Q2 2019 Email Fraud and Identity Deception Trends Global Insights from the Agari Identity Graph

Page created by Stephanie Hill
 
AGARI CYBER INTELLIGENCE DIVISION

REPORT

Q2 2019
Email Fraud and Identity Deception Trends
Global Insights from the Agari Identity Graph™

© 2019 Agari Data, Inc.
Executive Summary
Quarterly analysis from the Agari Cyber Intelligence Division (ACID) finds business email compromise
(BEC), spear phishing, consumer-targeted brand impersonation scams, and other advanced email
threats continue to evolve at a relentless pace, and could even put major US presidential candidates at
risk from attacks targeting their staff and their voters as the 2020 election cycle ramps up.

                                                                                                                                              AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Email Hacking: 2016 Redux, or Something Far Worse?
Despite lessons learned from the hacking of Clinton campaign chairman John Podesta’s email account and subsequent release of sensitive
emails on WikiLeaks, little progress has been made since the 2016 US presidential election. As the 2020 election cycle revs up, campaigns
are still struggling with email security, primarily because few of the current and most prominent candidates have dedicated staff or
resources to implement effective defenses. In fact, over 90% of the current presidential contenders rely on the easily-bypassed security
controls built into their email platforms—almost exclusively Google Suite and Microsoft. While these controls offer basic defenses, they
won’t protect against the kind of advanced email attacks likely to target campaign staff.

And that’s not the only kind of email threat candidates should fear. As of April 29, ACID analysis of domain data indicates only one of the
leading candidates polling over 1%—Massachusetts Senator Elizabeth Warren (D)—has a DMARC record established for their domains with a
policy that would prevent the campaign or the candidate from being impersonated in emails targeting donors, voters, and others. Given the
stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of world-class
hackers, especially as more than 90% of the leading candidates remain wide open to attack.

Nearly 30% of BEC Attacks Now Originate from Compromised Email Accounts
ACID analysis finds continued volatility in the identity deception tactics used by cybercriminal organizations behind a growing number of
BEC scams. The percentage of all phishing attacks employing identity-deception tactics that use a display name intended to impersonate
a trusted individual or brand has dropped to 53%, but most troubling has been the steady increase in the use of compromised email
accounts. From January through March 2019, 27% of all identity-deception attacks were launched from compromised accounts. That’s an
increase of nearly 30% in just 90 days, making this the second-most prevalent form of identity deception technique. Because phishing
attacks launched from compromised accounts are by far the hardest to detect and disrupt, they are especially effective at defrauding the
rightful owners of the account—as well as targeted businesses.

Employee-Reported Phishing Attacks Reaching SOCs Surge 25%
According to the Q2 ACID Phishing Incident Response Survey of 176 SOC professionals at 325 organizations with 1,000+ employees, the
number of employee-reported phishing attacks climbed 25% in the past quarter—increasing the total volume of incidents corporate security
operations centers (SOCs) must remediate to an average of more than 29,000 annually. During this same period, the time needed to
triage, investigate, and remediate each incident rose to an average of 6.5 hours. While the number of SOC analysts increased to 14, the gap
between the number of analysts needed (90) and the actual number of analysts widened.

DMARC Adoption Rises a Tepid 1% While 90% of Fortune 500 Remains Unprotected
By the end of March 2019, ACID identified 6.75 million domains with valid DMARC records out of 328 million total domains examined as
part of the industry’s largest ongoing study of DMARC adoption worldwide. Germany ranks first in raw domains with established DMARC
records, though the United States maintains the highest percentage of domains with DMARC records with a reject policy. Overall, domains
with DMARC records rose 1%, with the rate of growth rising at a much slower pace than the previous quarter. This leaves the vast majority
of the world’s most prominent companies vulnerable to email-based impersonation attacks targeting their customers, partners, and other
businesses—including nearly 90% of the Fortune 500.

Inside this Report
In this quarterly report, we examine trends in phishing and email fraud perpetrated against businesses and their customers.

For the first time ever, we also begin tracking both Domain-based Message Authentication, Reporting and Conformance (DMARC) and
Advanced Threat Protection adoption among presidential candidates seeking their parties’ nominations heading into next year’s 2020 US
elections. This report includes a look at which campaigns may be most vulnerable to email-based impersonation scams that can damage
candidates’ reputations, operational effectiveness, fundraising efforts, and even national security.

Also included are the results from our quarterly survey on the impact of phishing incident response in the enterprise, and the burden and
cost for a security operations center (SOC) team to respond to employee-reported emails. The statistics presented here reflect information
captured from the following sources from January through March 2019:
  •   Analysis of 2020 Presidential campaign email vulnerability based on DNS and MX record information
  •   Data extracted from the 300 million+ daily model updates by the Agari Identity Graph™
  •   DMARC-carrying domains identified within the 328 million+ domains crawled
  •   Insights captured from a phishing incident survey of more than 250 cybersecurity professionals

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing
investigation. ACID supports Agari’s mission of protecting communications so that humanity prevails over evil. The ACID team uncovers
identity deception tactics, criminal group dynamics, and relevant trends in advanced email threats. Created by Agari in 2018, ACID helps to
impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.

Table of Contents
Presidential Campaign Security 2020
    --Deception 2020: US Elections Under Email Attack
    --Enemies in the Inbox: Spear Phishing Attacks Should Raise Concerns for Candidates
    --2016 Presidential Redux—or Worse? DMARC Authentication Necessary for Voter Protection
Employee Phishing and Business Email Compromise (BEC)
    --Patterns of Deceit: Attacks from Compromised Accounts Continue to Surge
    --C-Suite Phishing Trends: High-Value Executives See Rise in Identity Deception Attacks Impersonating Individuals
    --BEC in the Spotlight: The Use of Free Accounts, Look-alike Domains, and Personalization
Phishing Incident Response Trends
    --Incident Response Trends: SOCs See Reported Phishing Attacks Jump 25%
    --Employee Empowerment Evolves: Organizations Change Tactics for Employee Reporting
    --Catching Phish: How Employees Report Suspected Attacks
    --SOC Staffing Snapshot: Headcount Needs Nearly Double in 90 Days
    --Data Breach Economics: Risk Reductions from Automation
    --Totaling It Up: The Cost of Manual Response vs. the Savings from Automation
Customer Phishing and DMARC Trends
    --DMARC Adoption Snapshot: The Industry’s Largest Ongoing Study of Adoption Rates Worldwide
    --Q2 Scorecard: Vendors and DMARC Service Providers
    --DMARC Adoption By Geography
    --Prominent Trends Across Top Companies
    --Large Sector Analysis: DMARC Authentication by Vertical
    --Industry Enforcement Comparison: The Agari Advantage by Vertical
    --Brand Indicators Adoption Up 60% as More Brands Realize Its Value
About This Report
About the Agari Cyber Intelligence Division (ACID)
Key Terms
A Taxonomy of Advanced Email Threats
With rising levels of cybercrime posing a serious threat to individuals, businesses, and governments,
it is vitally important to codify a consistent set of terms to describe the different challenges that
characterize this threat landscape. Not every email scam is a “phishing attack,” for instance.

To address this need, ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email-based
attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy will help readers understand the terms
used in this report and what they mean to email security.

Because email fraud centers around identity deception—the impersonation of trusted senders—in order to con recipients, we start with the
method by which the impostor impersonates the trusted sender’s email account, making it appear as if the emails the impostor is sending are
originating from the trusted party.

[Figure: Agari Threat Taxonomy. Sender (Imposter, Authentic): Spoof, Look-alike Domain, Display Name Deception, Compromised Account, Account Owner. Classification: Fraud, Unsolicited Email, Legitimate Email; Social Engineering, Spam, Graymail, Misconfiguration; Scattershot, Targeted; URL, Malware, Con. Recipient (Internal, External): Employees, Contractors, Partners, Customers. Objective: Monetary, IP/Data/Credential Theft, Denial of Service.]

For more information about the Agari Threat Taxonomy, see agari.com/taxonomy
Leading Attack Modalities
Generally speaking, we observe three primary ways in which cybercriminals impersonate an email account:

LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that is very similar
to the legitimate domain he or she is seeking to impersonate. Look-alike domains are distinguished from domain spoofing, in which the
attacker uses the actual email address of the impersonated identity in the “From” header—for example, “Company Customer Service.” Email
authentication standards such as DMARC can be used by a domain owner to prevent spoofing of the domain, but are still not adopted
widely by all businesses.

DISPLAY NAME DECEPTION: This happens when the cybercriminal inserts the name of the impersonated individual or brand into the
“From” field within Gmail, Yahoo, or another free cloud-based email platform. These are also known as “friendly from” attacks.

[Figure: Sender row of the taxonomy (Imposter, Authentic): Spoof, Look-alike Domain, Display Name Deception, Compromised Account, Account Owner; Brand / Individual.]

COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that’s already been compromised—
assuming the identity and the actual email account of the impersonated individual or brand, which is the most dangerous threat of all.
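
The three modalities above can be told apart, up to a point, from the "From" header plus the receiver's DMARC result. The sketch below is an added example, not Agari's detection logic; the trusted directory, the addresses, the edit-distance threshold of 2, and the `dmarc_pass` input are all assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed directory of trusted identities (hypothetical names and addresses).
TRUSTED = {
    "jane doe": "jane.doe@example-campaign.org",
    "example campaign": "info@example-campaign.org",
}

SPOOF = "spoof"
LOOKALIKE = "look-alike domain"
DISPLAY_NAME = "display name deception"
AUTHENTIC_ADDRESS = "authentic address (account owner or compromised account)"
NO_CLAIM = "no trusted identity claimed"


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (look-alike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header, dmarc_pass):
    """Map a From header to one of the sender categories in the taxonomy.

    dmarc_pass is the receiving server's DMARC verdict for the message
    (assumed to be available, e.g. from an Authentication-Results header).
    """
    display, addr = parseaddr(from_header)
    display = display.strip().lower()
    domain = addr.lower().rpartition("@")[2]
    trusted_domains = {a.rpartition("@")[2] for a in TRUSTED.values()}

    if domain in trusted_domains:
        # The real domain appears in the header. If authentication failed,
        # the address was forged; if it passed, the header alone cannot
        # separate the rightful owner from someone using a compromised account.
        return AUTHENTIC_ADDRESS if dmarc_pass else SPOOF

    # A domain a character or two away from a trusted one.
    if any(0 < edit_distance(domain, t) <= 2 for t in trusted_domains):
        return LOOKALIKE

    # A trusted name in the display field, sent from an unrelated address.
    if display in TRUSTED:
        return DISPLAY_NAME

    return NO_CLAIM


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        ("Jane Doe <jane.doe@gmail.com>", True),
        ("Jane Doe <jane.doe@examp1e-campaign.org>", True),
        ("Jane Doe <jane.doe@example-campaign.org>", False),
        ("Jane Doe <jane.doe@example-campaign.org>", True),
    ]
    for header, verdict in samples:
        print(f"{header!r:50} dmarc_pass={verdict!s:5} -> {classify_sender(header, verdict)}")
```

The last case is why compromised-account attacks are the hardest to catch: the address is genuine and authentication passes, so header checks cannot flag it.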

Different types or classes of attacks will entail different elements of this taxonomy.

A business email compromise (BEC) attack, for instance, can involve an impostor who aims to impersonate a trusted individual or brand
using a look-alike domain, display name deception, or in the worst cases, a compromised legitimate account, leveraging sophisticated social
engineering tactics to send highly personalized attacks. Impersonated individuals may be executives within the target’s own company, or an
outside vendor or partner company. A BEC attack is targeted and uses a con with no URL or attachment.

By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone
into clicking on a malicious link that captures their username and password. When attacking businesses, display name deception is typically
the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.
Presidential Campaign Security 2020
Protecting the United States Election From
Nation-State Attacks

Deception 2020
US Elections Under Email Attack
Initial findings show that major US presidential candidates are vulnerable
both to phishing attacks against staff and to email scams impersonating
their campaigns. This must be remedied as we move closer to the election,
especially as cybercriminals and nation-state actors seek to derail
candidates, defraud voters, and undermine democracy itself.

In the aftermath of the 2016 US presidential election and the hacking of Clinton campaign
chairman John Podesta’s email account, email security has become a critical issue as the 2020
election cycle revs up.

It was only three years ago that Podesta was fooled by what appeared to be an “account alert”
from his email provider, Google. The malicious link and the resulting leak of damaging campaign
emails on WikiLeaks helped derail Clinton’s bid for the presidency.

Fast-forward to 2019, and little has changed. Campaigns are still struggling with email security,
primarily because very few candidates have dedicated staff or resources to implement critical
email security defenses. The Department of Homeland Security offers training, but it tends to be
designed for large federal agencies rather than the frenetic, on-the-fly campaign operations that
are just starting to rev up for the primaries.

In fact, with the 2020 election cycle now underway, over 90% of the current presidential contenders
rely on the easily-bypassed security controls that are built into their email platforms—almost
exclusively Gmail and Microsoft Office 365. And while these security features provide basic protection,
they are not enough to stop the advanced email attacks that are likely to target prominent
candidates in the run-up to the election. Perhaps even more troubling, only one presidential
candidate polling over 1% has implemented the DMARC policy needed to keep fraudulent email
purporting to come from the campaign or the candidate themselves out of voter inboxes.

The information here was collected on April 29, 2019. For an up-to-date status on top candidates, see agari.com/election2020
Enemies in the Inbox
Spear Phishing Attacks Should Raise Concerns for Candidates
While the security controls of most webmail platform providers have grown adept at ferreting out
malicious links and malware, they are powerless on their own against advanced, identity-based phishing
attacks, and cybercriminals are taking advantage. Instead of relying solely on the kind of spear phishing
approach used on Podesta, these operatives are now launching highly personalized, socially-engineered
email messages designed to manipulate recipients into revealing sensitive information or login
credentials before thinking to confirm the message’s legitimacy.

Advanced Email Security Is a Necessity for Serious Candidates
To be sure, some attacks may still include “Past Due” or “Password Change Required”-style alerts designed to harvest email login credentials.
But others may involve an “urgent request” from a trusted advisor, outside firm, or a senior campaign official asking the recipient to pay a
vendor or forward confidential polling data or campaign information. Fortunately, much of this can be stopped by advanced email security
controls that overlay on top of Microsoft Office or Gmail to stop advanced attacks like business email compromise, spear phishing, and others.

Despite the ease of implementing advanced email protection, the Agari Cyber Intelligence Division finds that only 3% of the current crop of
US presidential candidates with an email-receiving domain or campaign website have implemented a solution to stop advanced threats.

[Figure: Email Gateways. All Candidates with Website: 91% Unknown/On-Premises Gateway, 6% Microsoft O365 or EOL, 3% Third-Party Advanced Email Security Provider. >1% Polling: 74% Google, 17% Third-Party Advanced Email Security Provider, 9% Microsoft O365 or EOL.]

A vast majority of candidates are relying on the basic controls built
into their cloud-based email platform. All this means is that these
candidates are open to attack in the form of phishing and account
takeovers—threats that could derail an entire campaign, smear
a presidential candidate, and turn the wave of support against a
leading presidential contender.

Leading Candidates Are at Risk for Attack
Of the candidates polling over 1%, according to data from Real Clear
Politics, the situation is not much better. Only two candidates—
Massachusetts Senator Elizabeth Warren and Former Massachusetts
Governor Bill Weld—have put an advanced security solution in place
to protect their staff from the email threats that could cause major
headaches should they be successful.

Let’s hope more join them. Even with heavy investments on security
and employee phishing training, 96% of corporate data breaches
begin with an email, with more than 4,000 records stolen every
single minute. With these numbers, imagine what these criminals
could do to a presidential bid.

The rapidly-evolving nature of campaign operations and their ad hoc
ecosystem of advisors, pollsters, policy analysts, and other members
of a candidate’s braintrust make them easy targets for world-class
hackers—both foreign and domestic. As the race heats up and the
press focuses more on our top contenders, so will nation-state actors
who want to target the 2020 election and the United States democracy.

And unfortunately, these are not the only types of email threats that
candidates should fear.

2016 Presidential Redux—or Worse?
DMARC Authentication Necessary for Voter Protection
The fact is, there is another email-based threat that could pose a far graver danger to candidates and to
our electoral system itself. US congressional and presidential candidates with domains unprotected
by the DMARC email authentication protocol risk finding their campaigns impersonated in
phishing attacks targeting not their staff, but rather their most important constituents—including voters,
donors, the press, and more.

In 2017, the US Department of Homeland Security issued BOD 18-01, a directive requiring all executive branch agencies to adopt DMARC
with its top enforcement policy in order to address this same issue. DMARC helps ensure only authorized parties can send emails on
an agency’s behalf, preventing agencies or individuals from that agency from being impersonated in attacks targeting other agencies,
government officials, citizens, media outlets, foreign allies, and more.

To its credit, the US executive branch is now one of the leading industry verticals in the adoption of DMARC. But so far at least, no such
directive has been set for the federal government’s legislative or judicial branches, let alone for the chaotic operations of congressional and
presidential election campaigns.

Mission: Impersonate
Given the stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of
highly-networked cybercriminal organizations, some of them foreign adversaries, with access to all the same donor and voter data so
critical to campaign success.

What happens if candidates for the highest office in the land are impersonated in phishing attacks targeting voters, donors, or the domestic
or foreign press? What kind of fraudulent statements or mischaracterized policy positions could be attributed to these candidates and
emailed to rival campaigns, the media, and key voters—including independents in battleground states?

And what happens when the negative publicity from such attacks leads these and other constituents to avoid opening a campaign’s
legitimate email messages, including those focused on fundraising? Because email marketing has an average ROI of $38 for every $1 spent,
impersonation attacks that hobble the email channel can quickly crush a candidate’s reputation, their fundraising ability, and their electoral
viability. For these reasons and more, DMARC implementation should be the absolute baseline for email security for every campaign.

DMARC Adoption in the Danger Zone for Most Candidates
When implemented correctly, DMARC authentication at its highest level is the single most important element in stopping attacks that pose
as trusted brands or individuals—including political candidates and their campaigns.

[Figure: DMARC protection. All Candidates with Website: 1% Protected, 99% Not Protected. >1% Polling: 8% Protected, 92% Not Protected.]

In late March, CNN reported that the Democratic National Committee held an online seminar to show campaigns how to implement
DMARC. But as of April 29, our analysis of domain data indicates only one of the campaigns with polling averages above 1% has DMARC
records established for their domains with a policy that would block phishing emails. This means 99% of all US presidential candidates and
92% of the top candidates are vulnerable to email-based impersonation attacks targeting their constituents and others.

Leading Candidates Remain Vulnerable to Attacks
Out of all candidates with polling averages above 1%, only five have DMARC records
assigned to their domain. These include:
  •   Massachusetts Senator Elizabeth Warren (D)
  •   New Jersey Senator Cory Booker (D)
  •   Former Secretary of Housing and Urban Development Julian Castro (D)
  •   Minnesota Senator Amy Klobuchar (D)
  •   Current President Donald J. Trump (R)
But only Warren has a p=reject policy to stop unauthenticated emails from being
delivered. Because a DMARC record does not prevent illegitimate mail from entering
the inbox until the policy is set to p=reject, every other major candidate is still
vulnerable to email-based impersonation—including current President Trump.

As such, voters should be wary of any email purporting to come from a candidate
other than Elizabeth Warren. No other candidates have implemented the protocols
necessary to keep fake email out of voter inboxes—a fact that should be remediated
sooner rather than later to ensure voter trust throughout the election process.
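
The distinction drawn above, between having a DMARC record and having one that blocks delivery, can be checked mechanically. The following is an added example, not Agari's tooling: it parses the TXT records published at `_dmarc.<domain>` and counts a domain as protected only when the policy is `p=reject`. The domains and records are constructed, and treating `pct` below 100 as not fully enforced is an assumption the report does not state.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # fragments without '=' are ignored
            tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: the record must begin with the tag v=DMARC1.
    first_name, _, first_value = (parts[0] if parts else "").partition("=")
    if first_name.strip().lower() != "v" or first_value.strip() != "DMARC1":
        return None
    return tags


def assess(txt_records):
    """Given all TXT strings at _dmarc.<domain>, return (protected, reason)."""
    records = [t for t in (parse_dmarc(r) for r in txt_records) if t is not None]
    if not records:
        return (False, "no DMARC record")
    if len(records) > 1:
        # RFC 7489: receivers stop policy discovery when several records exist.
        return (False, "multiple DMARC records")
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return (False, "missing or invalid p= tag")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparsable pct falls back to the default
    if policy != "reject":
        return (False, f"p={policy} does not block delivery")
    if pct < 100:
        # Assumption: partial enforcement is not counted as protected.
        return (False, f"p=reject applied to only {pct}% of mail")
    return (True, "p=reject")


def protected_share(domain_records):
    """Percentage of domains whose DMARC policy is fully enforced p=reject."""
    if not domain_records:
        return 0.0
    protected = sum(1 for recs in domain_records.values() if assess(recs)[0])
    return 100.0 * protected / len(domain_records)


# Constructed sample: TXT records as they might be returned for _dmarc.<domain>.
SAMPLE = {
    "candidate-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@candidate-a.example"],
    "candidate-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@candidate-b.example"],
    "candidate-c.example": ["v=DMARC1; p=quarantine; pct=50"],
    "candidate-d.example": [],
}

if __name__ == "__main__":
    for domain, recs in SAMPLE.items():
        print(domain, assess(recs))
    print(f"protected: {protected_share(SAMPLE):.0f}%")
```

In practice the TXT strings would come from a DNS lookup of `_dmarc.<domain>`; the parsing and classification stay the same.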

Employee Phishing and Business Email
Compromise (BEC)

KEY FINDINGS
  •   An unfortunate increase of 35% means that 27% of advanced email attacks spawn from compromised accounts of trusted individuals and brands.
  •   When targeting execs and high-value employees, attackers moved decisively to impersonating specific individuals in 37% of all email attacks, versus previous trends of impersonating common brands.
  •   As a sign of growing sophistication and targeting inherent to BEC attacks, 20% of deceptive emails observed were personalized to include the name of the recipient in order to make them seem more legitimate.

Patterns of Deceit
Attacks from Compromised Accounts Continue to Surge
More than a quarter of advanced email attacks are now launched from the compromised accounts of
trusted individuals and brands—up 26% in just ninety days.

‘From’ Line Fraudsters: Identity Deception Tactics are Evolving Fast
Today, 53% of all phishing attacks employing identity-deception tactics use a display name intended to impersonate a trusted individual or
brand in order to defraud an outside supplier, a customer, or other businesses—down from 63% in the previous quarter.

In most cases, attackers favor impersonating trusted brands at 34% over individuals at 19% of all attacks. But while both of these tactics
attempt to deceive a recipient by impersonating a known entity, the purpose is typically very different for each.

Generally speaking, malicious emails that impersonate trusted brands are associated with credentials-harvesting attacks, while phishing emails
spoofing specific individuals are typically linked to socially-engineered, recipient response-oriented attacks such as BEC or executive spoof scams.

[Figure: Advanced Attacks by Imposter Type]
  •   34% Display Name Deception (Brand). Sample: From: Chase Support; To: Tom Frost; Subject: Account Disabled
  •   27% Compromised Account. Sample: From: Raymond Lim; To: Cong Ho; Subject: PO 382313
  •   20% Look-alike Domain. Sample: From: LinkedIn; To: Jan Bird; Subject: Diana has endorsed you!
  •   19% Display Name Deception (Individual). Sample: From: Patrick Peterson; To: Cong Ho; Subject: Follow up on Invoice Payment

The thing that is most notable this quarter is the continued increase in the use of compromised email accounts. From January through
March 2019, 27% of all identity-deception attacks were launched from the compromised email account of a trusted individual or brand.
That’s up from 20% in just three months, making this the second-most frequent type of identity-deception technique.

Legitimate email accounts that have been taken over by scammers can be a crushingly effective way to distribute phishing emails because
they are, in a sense, trusted—allowing them to bypass mail filters more easily. The impact of this attack type cannot be overstated.

Attacks launched from compromised email accounts are by far the hardest to detect and disrupt, making them a serious vulnerability for
the account’s legitimate owner and the companies involved. Indeed, a successful account takeover does not just give fraudsters the ability
to impersonate the account’s owner. It also gives them access to the individual’s contacts, ongoing email conversations, and historical email
archives—making it possible to craft new scams made all the more galling by their extraordinary personalization and crushing effectiveness.

Meanwhile, the remaining 20% of identity-deception emails use look-alike domains to send malicious content. While some of these domains
can be simply spoofed and sent using basic mailing tools, many are actual domains registered by phishing threat actors.
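
The imposter types described in this section can be told apart, in part, from the From header alone. The following is an added example, not Agari's detection logic: it sorts From headers into the report's categories using an assumed inventory of trusted people, brands, and domains. All names, addresses, and .example domains are constructed, and the edit-distance threshold is an assumption. A compromised account passes these checks by design, which is why that category is the hardest to detect.

```python
"""Classify From headers by the imposter types named in the report (added example)."""
from email.utils import parseaddr

# Assumed inventory for a hypothetical organization; every entry is constructed.
TRUSTED_PEOPLE = {"patrick peterson": "ppeterson@corp.example"}
TRUSTED_BRANDS = {"chase": "chase.example", "linkedin": "linkedin.example"}
TRUSTED_DOMAINS = {"corp.example", "supplier.example", *TRUSTED_BRANDS.values()}
LOOKALIKE_MAX_DISTANCE = 2  # assumed threshold; very short domains need a stricter one

# Constructed sample headers, one per category.
SAMPLE_HEADERS = [
    "LinkedIn <notify@linkedln.example>",
    "Chase Support <support@billing-alerts.example>",
    "Patrick Peterson <ceo.office@freemail.example>",
    "Patrick Peterson <ppeterson@corp.example>",
    "Raymond Lim <rlim@supplier.example>",
]


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_domain(domain, trusted):
    """True if domain equals trusted or is one of its subdomains."""
    return domain == trusted or domain.endswith("." + trusted)


def is_trusted(domain):
    return any(in_domain(domain, trusted) for trusted in TRUSTED_DOMAINS)


def classify_from(header):
    """Return the imposter category suggested by a single From header."""
    display, address = parseaddr(header)
    display = " ".join(display.lower().split())
    address = address.lower()
    domain = address.rpartition("@")[2]
    if not domain:
        return "unparseable"

    # Look-alike domain: untrusted, but within a few edits of a trusted domain.
    if not is_trusted(domain):
        if min(edit_distance(domain, t) for t in TRUSTED_DOMAINS) <= LOOKALIKE_MAX_DISTANCE:
            return "look-alike domain"

    # Display name deception (individual): a known person's name on another address.
    known_address = TRUSTED_PEOPLE.get(display)
    if known_address and address != known_address:
        return "display name deception (individual)"

    # Display name deception (brand): a brand name in the display name, sent
    # from a domain that does not belong to that brand.
    for brand, brand_domain in TRUSTED_BRANDS.items():
        if brand in display.split() and not in_domain(domain, brand_domain):
            return "display name deception (brand)"

    # A trusted address looks the same whether or not the account is compromised.
    if is_trusted(domain):
        return "trusted sender (compromise not excluded)"
    return "unknown sender"


def classify_all(headers=SAMPLE_HEADERS):
    return {header: classify_from(header) for header in headers}


if __name__ == "__main__":
    for header, verdict in classify_all().items():
        print(f"{verdict:42} {header}")
```
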

C-Suite Phishing Trends
High-Value Executives See Rise in Identity Deception Attacks
Impersonating Individuals
During the first quarter of 2019, display name deception used to impersonate specific individuals was
used in 37% of all email attacks targeting senior executives, compared to just 19% in overall malicious
email campaigns.

The distribution of tactics used in phishing attacks diverges significantly from those used when targeting other employees. During the
first quarter, display name deception used to impersonate specific individuals, the least common tactic among malicious emails overall,
was used in the majority of phishing emails targeting the high-level executives. This dichotomy is driven by BEC scams that target CFOs
and other financial executives with malicious emails appearing to be sent from an executive like the CEO, making this one of the most
pernicious cyberthreats facing the enterprise.

Compromised account-based phishing scams, which are the second-most common email attack method overall, are rarely used when targeting
senior executives, representing just 12% of attacks in the first quarter of 2019.

[Figure: Identity Deception Attacks by Attack Category]
  •   37% Display Name Deception (Individual). Sample: From: Patrick Peterson; To: Cong Ho; Subject: Follow up on Invoice Payment
  •   36% Display Name Deception (Brand). Sample: From: Chase Support; To: Tom Frost; Subject: Account Disabled
  •   15% Look-alike Domain. Sample: From: LinkedIn; To: Jan Bird; Subject: Diana has endorsed you!
  •   12% Compromised Account. Sample: From: Raymond Lim; To: Cong Ho; Subject: PO 382313

 For more information on how cybercriminals target the C-level, see agari.com/londonblue
BEC in the Spotlight
The Use of Free Accounts, Look-alike Domains, and Personalization
This past quarter, the Agari Cyber Intelligence Division took an in-depth look at the tactics used by
threat actors in BEC campaigns, one of the costliest forms of phishing attacks businesses face today.

67% of Attacks are Launched from Free Webmail Accounts
What makes today’s BEC campaigns so dangerous is that they can exact eye-popping returns with very little effort or overhead.
Because emails used in these attacks do not contain malicious links or payloads, they easily bypass most common security controls in
use today.

And in the vast majority of cases, BEC attackers use free and temporary email accounts to launch their campaigns. In fact, our
data shows that two-thirds (67%) of BEC emails are sent from an easily-acquired webmail account.

In the first quarter of this year, the most commonly used email provider in these attacks was Roadrunner (rr.com), accounting for
15% of all BEC campaigns. AOL and Gmail ranked as the second and third most commonly used webmail providers for creating accounts
used to send BEC phishing emails.

Top Ten Email Providers Used to Send BEC Emails

Rank   Provider       Share
1      Roadrunner     15.3%
2      AOL            12.8%
3      Gmail          10.4%
4      Lycos           4.1%
5      Naver           2.1%
6      Cox             2.0%
7      Mailbox.org     1.3%
8      Earthlink       1.2%
9      Inbox.lv        1.2%
10     TWC             1.0%

The Advantages of Look-alike Domains in BEC Scams
Twenty-eight percent of BEC campaigns in the first quarter were sent from email accounts hosted on a
domain registered by the attacker. While there is usually a cost associated with registering a domain, the
ability to create a more authentic-looking email address for use in attacks is worth the price for some.

Meanwhile, compromised email accounts belonging to other individuals or brands accounted for the
remaining 5% of BEC attacks.

Regardless of the point of origin, the display name used in these attacks is almost always changed to
impersonate a senior executive at target organizations.

[Figure: Most Common Point-of-Origin for BEC Scams]
  •   67% Webmail
  •   28% Registered
  •   5% Compromised

Top 10 Subject Lines for Business Email Compromise Scams
Curious what a business email compromise scam actually looks like? In most cases, the initial email in a
BEC attack is very brief and designed to elicit a response from a targeted recipient.

Similarly, the subject lines of BEC emails are frequently very generic, so as not to arouse suspicion. But
they nearly always contain specific keywords meant to generate urgency.

In fact, 1 in 4 BEC emails observed over the past three months contained one of three words in the
subject line: Quick, Request, or Urgent.

Top Ten Most Common Subject Lines in BEC Emails (Q1 2019)

Rank   Subject Line          Share
1      Request               7.6%
2      [FIRST NAME]          7.2%
3      Task                  3.7%
4      Hello [FIRST NAME]    3.5%
5      Hi [FIRST NAME]       2.5%
6      Payroll               2.1%
7      quick task            2.1%
8      [FIRST/LAST NAME]     1.9%
9      Direct Deposit        1.7%
10     Available?            1.5%

A Growing Number of BEC Emails are Personalized
Today, 20% of BEC emails are personalized to include the name of the recipient in order to make them seem more
legitimate. Rather than receiving a completely generic message, referencing the target’s name serves to lower a
recipient’s defenses and lessen the likelihood they’ll recognize the scam.

Personalization also demonstrates the level of reconnaissance some cybercriminal organizations conduct prior to
launching their malicious campaigns.

Instead of simply scraping email addresses from company websites, some BEC groups curate target lists of
specific financial executives for use in crafting these personalized messages.

Our previous research has shown that many BEC groups use legitimate commercial services to construct tailored
queries and collect comprehensive contact information for financial executives around the world.

[Figure: Personalization vs. Non-Personalization in BEC Attacks]

20% Personalized. Sample:
    Subject: Hello
    Hello
    I am planning a surprise for some of the staffs with gift cards and your confidentiality would be appreciated
    in order not to ruin the surprise. I need you to get some purchase done, email me once you get this.
    Vice President of Marketing at Agari
    Sent from a Mobile Device

80% Non-Personalized. Sample:
    Subject: Hello
    Hi
    Are you in your office? Send me a quick reply if you are free.
    Thanks

Phishing Incident Response Trends

KEY FINDINGS

  •   Employees report an average of 29,028 phishing incidents to the security operations center each year per organization—a 25% increase in just 90 days.
  •   The average time it takes to triage, investigate, and remediate reported phishing incidents jumped to 6.5 hours, a 35% increase in one quarter.
  •   Costs for the security operations center to triage, investigate, and remediate employee reported phishing nearly doubled—exceeding $8.1 million.

Incident Response Trends
SOCs See Reported Phishing Attacks Jump 25%
In today’s threat environment, there is no possible way to completely remove the risk that an employee
will fall for a phishing email designed to defraud the company or steal sensitive information as part of a
data breach. During the first quarter of 2019, the time required for security operations centers (SOCs)
to respond to employee-reported phishing attacks spiked 32% in just 90 days.

For US-based companies, this matters—a lot. Today, the average cost of a breach is approaching $8 million, and the probability of falling
victim to a breach is now 14% per year, according to Ponemon Institute. And it’s getting worse, in part because of the very mechanism
businesses are putting in place to mitigate the issue.

The Unexpected Consequences of Employee-Reported Phishing Attacks
In addition to security awareness training and phishing simulations, the vast majority of businesses have provided employees with the
ability to report suspected phishing emails. It is critical to understand how to leverage this threat feed to discover and contain breaches
before data is exfiltrated.

All too often, employee-reported phishing emails end up flooding SOCs with more incidents to triage, investigate, and remediate than
they can handle. As a result, it has become critically important for businesses to find ways to streamline and automate these processes.
Otherwise, the time it takes to discover and resolve breaches will only grow longer—while valuable data, intellectual property, and other important
business information is exfiltrated by cybercriminals.

Inside the ACID Phishing Incident Response Survey
Every quarter, ACID surveys SOC professionals at 280 organizations ranging in size from 1,000 employees to 209,000 employees in order to get a
read on incident response issues. This quarter’s survey participants include 176 respondents based in the United States, and 84 in the United Kingdom.

The survey asks a series of questions regarding employee-reported phishing—including reporting mechanism, volume, false positive rate,
existing tools for phishing incident response, and time required to investigate phishing. This section of the Q2 2019 Email Fraud and Identity
Trends report highlights analysis of the responses to these questions.
Employee Empowerment Evolves
Organizations Change Tactics for Employee Reporting
Ninety-five percent of this quarter’s survey respondents report employees in their organizations have the ability to report phishing attacks,
often via a convenient button and/or abuse inbox for forwarding suspicious messages to the security team.

While this is down 3% quarter-over-quarter, a growing number of organizations are adopting phishing simulations to test employees’ ability
to detect a phishing incident after participating in security awareness training. A full 92% of this quarter’s survey respondents report their
organizations use such simulations, up 4% from the previous quarter. In most cases, these simulations are implemented via an outside
vendor to provide an objective assessment of security vulnerabilities.

[Figure: Training Employees to Report Phishing]
  •   Ability to Report Phishing: 95% Ability to Report Phishing, 5% No Ability to Report
  •   Phishing Simulation Adoption: 92% Yes, 8% No

Catching Phish
How Employees Report Suspected Attacks
Most companies offer multiple reporting methods, including filing a help desk trouble ticket, using the native email client phishing button, or
implementing a third-party client such as the KnowBe4 phishing button. But today, the most common mechanism available to employees
to report phishing is an abuse@company.com inbox.

Whether the phishing incident is reported through an inbox or a phishing button, the phishing email itself is forwarded to some
combination of a security operations center or help desk support center, for investigation and remediation. In some cases, the mail platform
(Microsoft Office 365 or Gmail) or phishing simulation vendor also receives a copy of the reported phishing messages.

Employee Options to Report Phishing (Global)

Reporting Option                      Share
Forward to Abuse Email Address        63%
Contact Help Desk Directly            58%
Email Client (Native)                 45%
Email Client (Third-Party Vendor)     37%
No Ability to Report                   5%
Other                                  0%

Employee-Reported Incidents: Volume and Accuracy
With so much empowerment, training, and testing designed to help employees recognize and report phishing incidents, just how many
suspected attacks are reported? What about accuracy?

Based on the results to this quarter’s survey, respondents report roughly 29,028 phishing incidents per organization on an annual basis,
with a slightly lower number of phishing incidents in UK-based companies.

[Figure: Volume Per Organization of Phishing Incidents. Left panel: Average Number of Reported Phishing Incidents Per Organization Annually (US, UK, Global; Q1 vs. Q2). Right panel: Distribution of Annual Reported Phishing Incidents (Global).]

In all, 56% of respondents reported a number of phishing incidents ranging from 12,000 to 36,000 per year.

Employee-Reported Incidents: False Positive Rate Rises 10%
The emails employees report are not always true phishing incidents. Security training often encourages users to report any suspicious email.
As a result, spam, unwanted marketing emails, as well as legitimate email messages are often reported as phishing—even when they are
not. In the first quarter of 2019, the false positive rate for employee-reported phishing incidents climbed 10% on a global basis. In the United
States, the rate rose from 49% to 56%, while the United Kingdom saw a 3% decline over ninety days.

[Figure: Employee-Reported Phishing False Positive Rate. Global 55%, US 56%, UK 52%.]

Time Required for Triage, Investigation, Forensics, and Remediation

Each quarter’s survey participants are asked: “For employee phishing reports, how much time on average does it take a SOC analyst to
triage, investigate, and remediate?” both in terms of true phishing incidents and false positive reports.

[Figure: Phishing incident response workflow (Reports, Alerts, Incidents)]
  •   Phish Reporting: Employees report suspect message using phish button. PROBLEM: Employee reports are noisy and phishing training makes the problem worse for the SOC.
  •   SOC Triage: SOC handles reports, filtering out obvious false positives. PROBLEM: The tools & workflow for managing these reports are crude and inefficient—often just an Outlook mailbox.
  •   Forensic Analysis: SOC Analyst determines level of impact. PROBLEM: Understanding level of impact involves lots of cutting & pasting across multiple forensic tools.
  •   Incident Remediation: SOC works with Messaging to address incidents. PROBLEM: Remediation often involves multiple groups and there isn’t effective data sharing between them.

Response Times Climbing Fast
On a global basis, the overall average across all phishing incidents is now 6.5 hours to triage, investigate, and remediate. That number is up
32% from 4.9 hours in the course of ninety days. In the United States, the rate is up 1.86 hours, while in the United Kingdom, the rate is up
by nearly a full hour.

On average, SOC analysts now spend 5.58 hours triaging a false positive, compared to 3.96 hours in the previous quarter. And they spend
an average 6.64 hours triaging, investigating, and remediating a valid phish—an increase of .76 hours during the same time period.

[Chart: Average Time per Phishing Incident to Triage, Investigate, and Remediate (hours). True Phish / False Positive: Global 6.64 / 5.58; US 7.20 / 5.78; UK 5.45 / 5.16]

The triage process generally involves a quick investigation of the sender domain and address, included links, and attachments to determine
if the message is potentially malicious. This process is often manual, requires multiple third-party tools, and involves the judgement of the
analyst—something that is not always 100% reliable.

SOC Staffing Snapshot
Headcount Needs Nearly Double in 90 Days
In the face of this continuous barrage of phishing incidents, the average number of SOC analysts per organization hit 14.6 in the first
quarter of 2019—up from 12.5 quarter-on-quarter.

More than 90% of organizations report having at least one dedicated SOC analyst. Not surprisingly, the analysis showed a strong
correlation between company size, the number of phishing incidents, and the number of SOC employees.

For example, 41% of organizations with more than 10,000 employees have 20 or more SOC analysts. The same is true of organizations
with 60,000 or more phishing incidents per year.

[Chart: Average Number of SOC Analysts Employed (# of Analysts). Global 14.6; US 15.9; UK 12.0]

The Q2 Staffing Gap
Based on the average number of phishing incidents and the average time to remediation (6.5 hours), the average SOC needs 90 analysts
to handle the number of phishing incidents per company. Given that the average number of SOC analysts in our survey is 14.6, there is
a widening staffing gap of at least 76 full-time equivalents (FTEs). This gap currently results in organizations failing to detect phishing
incidents, which opens each organization to the possibility of breaches or fraud.

Data Breach Economics
Risk Reductions from Automation
Today, the entry point for 96% of all data breaches is well-targeted email, according to the 2018 Verizon Data Breach Investigations Report
(DBIR). The average cost of a data breach in the United States is now $7.9 million, and organizations face an average 14% probability of
suffering a breach within the next year, according to Ponemon Institute. If you multiply the average breach cost of $7.9 million by the
probability of 14%, the annual breach risk is $1.1 million.

[Chart: share of breaches (0% to 60%) by elapsed time (Seconds, Minutes, Hours, Days, Weeks, Months, Years), with one curve for Exfiltration and one for Discovery]

Source: 2018 Verizon DBIR

Meanwhile, the Verizon DBIR finds that the average data breach results in exfiltration of data within minutes or hours—while the average
time-to-discovery takes months. This is likely a symptom of understaffed and inefficient SOC processes for handling phishing incidents.
Ideally, SOC analysts would be able to triage, investigate, and remediate reported phishing incidents within minutes, enabling the business
to remediate the compromise and contain the breach.

Q2 Automation Index
As part of our quarterly phishing incident response survey, we asked respondents how much reducing the response time required for
phishing incident response would reduce their breach risk. Overall, this quarter’s respondents felt their business could reduce breach risk by
an average 51% by automating the process of phishing incident response.

In the United States, that figure rose 2% from the previous quarter, to an average 53% reduction in breach risk, while in the United Kingdom,
estimates dropped 3% during the same period, to an average 45% reduction.

On a global basis, a 51% reduction in breach risk would result in a $561,025 decrease in annual breach risk for the average business.

[Chart: Risk Reduction Due to Automated Phishing Incident Response. Global 51%; US 53%; UK 45%]

Totaling It Up
The Cost of Manual Response vs. the Savings from Automation
Based on the data captured in this quarter’s phishing incident response survey, it’s possible to establish the variables needed to estimate
the cost of manually handling phishing incidents, average breach risk, and the potential cost savings of automating the process.

SOC ANALYST COSTS
    6.5 Hours per Phishing Incident x 29,000 Incidents = 188,500 Hours of SOC Analyst Time
    188,500 Hours ÷ 2080 FTE Hours per Year = 90 FTEs
    90 FTEs x $90,000 per FTE = $8.1M

SOC ANALYST SAVINGS
    $8.1M – 90% SOC Time Savings = $7.29M Savings

BREACH RISK REDUCTION
    $7.9M Average Breach Loss x 14% Probability of Breach = $1.1M Breach Risk
    $1.1M Breach Risk – 51% Risk Reduction = $561,000 Breach Risk Reduction

TOTAL SAVINGS
    $7.29M SOC Analyst Time Savings + $561,000 Breach Risk Reduction = $7.85M Total Savings

 To calculate a custom ROI for your organization, visit agari.com/roi

Using averages for all variables, the detailed calculations above show a total annual cost to the SOC of $8.1 million and an average annual
breach risk of $1.1 million—for a total cost of $9.2 million per company. By implementing automated phishing incident response processes that
reduce the time to triage, investigate, and remediate phishing incidents by 90%, and the time to discover and remediate data breaches by
up to 51%, organizations could save $7.29 million in SOC costs and $561,000 in breach risk—for a total savings of $7.85 million.

Customer Phishing and DMARC Trends

KEY FINDINGS

By the end of March, ACID identified 6.75 million domains with valid DMARC records, up roughly 1% quarter-over-quarter.

Germany is the #1 region responsible for raw domains with DMARC records, though the United States took the top prize for the percentage
of domains at a reject policy.

Only 25% of domains are configured to send email, with DMARC settings on the vast majority set to monitor-only.

DMARC Adoption Snapshot
The Industry’s Largest Ongoing Study of Adoption Rates Worldwide
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open standard email
authentication protocol that helps businesses protect their brands and domains from being used to send
fraudulent phishing emails. In a snapshot of more than 328 million Internet domains—the largest of any
industry survey—we break down the state of DMARC implementation worldwide from January 1 through
March 31, 2019.

Take Control of Your Domains
DMARC gives brands control over who is allowed to send emails on their behalf. It enables email receiver systems to recognize when an
email isn’t coming from a specific brand’s approved domains, and gives the brand the ability to tell the email receiver systems what to
do with those unauthenticated email messages.

Failing to implement DMARC at p=reject results in an easily identifiable vulnerability. Cybercriminals often spoof domains in order to send
large volumes of phishing attacks targeting the domain owner’s customers and partners. The ripple effect can be significant.
The domain may suffer reputational damage, resulting in being blacklisted by some receiver infrastructures, or experience reduced
deliverability rates for legitimate email, hurting email-based revenue streams. The effects may first show up in complaints that outgoing
emails aren’t reaching recipients, often bouncing or being filtered by spam filters.

[Chart: Domains with DMARC Policies (0 to 8,000,000) at Aug 2017, Sept 2018, Dec 2018, and Mar 2019; series: Monitor (p=none), Quarantine, Block (p=reject)]

For more information on DMARC and the benefits of adoption, visit agari.com/dmarc-guide

Brands looking to deploy DMARC are advised to start with DMARC p=none and work up to p=reject through a well-defined DMARC
implementation plan. When enforcement policies are set properly, DMARC has been shown to drive down phishing rates impersonating
brands to near zero.

The Picture Grows Sharper
By crawling the entire public Internet domain space representing over 328 million domains, ACID was able to generate its latest snapshot
of DMARC implementation rates worldwide from January through March 2019. Overall, there was continued growth in the DMARC adoption
rate, but at a much slower pace than the previous quarter.

Q2 Scorecard
Vendors and DMARC Service Providers
Each quarter, we assess how vendors and DMARC service providers are helping organizations use
DMARC to protect their domains from email impersonation scams. The size of our dataset offers an
unprecedented view into the number of domains for which vendors have established DMARC records,
as well as how many of those records have been set to the highest enforcement level of p=reject. This
combination of data points offers a snapshot of market share and success rates for each of these vendors.

How the Scorecard Works
As a shorthand for determining a market share figure, we tabulated the number of times specific, well-known DMARC implementation
vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field, which accepts an email address to receive aggregate
DMARC data reports, is a good proxy for this calculation. With this email address, the DMARC vendor typically accepts, parses, and
visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.

Q2 Vendor Rankings by Total Share of Domains and Percentage of Domains with Reject Policies
The chart shown on the next page provides a basic ranking of top vendors, corresponding to the number of domains that specify that
particular vendor in the “rua” field. We then apply a second filter indicating the all-important percentage of domains at the highest possible
DMARC enforcement policy setting of p=reject for each vendor, which is the policy level that will block phishing messages.
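
The tally described under "How the Scorecard Works" and the p=reject filter applied to it, as an added example (not ACID's own tooling): it parses DMARC TXT values, attributes each domain to a provider by its "rua" mailbox domain, and reports domains managed and the share at p=reject. The provider domains, the `min_domains` parameter, and the sample records are constructed for illustration.

```python
from collections import Counter, defaultdict

VALID_POLICIES = ("none", "quarantine", "reject")

# Hypothetical provider mailbox domains (constructed, not real vendor addresses).
PROVIDERS = {"vendor-a.example": "Vendor A", "vendor-b.example": "Vendor B"}

# Constructed sample: (domain, TXT value published at _dmarc.<domain>).
SAMPLE_RECORDS = [
    ("shop.example", "v=DMARC1; p=reject; rua=mailto:c1@rua.vendor-a.example"),
    ("mail.example", "v=DMARC1; p=none; pct=100; "
                     "rua=mailto:dmarc@mail.example,mailto:c2@rua.vendor-a.example!10m"),
    ("bank.example", "v=DMARC1;p=quarantine;rua=mailto:c3@vendor-b.example"),
    ("news.example", "v=DMARC1; p=REJECT; rua=mailto:c4@vendor-b.example"),
    ("parked.example", "v=DMARC1; p=reject"),            # enforced, but no reporting address
    ("typo.example", "v=DMARC1; p=rejct; rua=mailto:c5@rua.vendor-a.example"),
    ("broken.example", "p=reject; v=DMARC1; rua=mailto:c6@vendor-b.example"),
    ("spf.example", "v=spf1 -all"),                      # not a DMARC record
]


def parse_dmarc(txt):
    """Return (policy, [rua mailbox domains]) or None if the record must be ignored."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        return None
    # RFC 7489: v=DMARC1 must be the first tag, otherwise the record is ignored.
    name, _, value = parts[0].partition("=")
    if name.strip().lower() != "v" or value.strip() != "DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    rua_domains = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue
        address = uri[len("mailto:"):].split("!", 1)[0]  # drop optional size limit
        if "@" in address:
            rua_domains.append(address.rsplit("@", 1)[1].lower().rstrip("."))
    policy = tags.get("p", "").lower()  # policy values are matched case-insensitively
    if policy not in VALID_POLICIES:
        # RFC 7489 section 6.6.3: an invalid p with a usable rua is treated as p=none.
        if not rua_domains:
            return None
        policy = "none"
    return policy, rua_domains


def provider_for(rua_domain, providers=PROVIDERS):
    """Map a rua mailbox domain (or a subdomain of it) to a provider name."""
    for suffix, name in providers.items():
        if rua_domain == suffix or rua_domain.endswith("." + suffix):
            return name
    return None


def policy_breakdown(records):
    """Count valid DMARC records per policy level."""
    counts = Counter()
    for _, txt in records:
        parsed = parse_dmarc(txt)
        if parsed:
            counts[parsed[0]] += 1
    return {policy: counts[policy] for policy in VALID_POLICIES}


def scorecard(records, providers=PROVIDERS, min_domains=1):
    """Rows of (provider, domains managed, domains at reject, % at reject).

    The report keeps vendors with more than 1,000 domains; min_domains is
    set to 1 here so the small constructed sample produces output.
    """
    managed, rejecting = defaultdict(set), defaultdict(set)
    for domain, txt in records:
        parsed = parse_dmarc(txt)
        if not parsed:
            continue
        policy, rua_domains = parsed
        names = {provider_for(d, providers) for d in rua_domains} - {None}
        for name in names:
            managed[name].add(domain)
            if policy == "reject":
                rejecting[name].add(domain)
    rows = []
    for name, domains in managed.items():
        if len(domains) >= min_domains:
            at_reject = len(rejecting[name])
            rows.append((name, len(domains), at_reject,
                         round(100 * at_reject / len(domains), 1)))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    print(policy_breakdown(SAMPLE_RECORDS))
    for row in scorecard(SAMPLE_RECORDS):
        print(row)
```

A domain that enforces p=reject but publishes no "rua" address (parked.example in the sample) counts toward the overall policy breakdown but is invisible to a provider tally built this way.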

Quarter-over-quarter, there was some movement in overall vendor rankings, with slight improvements for some second tier vendors in
terms of the total percentage of domains with DMARC set at its top enforcement level.

Assessing Vendor Attributes
THE SWEET SPOT: Category-leading vendors achieve that perfect combination of a large number of domains serviced across a wide
range of industries matched with high levels of top enforcement policy implementation. Finding a company that has high marks in both is
essential for those organizations looking to see success with DMARC implementation.

HIGHER QUANTITIES CAN SEE LOWER ENFORCEMENT: The “Goldilocks” ratio can be harder to achieve for mid-tier vendors, which
tend to struggle with the ratio of domains they service and what percentage of those records they succeed at converting to the highest
enforcement policies. Category leaders with high numbers of enterprise clients can face this challenge as well, as it is harder to have more
enterprise domains set to reject.

QUALITY VARIES WILDLY: About 315,000 of the domains that deployed DMARC are using a recognized DMARC provider, and about 6
million domains have DMARC deployed without using a major DMARC service provider. When selecting a vendor, enterprises with hundreds
or thousands of domains should consider vendors that have both high numbers of domains and a high-percentage enforcement rate in
order to better ensure success.

[Chart: DMARC policy observations by vendor. Left axis: # Domains Managed (0 to 150,000); right axis: % Reject Policy (0% to 100%); series: Domains Managed, Domains w/ Reject Policy]

DMARC Adoption By Geography
As a new feature to the quarterly trends report, ACID is looking at the state of DMARC adoption
by key geographies. As measured by domains for which a country code can be validated, this data
encompasses roughly 50% of our total pool of analyzed domains worldwide.

Germany Ahead in DMARC Records, United States in Enforcement
According to our analysis, Germany leads all survey geographies in registered domains with established DMARC records, accounting for
nearly a sixth of the world’s DMARC records overall, and the vast majority of domains for which a country code can be correlated.

Predictably, given the total volume, Germany also ranks highest in established DMARC records at the default monitor-only setting. As
mentioned earlier, this could reflect a high number of domains that are automatically assigned DMARC records by registrars, even when a
large percentage of those domains may never be used to send email.

Data for the United States paints a different picture. While it ranks a distant second in the total number of country-coded domains
assigned DMARC records, it is number one in DMARC records with an established p=reject enforcement policy.

According to industry studies, the United States is the most heavily-targeted nation by cybercriminals, which may help to explain this
discrepancy.

[Chart: Top DMARC Overall (0 to 1,200,000 domains), in order: DE, US, NL, ES, FR, GB, RU, IE, TR, PL]
[Chart: Top 5 P Value = None (0 to 4M), in order: DE, US, NL, FR, ES]
[Chart: Top 5 P Value = Reject (0 to 500K), in order: US, NL, DE, IE, GB]

Prominent Trends Across Top Companies
Our quarterly assessment of publicly available adoption data for the Fortune 500, Financial Times
Stock Exchange 100 (FTSE 100), and Australian Securities Exchange 100 (ASX 100) highlights trends
among prominent organizations across geographies.

Fortune 500
The Fortune 500 is an annual list compiled and published by Fortune magazine that ranks 500 of the largest United States corporations
by total revenue for their respective fiscal years. The list includes publicly held companies, along with privately held companies for which
revenues are publicly available. It is a good indicator for how security is trending amongst large companies.

During the first quarter of the year, DMARC adoption remained tepid, with the largest corporations continuing to implement email authentication at a measured pace. Even for those that have assigned DMARC records to their domains, the sizable proportion of “no record” and “monitor-only” policies dramatically increases the likelihood of the organization being impersonated in phishing campaigns targeting their customers and other consumers and businesses. But there has been progress.

DMARC Adoption – Just over 40% of the Fortune 500 with DMARC records assigned to domains have yet to publish an enforcement policy. Nonetheless, this is up nearly 5% from December 2018.

Quarantine Policy – Over 5% have implemented a quarantine policy to send phishing emails to the spam folder, in line with the previous quarter.

Reject Policy – Just over 1 in 10 have implemented a reject policy to block phishing attempts impersonating their brands. While relatively low, that’s up roughly 8% from December 2018.

[Figure: Fortune 500 DMARC Adoption, stacked bars for Aug 2017, Sept 2018, Dec 2018, Mar 2019. Reject: 3%, 7%, 10%, 11%. None: 23%, 33%, 39%, 42%. No Record: 73%, 59%, 46%, 42%. Quarantine: values not labeled.]
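The four categories used in the adoption figures above (No Record, None, Quarantine, Reject) can be reproduced for any list of domains by parsing the TXT strings published at `_dmarc.<domain>`. The Python below is an added example, not Agari's methodology or code; the bucket mapping, the function names and the sample records are assumptions constructed for illustration, and the fallback rules follow RFC 7489.

```python
from collections import Counter

BUCKETS = {"none": "None", "quarantine": "Quarantine", "reject": "Reject"}

def parse_dmarc(txt):
    """Return the tag dict for a DMARC TXT string, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must come first and be exactly DMARC1 (RFC 7489).
    first = parts[0].partition("=") if parts else ("", "", "")
    if first[0].strip().lower() != "v" or first[2].strip() != "DMARC1":
        return None
    return tags

def classify(txt_records):
    """Bucket the TXT strings published at _dmarc.<domain>."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:
        return "No Record"  # nothing published, or several conflicting records
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy in BUCKETS:
        return BUCKETS[policy]
    # Missing or invalid p: receivers fall back to p=none only when rua is set
    # (simplified here to a presence check on the rua tag).
    return "None" if tags.get("rua") else "No Record"

def tally(domains):
    """Count buckets across a {domain: [TXT strings]} mapping."""
    return Counter(classify(txts) for txts in domains.values())

# Constructed sample data (not from the report); reserved .example names.
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@c.example"],
    "d.example": [],                                          # nothing published
    "e.example": ["v=spf1 -all"],                             # SPF only
    "f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicates
    "g.example": ["v=DMARC1; p=rejct; rua=mailto:dmarc@g.example"],  # typo in p
}

if __name__ == "__main__":
    for bucket, count in tally(SAMPLE).most_common():
        print(f"{bucket:<11}{count}")
```

The duplicate-record and mistyped-policy cases are the ones most often missed in self-assessments: a domain that appears to publish p=reject can still land in No Record or None.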