Look-alike Domain (example: From: LinkedIn, To: Jan Bird, Subject: Diana has endorsed you!). 34% Display Name Deception (Brand) (example: From: Chase Support, To: Tom Frost, Subject: Account Disabled). 27% Compromised Account (example: From: Raymond Lim, To: Cong Ho, Subject: PO 382313). 19% Display Name Deception (Individual) (example: From: Patrick Peterson, To: Cong Ho, Subject: Follow up on Invoice Payment).]

The thing that is most notable this quarter is the continued increase in the use of compromised email accounts. From January through March 2019, 27% of all identity-deception attacks were launched from the compromised email account of a trusted individual or brand. That’s up from 20% in just three months, making this the second-most frequent type of identity-deception technique. Legitimate email accounts that have been taken over by scammers can be a crushingly effective way to distribute phishing emails because they are, in a sense, trusted—allowing them to bypass mail filters more easily. The impact of this attack type cannot be overstated.

Attacks launched from compromised email accounts are by far the hardest to detect and disrupt, making them a serious vulnerability for the account’s legitimate owner and the companies involved. Indeed, a successful account takeover does not just give fraudsters the ability to impersonate the account’s owner. It also gives them access to the individual’s contacts, ongoing email conversations, and historical email archives—making it possible to craft new scams made all the more galling by their extraordinary personalization and crushing effectiveness.

Meanwhile, the remaining 20% of identity-deception emails use look-alike domains to send malicious content. While some of these domains can be simply spoofed and sent using basic mailing tools, many are actual domains registered by phishing threat actors.
C-Suite Phishing Trends
High-Value Executives See Rise in Identity Deception Attacks Impersonating Individuals

During the first quarter of 2019, display name deception used to impersonate specific individuals was used in 37% of all email attacks targeting senior executives, compared to just 19% in overall malicious email campaigns.

The distribution of tactics used in phishing attacks diverges significantly from those used when targeting other employees. During the first quarter, display name deception used to impersonate specific individuals, the least common tactic among malicious emails overall, was used in the majority of phishing emails targeting the high-level executives. This dichotomy is driven by BEC scams that target CFOs and other financial executives with malicious emails appearing to be sent from an executive like the CEO, making this one of the most pernicious cyberthreats facing the enterprise.

Compromised account-based phishing scams, which are the second-most common email attack method overall, are rarely used when targeting senior executives, representing just 12% of attacks in the first quarter of 2019.

[Figure: Identity Deception Attacks on Senior Executives by Attack Category. 15% Look-alike Domain (example: From: LinkedIn, To: Jan Bird, Subject: Diana has endorsed you!). 36% Display Name Deception (Brand) (example: From: Chase Support, To: Tom Frost, Subject: Account Disabled). 12% Compromised Account (example: From: Raymond Lim, To: Cong Ho, Subject: PO 382313). 37% Display Name Deception (Individual) (example: From: Patrick Peterson, To: Cong Ho, Subject: Follow up on Invoice Payment).]

For more information on how cybercriminals target the C-level, see agari.com/londonblue
BEC in the Spotlight
The Use of Free Accounts, Look-alike Domains, and Personalization

This past quarter, the Agari Cyber Intelligence Division took an in-depth look at the tactics used by threat actors in BEC campaigns, one of the costliest forms of phishing attacks businesses face today.

67% of Attacks are Launched from Free Webmail Accounts

What makes today’s BEC campaigns so dangerous is that they can exact eye-popping returns with very little effort or overhead. Because emails used in these attacks do not contain malicious links or payloads, they easily bypass most common security controls in use today.

And in the vast majority of cases, BEC attackers use free and temporary email accounts to launch their campaigns. In fact, our data shows that two-thirds (67%) of BEC emails are sent from an easily-acquired webmail account. In the first quarter of this year, the most commonly used email provider in these attacks was Roadrunner (rr.com), accounting for 15% of all BEC campaigns. AOL and Gmail ranked as the second and third most commonly used webmail providers for creating accounts used to send BEC phishing emails.

Top Ten Email Providers Used to Send BEC Emails
1. Roadrunner 15.3%
2. AOL 12.8%
3. Gmail 10.4%
4. Lycos 4.1%
5. Naver 2.1%
6. Cox 2.0%
7. Mailbox.org 1.3%
8. Earthlink 1.2%
9. Inbox.lv 1.2%
10. TWC 1.0%
The Advantages of Look-alike Domains in BEC Scams

Twenty-eight percent of BEC campaigns in the first quarter were sent from email accounts hosted on a domain registered by the attacker. While there is usually a cost associated with registering a domain, the ability to create a more authentic-looking email address for use in attacks is worth the price for some. Meanwhile, compromised email accounts belonging to other individuals or brands accounted for the remaining 5% of BEC attacks.

Regardless of the point of origin, the display name used in these attacks is almost always changed to impersonate a senior executive at target organizations.

[Figure: Most Common Point-of-Origin for BEC Scams. 67% Webmail; 28% Registered; 5% Compromised.]
Top 10 Subject Lines for Business Email Compromise Scams

Curious what a business email compromise scam actually looks like? In most cases, the initial email in a BEC attack is very brief and designed to elicit a response from a targeted recipient. Similarly, the subject lines of BEC emails are frequently very generic, so as not to arouse suspicion. But they nearly always contain specific keywords meant to generate urgency. In fact, 1 in 4 BEC emails observed over the past three months contained one of three words in the subject line: Quick, Request, or Urgent.

Top Ten Most Common Subject Lines in BEC Emails (Q1 2019)
1. Request 7.6%
2. [FIRST NAME] 7.2%
3. Task 3.7%
4. Hello [FIRST NAME] 3.5%
5. Hi [FIRST NAME] 2.5%
6. Payroll 2.1%
7. quick task 2.1%
8. [FIRST/LAST NAME] 1.9%
9. Direct Deposit 1.7%
10. Available? 1.5%
A Growing Number of BEC Emails are Personalized

Today, 20% of BEC emails are personalized to include the name of the recipient in order to make them seem more legitimate. Rather than receiving a completely generic message, referencing the target’s name serves to lower a recipient’s defenses and lessen the likelihood they’ll recognize the scam. Personalization also demonstrates the level of reconnaissance some cybercriminal organizations conduct prior to launching their malicious campaigns.

Instead of simply scraping email addresses from company websites, some BEC groups curate target lists of specific financial executives for use in crafting these personalized messages. Our previous research has shown that many BEC groups use legitimate commercial services to construct tailored queries and collect comprehensive contact information for financial executives around the world.

[Figure: Personalization vs. Non-Personalization in BEC Attacks. 20% Personalized; 80% Non-Personalized. Example messages shown: (1) Subject: Hello / Hello, I am planning a surprise for some of the staffs with gift cards and your confidentiality would be appreciated in order not to ruin the surprise. I need you to get some purchase done, email me once you get this. / Vice President of Marketing at Agari / Sent from a Mobile Device. (2) Subject: Hello / Hi, Are you in your office? Send me a quick reply if you are free. Thanks]
Phishing Incident Response Trends

KEY FINDINGS

Employees report an average of 29,028 phishing incidents to the security operations center each year per organization—a 25% increase in just 90 days.

The average time it takes to triage, investigate, and remediate reported phishing incidents jumped to 6.5 hours, a 35% increase in one quarter.

Costs for the security operations center to triage, investigate, and remediate employee-reported phishing nearly doubled—exceeding $8.1 million.
Incident Response Trends

SOCs See Reported Phishing Attacks Jump 25%

In today’s threat environment, there is no possible way to completely remove the risk that an employee will fall for a phishing email designed to defraud the company or steal sensitive information as part of a data breach. During the first quarter of 2019, the time required for security operations centers (SOCs) to respond to employee-reported phishing attacks spiked 32% in just 90 days.

For US-based companies, this matters—a lot. Today, the average cost of a breach is approaching $8 million, and the probability of falling victim to a breach is now 14% per year, according to Ponemon Institute. And it’s getting worse, in part because of the very mechanism businesses are putting in place to mitigate the issue.

The Unexpected Consequences of Employee-Reported Phishing Attacks

In addition to security awareness training and phishing simulations, the vast majority of businesses have provided employees with the ability to report suspected phishing emails. It is critical to understand how to leverage this threat feed to discover and contain breaches before data is exfiltrated. All too often, employee-reported phishing emails end up flooding SOCs with more incidents to triage, investigate, and remediate than they can handle. As a result, it has become critically important for businesses to find ways to streamline and automate these processes. Otherwise, the time it takes to discover and resolve breaches will only grow longer—while valuable data, intellectual property, and other important business information is exfiltrated by cybercriminals.

Inside the ACID Phishing Incident Response Survey

Every quarter, ACID surveys SOC professionals at 280 organizations ranging in size from 1,000 employees to 209,000 employees in order to get a read on incident response issues. This quarter’s survey participants include 176 respondents based in the United States, and 84 in the United Kingdom. The survey asks a series of questions regarding employee-reported phishing—including reporting mechanism, volume, false positive rate, existing tools for phishing incident response, and time required to investigate phishing. This section of the Q2 2019 Email Fraud and Identity Trends report highlights analysis of the responses to these questions.
Employee Empowerment Evolves

Organizations Change Tactics for Employee Reporting

Ninety-five percent of this quarter’s survey respondents report employees in their organizations have the ability to report phishing attacks, often via a convenient button and/or abuse inbox for forwarding suspicious messages to the security team. While this is down 3% quarter-over-quarter, a growing number of organizations are adopting phishing simulations to test employees’ ability to detect a phishing incident after participating in security awareness training. A full 92% of this quarter’s survey respondents report their organizations use such simulations, up 4% from the previous quarter. In most cases, these simulations are implemented via an outside vendor to provide an objective assessment of security vulnerabilities.

[Figure: Training Employees to Report Phishing. Ability to report phishing: 95% yes, 5% no ability to report. Phishing simulation adoption: 92% yes, 8% no.]
Catching Phish

How Employees Report Suspected Attacks

Most companies offer multiple reporting methods, including filing a help desk trouble ticket, using the native email client phishing button, or implementing a third-party client such as the KnowBe4 phishing button. But today, the most common mechanism available to employees to report phishing is an abuse@company.com inbox.

Whether the phishing incident is reported through an inbox or a phishing button, the phishing email itself is forwarded to some combination of a security operations center or help desk support center, for investigation and remediation. In some cases, the mail platform (Microsoft Office 365 or Gmail) or phishing simulation vendor also receives a copy of the reported phishing messages.

Employee Options to Report Phishing (Global)

Forward to Abuse Email Address       63%
Contact Help Desk Directly           58%
Email Client (Native)                45%
Email Client (Third-Party Vendor)    37%
No Ability to Report                  5%
Other                                 0%
Employee-Reported Incidents: Volume and Accuracy

With so much empowerment, training, and testing designed to help employees recognize and report phishing incidents, just how many suspected attacks are reported? What about accuracy? Based on the results to this quarter’s survey, respondents report roughly 29,028 phishing incidents per organization on an annual basis, with a slightly lower number of phishing incidents in UK-based companies.

[Charts: Volume Per Organization of Phishing Incidents. Left: Average Number of Reported Phishing Incidents Per Organization Annually (US, UK, Global; Q1 vs. Q2). Right: Distribution of Annual Reported Phishing Incidents (Global).]

In all, 56% of respondents reported a number of phishing incidents ranging from 12,000 to 36,000 per year.
Employee-Reported Incidents: False Positive Rate Rises 10%

The emails employees report are not always true phishing incidents. Security training often encourages users to report any suspicious email. As a result, spam, unwanted marketing emails, as well as legitimate email messages are often reported as phishing—even when they are not. In the first quarter of 2019, the false positive rate for employee-reported phishing incidents climbed 10% on a global basis. In the United States, the rate rose from 49% to 56%, while the United Kingdom saw a 3% decline over ninety days.

Employee-Reported Phishing False Positive Rate

Global  55%
US      56%
UK      52%
Time Required for Triage, Investigation, Forensics, and Remediation

[Figure: the phishing incident response workflow, from employee reports to alerts to incidents, in four stages.]

Phish Reporting: Employees report the suspect message using a phish button.
PROBLEM: Employee reports are noisy, and phishing training makes the problem worse for the SOC.

SOC Triage: The SOC handles reports, filtering out obvious false positives.
PROBLEM: The tools and workflow for managing these reports are crude and inefficient—often just an Outlook mailbox.

Forensic Analysis: A SOC analyst determines the level of impact.
PROBLEM: Understanding the level of impact involves lots of cutting and pasting across multiple forensic tools.

Incident Remediation: The SOC works with Messaging to address incidents.
PROBLEM: Remediation often involves multiple groups, and there isn’t effective data sharing between them.

Each quarter’s survey participants are asked: “For employee phishing reports, how much time on average does it take a SOC analyst to triage, investigate, and remediate?” both in terms of true phishing incidents and false positive reports.
Response Times Climbing Fast

On a global basis, the overall average across all phishing incidents is now 6.5 hours to triage, investigate, and remediate. That number is up 32% from 4.9 hours in the course of ninety days. In the United States, the rate is up 1.86 hours, while in the United Kingdom, the rate is up by nearly a full hour. On average, SOC analysts now spend 5.58 hours triaging a false positive, compared to 3.96 hours in the previous quarter. And they spend an average 6.64 hours triaging, investigating, and remediating a valid phish—an increase of 0.76 hours during the same time period.

Average Time Per Phishing Incident to Triage, Investigate, and Remediate (hours)

          True Phish   False Positive
Global       6.64          5.58
US           7.20          5.78
UK           5.45          5.16

The triage process generally involves a quick investigation of the sender domain and address, included links, and attachments to determine if the message is potentially malicious. This process is often manual, requires multiple third-party tools, and involves the judgement of the analyst—something that is not always 100% reliable.
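The manual triage steps just described (sender domain and address, included links, attachments) can be turned into a repeatable first pass that an analyst reviews rather than performs by hand. The Python below is an added example, not code from the Agari report or its survey respondents: it extracts those facts from a reported message and also scores the BEC subject-line signals from the earlier section (the urgency keywords Quick, Request and Urgent, and personalization with the recipient's first name). The trusted-domain list, the sample reported message and the scoring thresholds are all constructed for this example.

```python
"""First-pass automated triage of an employee-reported phishing message.

Added example; not code from the Agari report. It performs the checks the
report lists for SOC triage (sender domain and address, included links,
attachments) and adds the BEC subject-line signals from the earlier
section (urgency keywords, personalization with the recipient's name).
The trusted-domain list, the sample message and the thresholds are
constructed; the score is a prioritization aid for an analyst, not a verdict.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: domains the hypothetical organization legitimately sends from.
TRUSTED_DOMAINS = {"example-corp.com"}

# The three words the report found in 1 in 4 BEC subject lines.
URGENCY_WORDS = {"quick", "request", "urgent"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample of a reported message: look-alike sender domain,
# Reply-To pointing elsewhere, urgent personalized subject, link, attachment.
SAMPLE_REPORT = """\
From: "Pat Executive" <pat.executive@examp1e-corp.com>
Reply-To: <pat.exec.mobile@webmail.example>
To: chris@example-corp.com
Subject: Quick request Chris
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Are you in your office? I need a task done, see http://invoice.example.net/pay
and the attached details. Send me a quick reply if you are free.

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def domain_of(address):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_trusted_host(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def subject_words(subject):
    """Subject tokens, lower-cased and stripped of surrounding punctuation."""
    return {w.strip("?!.,:;").lower() for w in subject.split()} - {""}


def triage(raw_message, recipient_first_name=""):
    """Extract the triage facts from a raw RFC 5322 message and score them."""
    msg = message_from_string(raw_message, policy=default)
    _display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(from_addr)
    reasons = []

    # 1. Sender domain and address: is it ours, and does Reply-To redirect
    #    the conversation to a different domain?
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        reasons.append(f"sender domain {from_domain} is not a trusted domain")
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain")

    # 2. Subject line: urgency keywords and personalization.
    words = subject_words(str(msg.get("Subject", "")))
    hits = sorted(words & URGENCY_WORDS)
    if hits:
        reasons.append("urgency keyword(s) in subject: " + ", ".join(hits))
    if recipient_first_name and recipient_first_name.lower() in words:
        reasons.append("subject is personalized with the recipient's first name")

    # 3. Included links: hosts outside the trusted domains.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = URL_RE.findall(text)
    hosts = {urlparse(u).hostname for u in urls}
    untrusted = sorted(h for h in hosts if h and not is_trusted_host(h))
    if untrusted:
        reasons.append("links to untrusted host(s): " + ", ".join(untrusted))

    # 4. Attachments: name and declared type of every non-body part.
    attachments = [(p.get_filename() or "", p.get_content_type())
                   for p in msg.iter_attachments()]
    if attachments:
        reasons.append(f"{len(attachments)} attachment(s): "
                       + ", ".join(name for name, _ in attachments))

    score = len(reasons)
    return {
        "from_domain": from_domain,
        "urls": urls,
        "attachments": attachments,
        "reasons": reasons,
        "score": score,
        "priority": "escalate" if score >= 3 else "review" if score else "likely benign",
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_REPORT, "Chris")["reasons"]:
        print("-", line)
```

Running it on the constructed sample yields six reasons and an "escalate" priority; a plain status message from a trusted domain with no links or attachments scores zero. The checks are deliberately the cheap, deterministic ones: anything needing reputation lookups or detonation stays with the analyst, but the analyst starts from a structured summary instead of an Outlook mailbox.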
SOC Staffing Snapshot

Headcount Needs Nearly Double in 90 Days

In the face of this continuous barrage of phishing incidents, the average number of SOC analysts per organization hit 14.6 in the first quarter of 2019—up from 12.5 quarter-on-quarter. More than 90% of organizations report having at least one dedicated SOC analyst. Not surprisingly, the analysis showed a strong correlation between company size, the number of phishing incidents, and the number of SOC employees. For example, 41% of organizations with more than 10,000 employees have 20 or more SOC analysts. The same is true of organizations with 60,000 or more phishing incidents per year.

Average Number of SOC Analysts Employed

Global  14.6
US      15.9
UK      12.0

The Q2 Staffing Gap

Based on the average number of phishing incidents and the average time to remediation (6.5 hours), the average SOC needs 90 analysts to handle the number of phishing incidents per company. Given that the average number of SOC analysts in our survey is 14.6, there is a widening staffing gap of at least 76 full-time equivalents (FTEs). This gap currently results in organizations failing to detect phishing incidents, which opens each organization to the possibility of breaches or fraud.
Data Breach Economics

Risk Reductions from Automation

Today, the entry point for 96% of all data breaches is well-targeted email, according to the 2018 Verizon Data Breach Investigations Report (DBIR). The average cost of a data breach in the United States is now $7.9 million, and organizations face an average 14% probability of suffering a breach within the next year, according to Ponemon Institute. If you multiply the average breach cost of $7.9 million by the probability of 14%, the annual breach risk is $1.1 million.

[Chart: share of breaches by time to Discovery and time to Exfiltration, over Seconds, Minutes, Hours, Days, Weeks, Months, Years. Source: 2018 Verizon DBIR.]

Meanwhile, the Verizon DBIR finds that the average data breach results in exfiltration of data within minutes or hours—while the average time-to-discovery takes months. This is likely a symptom of understaffed and inefficient SOC processes for handling phishing incidents. Ideally, SOC analysts would be able to triage, investigate, and remediate reported phishing incidents within minutes, enabling the business to remediate the compromise and contain the breach.
Q2 Automation Index

As part of our quarterly phishing incident response survey, we asked respondents how much reducing the response time required for phishing incident response would reduce their breach risk. Overall, this quarter’s respondents felt their business could reduce breach risk by an average 51% by automating the process of phishing incident response. In the United States, that figure rose 2% from the previous quarter, to an average 53% reduction in breach risk, while in the United Kingdom, estimates dropped 3% during the same period, to an average 45% reduction. On a global basis, a 51% reduction in breach risk would result in a $561,025 decrease in annual breach risk for the average business.

Risk Reduction Due to Automated Phishing Incident Response

Global  51%
US      53%
UK      45%
Totaling It Up

The Cost of Manual Response vs. the Savings from Automation

Based on the data captured in this quarter’s phishing incident response survey, it’s possible to establish the variables needed to estimate the cost of manually handling phishing incidents, average breach risk, and the potential cost savings of automating the process.

SOC ANALYST COSTS
6.5 Hours per Phishing Incident x 29,000 Incidents = 188,500 Hours of SOC Analyst Time
188,500 Hours ÷ 2080 FTE Hours per Year = 90 FTEs
90 FTEs x $90,000 per FTE = $8.1M

SOC ANALYST SAVINGS
$8.1M – 90% SOC Time Savings = $7.29M Savings

BREACH RISK
$7.9M Average Breach Loss x 14% Probability of Breach = $1.1M Breach Risk

REDUCTION
$1.1M Breach Risk – 51% Risk Reduction = $561,000 Breach Risk Reduction

TOTAL SAVINGS
$7.29M SOC Analyst Time Savings + $561,000 Breach Risk Reduction = $7.85M Total Savings

To calculate a custom ROI for your organization, visit agari.com/roi

Using averages for all variables, the detailed calculations above show a total annual cost to the SOC of $8.1 million and an average annual breach risk of $1.1 million—for a total cost of $9.2 million per company. By implementing automated phishing incident response processes that reduce the time to triage, investigate, and remediate phishing incidents by 90%, and the time to discover and remediate data breaches by up to 51%, organizations could save $7.29 million in SOC costs and $561,000 in breach risk—for a total savings of $7.85 million.
Customer Phishing and DMARC Trends

KEY FINDINGS

By the end of March, ACID identified 6.75 million domains with valid DMARC records, up roughly 1% quarter-over-quarter.

Germany is the #1 region responsible for raw domains with DMARC records, though the United States took the top prize for the percentage of domains at a reject policy.

Only 25% of domains are configured to send email, with DMARC settings on the vast majority set to monitor-only.
DMARC Adoption Snapshot

The Industry’s Largest Ongoing Study of Adoption Rates Worldwide

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open standard email authentication protocol that helps businesses protect their brands and domains from being used to send fraudulent phishing emails. In a snapshot of more than 328 million Internet domains—the largest of any industry survey—we break down the state of DMARC implementation worldwide from January 1 through March 31, 2019.

Take Control of Your Domains

DMARC gives brands control over who is allowed to send emails on their behalf. It enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains, and gives the brand the ability to tell the email receiver systems what to do with those unauthenticated email messages.

Failing to implement DMARC at p=reject results in an easily identifiable vulnerability. Cybercriminals often spoof domains in order to send large volumes of phishing attacks targeting the domain owner’s customers and partners. The ripple effect can be significant. The domain may suffer reputational damage, resulting in being blacklisted by some receiver infrastructures, or experience reduced deliverability rates for legitimate email, hurting email-based revenue streams. The effects may first show up in complaints that outgoing emails aren’t reaching recipients, often bouncing or being filtered by spam filters.

[Chart: Domains with DMARC Policies, Aug 2017, Sept 2018, Dec 2018 and Mar 2019 (0 to 8,000,000 domains), broken down into Monitor (p=none), Quarantine, and Block (p=reject).]

For more information on DMARC and the benefits of adoption, visit agari.com/dmarc-guide
Brands looking to deploy DMARC are advised to start with DMARC p=none and work up to p=reject through a well-defined DMARC implementation plan. When enforcement policies are set properly, DMARC has been shown to drive down phishing rates impersonating brands to near zero.

The Picture Grows Sharper

By crawling the entire public Internet domain space representing over 328 million domains, ACID was able to generate its latest snapshot of DMARC implementation rates worldwide from January through March 2019. Overall, there was continued growth in the DMARC adoption rate, but at a much slower pace than the previous quarter.
Q2 Scorecard

Vendors and DMARC Service Providers

Each quarter, we assess how vendors and DMARC service providers are helping organizations use DMARC to protect their domains from email impersonation scams. The size of our dataset offers an unprecedented view into the number of domains for which vendors have established DMARC records, as well as how many of those records have been set to the highest enforcement level of p=reject. This combination of data points offers a snapshot of market share and success rates for each of these vendors.

How the Scorecard Works

As a shorthand to determining a market share figure, we tabulated the number of times specific, well-known DMARC implementation vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field that accepts an email address to receive aggregate DMARC data reports is a good proxy for this calculation. With this email address, the DMARC vendor typically accepts, parses, and visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.

Q2 Vendor Rankings by Total Share of Domains and Percentage of Domains with Reject Policies

The chart shown on the next page provides a basic ranking of top vendors, corresponding to the number of domains that specify that particular vendor in the “rua” field. We then apply a second filter indicating the all-important percentage of domains at the highest possible DMARC enforcement policy setting of p=reject for each vendor, which is the policy level that will block phishing messages. Quarter-over-quarter, there was some movement in overall vendor rankings, with slight improvements for some second tier vendors in terms of the total percentage of domains with DMARC set at its top enforcement level.
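The scorecard method above (count the domains whose "rua" tag names a given provider, then the share of those at p=reject) and the adoption snapshot's split of records into p=none, quarantine and p=reject both come down to parsing DMARC TXT records. The Python below is an added example, not ACID's own tooling: it parses records the way a receiving mail system reads them, classifies each domain's policy level, and tabulates the per-provider scorecard. Every record, domain name and provider in it is constructed sample data, and the 1,000-domain cutoff from the report is exposed as the `min_domains` parameter rather than hard-coded.

```python
"""DMARC record parsing, policy classification and a vendor scorecard.

Added example; not code from the Agari report. It reads DMARC TXT records
as a receiver would, classifies each domain's policy level (p=none,
p=quarantine or p=reject) and, following the scorecard method in the
report, counts how many domains name each reporting provider in the "rua"
tag and what share of those domains are at p=reject. Every record and
provider domain below is constructed sample data, not a real vendor.
"""
from collections import defaultdict
from urllib.parse import unquote

POLICY_LEVELS = ("none", "quarantine", "reject")

# Constructed sample: {domain: TXT record published at _dmarc.<domain>}
SAMPLE_RECORDS = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-one.example",
    "b.example": "v=DMARC1; p=none; rua=mailto:reports@vendor-one.example!10m; "
                 "ruf=mailto:forensics@vendor-one.example",
    "c.example": "v=DMARC1; p=quarantine; pct=50; "
                 "rua=mailto:agg@vendor-two.example,mailto:dmarc@a.example",
    "d.example": "v=DMARC1; p=reject; rua=mailto:agg@vendor-two.example",
    "e.example": "v=DMARC1; p=reject",      # enforced, but no reporting provider
    "f.example": "v=spf1 -all",             # an SPF record, not DMARC
    "g.example": "v=DMARC1; sp=none",       # missing the required p= tag
}


def parse_dmarc(txt):
    """Return the tag/value dict of a DMARC record, or None if txt is not one.

    Per RFC 7489 the record is a ';'-separated tag list whose first tag must
    be v=DMARC1, and a policy record must carry a p= tag. Fields without an
    '=' are ignored rather than rejected, as receivers ignore unknown tags.
    """
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    tags = {}
    for field in fields:
        if "=" not in field:
            continue
        key, value = field.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not fields or not fields[0].lower().startswith("v="):
        return None
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def policy_level(tags):
    """The domain policy: 'none', 'quarantine', 'reject' or 'invalid'."""
    p = tags["p"].lower()
    return p if p in POLICY_LEVELS else "invalid"


def rua_domains(tags):
    """Domains of the mailto: addresses in rua (aggregate-report recipients)."""
    out = set()
    for uri in tags.get("rua", "").split(","):
        uri = unquote(uri.strip())
        if uri.lower().startswith("mailto:"):
            addr = uri[len("mailto:"):].split("!", 1)[0]  # drop optional size limit
            if "@" in addr:
                out.add(addr.rsplit("@", 1)[1].lower())
    return out


def policy_summary(records):
    """Count domains at each policy level, as in the adoption chart."""
    counts = {level: 0 for level in POLICY_LEVELS}
    for txt in records.values():
        tags = parse_dmarc(txt)
        if tags is not None and policy_level(tags) in counts:
            counts[policy_level(tags)] += 1
    return counts


def scorecard(records, min_domains=1):
    """Per reporting provider: (domains naming it, domains at p=reject, reject %)."""
    tally = defaultdict(lambda: [0, 0])
    for txt in records.values():
        tags = parse_dmarc(txt)
        if tags is None:
            continue
        at_reject = policy_level(tags) == "reject"
        for provider in rua_domains(tags):
            tally[provider][0] += 1
            tally[provider][1] += int(at_reject)
    return {provider: (total, rej, round(100.0 * rej / total, 1))
            for provider, (total, rej) in tally.items() if total >= min_domains}


if __name__ == "__main__":
    print(policy_summary(SAMPLE_RECORDS))
    for provider, (total, rej, share) in sorted(scorecard(SAMPLE_RECORDS, 2).items()):
        print(f"{provider:20s} {total:4d} domains  {rej:3d} at reject  ({share}%)")
```

On the sample, `policy_summary` reports one domain at none, one at quarantine and three at reject (the SPF record and the record without p= are discarded as non-DMARC), and `scorecard(..., min_domains=2)` shows each of the two constructed providers managing two domains with half at p=reject; the self-referential `dmarc@a.example` recipient drops out under the cutoff. Note that a domain can name more than one rua recipient, so provider totals do not sum to the number of DMARC domains.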
Assessing Vendor Attributes

THE SWEET SPOT: Category-leading vendors achieve that perfect combination of a large number of domains serviced across a wide range of industries matched with high levels of top enforcement policy implementation. Finding a company that has high marks in both is essential for those organizations looking to see success with DMARC implementation.

HIGHER QUANTITIES CAN SEE LOWER ENFORCEMENT: The “Goldilocks” ratio can be harder to achieve for mid-tier vendors, which tend to struggle with the ratio of domains they service and what percentage of those records they succeed at converting to the highest enforcement policies. Category leaders with high numbers of enterprise clients can face this challenge as well, as it is harder to have more enterprise domains set to reject.

QUALITY VARIES WILDLY: About 315,000 of the domains that deployed DMARC are using a recognized DMARC provider, and about 6 million domains have DMARC deployed without using a major DMARC service provider. When selecting a vendor, enterprises with hundreds or thousands of domains should consider vendors that have both high numbers of domains and a high-percentage enforcement rate in order to better ensure success.

[Chart: DMARC Policy Observations Over Q2 2019, per vendor. Left axis: number of domains managed (0 to 150,000). Right axis: percentage of domains with a reject policy (0 to 100%).]
DMARC Adoption By Geography

As a new feature to the quarterly trends report, ACID is looking at the state of DMARC adoption by key geographies. As measured by domains for which a country code can be validated, this data encompasses roughly 50% of our total pool of analyzed domains worldwide.

Germany Ahead in DMARC Records, United States in Enforcement

According to our analysis, Germany leads all survey geographies in registered domains with established DMARC records, accounting for nearly a sixth of the world’s DMARC records overall, and the vast majority of domains for which a country code can be correlated. Predictably, given the total volume, Germany also ranks highest in established DMARC records at the default monitor-only setting. As mentioned earlier, this could reflect a high number of domains that are automatically assigned DMARC records by registrars, even when a large percentage of those domains may never be used to send email.

Data for the United States paints a different picture. While it ranks a distant second in the total number of country-coded domains assigned DMARC records, it is number one in DMARC records with an established p=reject enforcement policy. According to industry studies, the United States is the most heavily-targeted nation by cybercriminals, which may help to explain this discrepancy.

[Charts: Top DMARC Overall (0 to 1,200,000 domains), in order: DE, US, NL, ES, FR, GB, RU, IE, TR, PL. Top 5 at p=none (0 to 4M): DE, US, NL, FR, ES. Top 5 at p=reject (0 to 500K): US, NL, DE, IE, GB.]
Prominent Trends Across Top Companies

Our quarterly assessment of publicly available adoption data for the Fortune 500, Financial Times Stock Exchange 100 (FTSE 100), and Australian Securities Exchange 100 (ASX 100) highlights trends among prominent organizations across geographies.

Fortune 500

The Fortune 500 is an annual list compiled and published by Fortune magazine that ranks 500 of the largest United States corporations by total revenue for their respective fiscal years. The list includes publicly held companies, along with privately held companies for which revenues are publicly available. It is a good indicator for how security is trending amongst large companies.

During the first quarter of the year, DMARC adoption remained tepid, with the largest corporations continuing to implement email authentication at a measured pace. Even for those that have assigned DMARC records to their domains, the sizable proportion of “no record” and “monitor-only” policies dramatically increases the likelihood of the organization being impersonated in phishing campaigns targeting their customers and other consumers and businesses. But there has been progress.

DMARC Adoption – Just over 40% of the Fortune 500 with DMARC records assigned to domains have yet to publish an enforcement policy. Nonetheless, this is up nearly 5% from December 2018.

Quarantine Policy – Over 5% have implemented a quarantine policy to send phishing emails to the spam folder, in line with the previous quarter.

Reject Policy – Just over 1 in 10 have implemented a reject policy to block phishing attempts impersonating their brands. While relatively low, that’s up roughly 8% from December 2018.

Fortune 500 DMARC Adoption (share of companies by policy; quarantine is the small remaining share in each period)

             Aug 2017   Sept 2018   Dec 2018   Mar 2019
No Record       73%        59%         46%        42%
None            23%        33%         39%        42%
Reject           3%         7%         10%        11%