AGARI CYBER INTELLIGENCE DIVISION - Agari: Trust Your Inbox

Post on 17-Mar-2022


AGARI CYBER INTELLIGENCE DIVISION

© Copyright 2019 Agari Data, Inc.

REPORT

Q4 2019 Email Fraud & Identity Deception Trends

Global Insights from the Agari Identity Graph™

Q4 2019 AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS

Executive Summary

Phishing and other email-based attacks may rank among the oldest tricks in the fraudster playbook, but they remain a distressingly effective way for cybercriminals to bilk businesses, their employees, customers, and the public at large out of billions. But they’re also far from static. Data captured in the latest quarterly analysis from the Agari Cyber Intelligence Division (ACID) substantiates how business email compromise (BEC), consumer-targeted brand impersonation scams, and other advanced email threats continue to mutate, switching up tactics to throw targets off-guard, even while retrofitting the tried-and-true in inventive new ways to boost their profits.

Attacks Impersonating Individuals Jump to 22%

Phishing campaigns employing identity deception techniques impersonating trusted brands or individuals accounted for 64% of all advanced email attacks from July through September 2019. However, while these numbers are up in the aggregate, the composition of these deceptions is in flux. During the third quarter of 2019, the number of phishing campaigns impersonating brands dropped 6%. At the same time, email attacks impersonating individuals hit 22%, compared to just 12% in the previous quarter. While malicious emails impersonating well-known brands are generally associated with credentials-harvesting schemes, those spoofing trusted individuals are typically linked to more sophisticated, social engineering-based BEC attacks.

Employee-Reported Phishing Attacks Increase Response Times by 14%

Employee-reported phishing incidents rose 6% during the second quarter, to more than 35,108 annually, while the number of false positives among those reports rose 7%. According to the Q4 ACID Phishing Incident Response Survey of professionals at 460 organizations with 1,000+ employees, the time needed to triage, investigate, and remediate each incident, including a larger number of false positives, rose by more than an hour per incident, a 14% increase, in the last three months. And while the average number of SOC analysts increased to 16.9 per organization, increasing employee-related phishing incidents pushed the gap in the number of analysts needed to handle these volumes up 23%.

DMARC Adoption Soars 49% in Past Year, But 87% of Fortune 500 Remain at Risk

ACID analyzed 8,244,356 domains with valid Domain-based Message Authentication, Reporting, and Conformance (DMARC) records as part of the largest ongoing study of DMARC adoption worldwide. The US and Germany remain leaders in the total number of domains with assigned DMARC records, with the US still #1 in the total percentage of domains with reject policies. Overall, adoption of the DMARC email authentication protocol is up 49% worldwide year-over-year. But most of the world’s most prominent corporations are still at risk from email-based brand impersonation scams targeting their customers, partners, and others.


Inside This Report

The statistics presented here reflect information captured from the following sources from July through September:

Data extracted from trillions of emails analyzed and applied by Agari Identity Graph™

DMARC-carrying domains identified among 366 million+ domains crawled worldwide

Insights from our quarterly phishing incident survey of SOC professionals at 460 organizations

ACID is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigations and the identity deception tactics, criminal group dynamics, and relevant trends behind these and other advanced email threats. Created by Agari in 2018, ACID helps to mitigate cybercriminal activity by working with law enforcement and other trusted partners.


Table of Contents

Employee Phishing and Business Email Compromise Trends
- Friend or Faux?: Attacks Spoofing Individuals on the Rise, But Brand Impersonations Persist
- BEC Breakout Session: Gift Cards Still Top Cash-Outs, But Transfers and Diversions Are Climbing

Phishing Incident Response Trends
- Incident Response Challenges Escalate: Volume of Employee-Reported Phishing Attacks Continues to Mount
- Employee Reporting Tools Proliferate: Survey Respondents See Plentiful Options for Reporting Suspect Emails
- Breachonomics: Data Breach Risk Reductions from Automation Gain Urgency
- The Automation Index: Estimated Reductions in Breach Risk Average 59%
- Totaling It Up: Calculating The Savings from Automation

Consumer Phishing and DMARC Trends
- DMARC Adoption Snapshot: The Industry’s Largest Ongoing Study of Adoption Rates Worldwide
- DMARC Breakout Session: Email Authentication Levels Inch Up, But Reject Policies Still Not Enforced
- Brand Indicators Adoption: BIMI Soars More Than 700% in First Three Quarters of 2019

About This Report

About the Agari Cyber Intelligence Division (ACID)


Employee Phishing and Business Email Compromise Trends

KEY FINDINGS

In the aggregate, 64% of all advanced email attacks use identity deception techniques to impersonate trusted brands or individuals, up 11% since March.

While brand impersonation attacks persist, 22% of advanced email attacks now spoof individuals, compared to 12% from the previous quarter.

Gift cards remain the cash-out mechanism of choice for laundering proceeds from BEC attacks, while payroll diversions and wire transfer scams collectively rose nearly 10% in the last 90 days.


Friend or Faux? Attacks Spoofing Individuals on the Rise, But Brand Impersonations Persist

Cybercriminals continuously modulate their approaches to phishing, BEC scams, and other advanced email attacks as targets grow wise to their tactics. While brand impersonations still dominate, attacks impersonating specific individuals rose 10% from July through September. As this and other shifts take hold, mounting business losses remain the only constant in an ever-evolving email threat landscape.

Identity Deception Tactics Are in Flux

In aggregate, 64% of phishing campaigns employing identity deception techniques now use display names designed to hoodwink recipients into believing they’re from a known and trusted individual or brand. That’s up 11% since March, underscoring the growing role display name deception plays in the vast majority of advanced email attacks.

Over the last three months, 22% of phishing campaigns impersonated individuals in the initial email, compared to just 12% during the previous quarter. Meanwhile, those impersonating brands dropped six percent.

Advanced Attacks by Imposter Type

22% Look-alike Domain
From: LinkedIn <noreply@liinkediin.com>
To: Jan Bird <jan.bird@gs.com>
Subject: Diana has endorsed you!

42% Display Name Deception (Brand)
From: Chase Support <chase@gmail.com>
To: Tom Frost <ffrost@amazon.com>
Subject: Account Disabled

14% Compromised Account
From: Raymond Lim <rlim@contoso.com>
To: Cong Ho <cho@contoso.com>
Subject: PO 382313

22% Display Name Deception (Individual)
From: Patrick Peterson <Patrick Peterson [hackyjoe@gmail.com]>
To: Cong Ho <cong@agari.com>
Subject: Follow up on Invoice Payment
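The imposter types in the figure can be approximated from the From header alone. The following is an added example, not Agari's detection logic; the domain inventory, the VIP name list and the edit-distance threshold are assumptions, and the sample headers are adapted from the figure.

```python
from email.utils import parseaddr

# Assumed inventory (hypothetical values for this example, not from the report).
ORG_DOMAINS = {"contoso.com"}                 # domains the organization owns
BRAND_DOMAINS = {"linkedin": "linkedin.com",  # brand keyword -> genuine domain
                 "chase": "chase.com"}
VIP_NAMES = {"patrick peterson"}              # names attackers are likely to borrow
LOOKALIKE_MAX_EDITS = 2                       # assumed threshold


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Map one From header to an imposter type from the figure."""
    display, addr = parseaddr(from_header)
    name = display.strip().lower()
    domain = addr.rpartition("@")[2].lower()

    if domain in ORG_DOMAINS:
        # The header is consistent with a colleague. A compromised account
        # looks identical here and needs content or behaviour signals.
        return "internal-or-compromised"

    # Near miss of a protected domain: a registered look-alike.
    for real in set(BRAND_DOMAINS.values()) | ORG_DOMAINS:
        if 0 < edit_distance(domain, real) <= LOOKALIKE_MAX_EDITS:
            return "look-alike-domain"

    # Display name claims a brand; compare it with the sending domain.
    for keyword, real in BRAND_DOMAINS.items():
        if keyword in name:
            # A match is not proof of authenticity; that needs SPF/DKIM/DMARC.
            if domain == real:
                return "brand-domain-match"
            return "display-name-deception-brand"

    # Display name claims a known person but the address is external.
    if name in VIP_NAMES:
        return "display-name-deception-individual"
    return "unclassified"


# Sample headers adapted from the figure (the last one is constructed).
SAMPLES = [
    "LinkedIn <noreply@liinkediin.com>",
    "Chase Support <chase@gmail.com>",
    "Raymond Lim <rlim@contoso.com>",
    "Patrick Peterson <hackyjoe@gmail.com>",
    "Alice Example <alice@example.org>",
]


def classify_all(headers):
    """Return (header, label) pairs for a batch of From headers."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, label in classify_all(SAMPLES):
        print(f"{label:36} {header}")
```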


Why Even Small Shifts Matter

Generally speaking, malicious emails that impersonate well-known brands are associated with credentials-harvesting schemes, while phishing emails spoofing trusted individuals are typically linked to more sophisticated, social engineering-based attacks such as BEC or executive spoof scams.

Together with a 2% decline in attacks launched from compromised email accounts, current trendlines align with observations shared in our Q3 report. As we put it at the time, one line of reasoning suggests cybercriminal organizations may have spent the early part of this year in full intelligence-gathering mode, gearing up for more lucrative BEC attacks to come.

Time will tell, but the recent rise in email attacks spoofing trusted individuals could augur a period of heightened risk from BEC and other highly sophisticated email scams in the months ahead.


BEC Breakout Session: Gift Cards Still Top Cash-Outs, But Transfers and Diversions Are Climbing

While cybercriminal organizations have numerous options for laundering the spoils from their BEC scams, the gift card has emerged as the undisputed king of cash-outs. After all, they’re more anonymous, less reversible, and far more convenient than dealing with money mule intermediaries.

Yet while gift cards were requested in 56% of all BEC scams during the third quarter, that’s actually down from 65% in the previous quarter. At the same time, payroll diversions continued to gain traction, accounting for cash-outs in a quarter of all attacks. That’s up five percent in just the last three months. Meanwhile, nearly 1 in 5 BEC attacks were wire transfer scams—a four percent increase from the previous quarter.

Type of BEC Attacks

19% Direct Transfer
56% Gift Card
25% Payroll Diversion


Still, the modest rise in wire transfer attacks may be cause for concern. According to the U.S. Treasury Department, businesses lose as much as $300 million a month to BEC scams in all their forms. But half of those losses are attributed to con artists seeking wire transfers on fraudulent payments. In our report on the cybercriminal group Silent Starling, we look at a troubling new BEC trend that we call vendor email compromise (VEC), in which fraudsters use compromised employee email accounts to target not just one company, but entire supply chain ecosystems.

Volume vs. Margin: The $300 Million-a-Month Question

While gift cards remain the most frequently targeted cash-out mechanism in BEC scams, the amount of money an attacker can swindle per attack is far less than with wire transfers. During the past quarter, the average dollar amount for gift cards requested in BEC scams was just over $1,500, compared to more than $52,000 for attacks leveraging wire transfers. This disparity has made gift card-based BEC scams a numbers game propelled by volume and attack cadence.

Amount Requested per BEC Attack Type

BEC Attack Type   Average   Median    Minimum   Maximum
Gift Card         $1,571    $1,000    $200      $8,000
Wire Transfer     $52,325   $24,958   $2,530    $850,790


How Fraudsters Are Shuffling the Deck on Gift Card Cash-Out Requests

Over the past quarter, BEC scammers requested 20 different types of gift cards. But cards belonging to five brands—Google Play, Steam Wallet, Amazon, Walmart, and eBay—continued to rank among the most dominant, figuring into nearly three in every four requests. Scams involving requests for gift cards from Walmart and eBay bumped those seeking cards from Apple iTunes out of the top five this quarter.

[Figure: Gift Cards Requested in BEC Attacks. Brands shown: Google Play, Steam Wallet, Amazon, Apple iTunes, Walmart, Target, Home Depot, Best Buy, eBay, Other.]

From: <ceodesk@phone-wireless.com>
To: < >
Subject: Re: Hello

Okay, I'm in the middle of something and looking forward to surprise some of our staffs with Gift, Walmart gift cards and I want you to keep it between us pending when they get it. So, therefore, I need a Walmart Gift card of $500 face value each. I need 8 pieces) making a total amount of $4,000. you can purchase them at any Walmart wholesale store outlet close to you. I need you to get the physical card, then you scratch the back out and write each 16 digit and 4 pins numbers and email them to me asap. So quickly go to Any Walmart outlet around you and purchase them now. Can you get it done in 30 minutes to 1 hour? Awaiting your Reply. Regards,


Devil to Pay: Diversion Scams Now 25% of All BEC Attacks

Email-based payroll diversion schemes rose 5% over the last three months, and now account for 1 in 4 BEC swindles.

These cons primarily target employees in Human Resources with emails designed to trick them into changing the direct deposit details for an employee or executive to a bank account controlled by the fraudster.

According to the FBI, the average loss reported in payroll diversion complaints was $7,904 during the first six months of 2019—an 815% increase year-over-year.

From: <mdexecutives@cox.net>
To: < >
Subject: Re: Sarah

I changed my bank and I’ll like to change my paycheck dd details, can the change be effective for the current pay date? Thanks,


More Than Half of BEC Scams Are Launched from Free Webmail Accounts

Email fraud rings continue to leverage free and temporary webmail accounts in the majority of BEC attacks. During the last quarter, 54% of BEC emails were sent from an easily-acquired webmail account. Gmail was the webmail platform of choice for these malicious campaigns, up nearly 14% just since June, while Roadrunner ranked second at 23% of all attacks. Together, these two platforms account for half of all webmail-based BEC attacks.

Look-Alikes Make an Altitude Adjustment

While webmail still reigns supreme, use of web platforms in BEC attacks actually dropped 8% in the last ninety days. Most of the volume shift was toward registered look-alike domains. Today, 40% of all BEC emails are sent from email accounts hosted on a domain registered by the perpetrators—up from 33% in our last report.

Perception Dupes Reality

While there is usually a cost associated with registering a domain, this approach allows scammers to create a more credible looking email address, thus boosting the verisimilitude of their phony email messages. This also gives them the ability to set up phishing sites with HTTPS security to further project legitimacy. The remaining six percent of BEC emails appear to have been sent from compromised email accounts, which can be nearly impossible for many companies to detect.

Most Common Point-of-Origin for BEC Scams

6% Compromised or Spoofed Accounts
54% Free Webmail Providers
40% Registered Domains

1. Gmail          27%
2. Roadrunner     23%
3. Naver          6%
4. Earthlink      5%
5. AOL            5%
6. Cox            5%
7. Virgin Media   4%
8. Lycos          4%
9. Other          21%


Phishing Incident Response Trends

KEY FINDINGS

Thanks to increased volumes of employee-reported phishing incidents, the time required for SOC analysts to triage, investigate, and remediate reported incidents is up 14% in the past 90 days, to more than eight hours per incident.

Employees report an average 35,108 incidents annually, a 6% increase over the quarter, while the number of false positives rose by 7%.

Given increased volumes of reported phishing incidents, SOC headcount requirements jumped 23% in the last three months.


Incident Response Challenges Escalate: Volume of Employee-Reported Phishing Attacks Continues to Mount

With three billion phishing emails sent each day, it is impossible to completely remove the risk that an employee will fall prey. For US companies, the costs associated with a data breach now average $8.19 million per incident. And the longer it takes to contain, the costlier it becomes.

According to the 2019 Verizon Data Breach Investigations Report (DBIR), phishing emails factor into as many as 94% of all successful data breaches. Meanwhile, Ponemon Institute pegs the odds of being hit by a breach at 14.8% per year. But that may be wishful thinking. As it turns out, the same tools businesses are putting in place to allay the threat from phishing may be making things worse.

Hitting the Panic Button: Fielding Attacks (Both Real and Imagined)

Today, employees at most large organizations have the ability to report suspicious emails at the push of a button. But the sheer volume of reported attacks often ends up flooding security operations centers (SOCs) with more incidents to triage, investigate, and remediate than they can handle. The time it takes to identify and resolve breaches grows longer and more costly. And the need for SOCs to find ways to automate and accelerate the processes involved with incident response grows more urgent by the day.

Inside the ACID Phishing Incident Response Survey

ACID’s quarterly survey of SOC professionals at 460 organizations ranging in size from 1,000 to 209,000 employees is designed to gain insights on incident response issues facing enterprises. This quarter’s survey participants include 280 respondents based in the US, and 180 in the UK. Questions capture volume, false positive rate, and the time required to investigate and remediate reported attacks. This section of the Q4 2019 Email Fraud and Identity Deception Trends Report highlights our analysis of survey responses.


Employee Reporting Tools Proliferate: Survey Respondents See Plentiful Options for Reporting Suspect Emails

A decisive 99% of this quarter’s survey respondents say their organizations give employees the ability to report suspected phishing attacks, often via a convenient button and/or abuse inbox for forwarding suspicious emails to the SOC team. That’s up 1% from last quarter’s survey, reflecting near universality of organizations utilizing such tools.

Respondents to this quarter’s survey also report that 90% of their organizations use phishing simulations to test employees’ ability to identify a phishing attack after participating in security awareness training. In most cases, these simulations are implemented via an outside vendor in order to provide an objective assessment of security vulnerabilities.

The remaining 10% of respondents report their organization does not yet conduct such testing, in modest variance with responses over the last few quarters.

Ability to Report Phishing

99% Ability to Report
1% No Ability to Report

Phishing Simulation Adoption

90% Yes
10% No


[Figure: Average Number of Reported Phishing Incidents Per Organization Annually, by region (Global, US, UK), Dec 2018 to Sept 2019.]

[Figure: Employee Reported Phishing False Positive Rate, by region (Global, US, UK), Dec 2018 to Sept 2019.]

Employee-Reported Incidents: Volume vs. Accuracy

With nearly all employees having the ability to report suspected phishing incidents, and nine in ten regularly tested on their ability to identify phishing emails, the next logical questions become: How many attacks are they reporting? What about accuracy? Based on this quarter’s survey results, SOCs receive roughly 35,108 employee-reported phishing incidents on an annualized basis. That’s up from 33,108 incident reports cited in the previous quarter, a 6% increase.

False Positive Rate Jumps 7%

While the number of reported incidents continues to go up, the accuracy of those reports is going down in near equal measure. Over the last ninety days, the false positive rate for employee-reported phishing incidents jumped 7% on a global basis. In the United States, the rate increased 5% from 65% to 70%, while the false positive rate in the United Kingdom rose 4% from 52% to 56%.


Required Response Times Surge

As a practical matter, SOC analysts must triage, investigate, and remediate all reported threats—whether they’re false positives or true attacks. On a global basis, it now takes an average 8.08 hours to complete the process, up more than an hour in just the last three months.

In the United States, the rate is up from 7.72 hours in the previous quarter—an increase of one full hour in that same time period. In the United Kingdom, the rate is up a little more than half an hour from the previous quarter.

On average, SOC analysts now spend 7.11 hours triaging a false positive, compared to 6.13 hours in the previous quarter. And they spend an average 8.08 hours triaging, investigating, and remediating a valid phish—an increase of nearly 45 minutes during the same time period.

[Figure: Average Time Per Phishing Incident to Triage, Investigate, and Remediate, in hours, True Phish vs. False Positive, for Global, US, and UK, Q3 vs. Q4.]


Headcount Needs Rise 23% in Just The Last 90 Days

Besieged by an incessant stream of phishing incidents, the average number of SOC analysts per organization topped 16.9 during the third quarter of 2019—up from 15.3 in the previous quarter.

More than 90% of organizations report having at least one dedicated SOC analyst. Not surprisingly, the total number of dedicated analysts showed a strong correlation between company size, the number of phishing incidents, and the number of SOC employees. For example, 41% of organizations with more than 10,000 employees have twenty or more SOC analysts. The same is true of organizations with 60,000 or more phishing incidents per year.

The Q4 Staffing Gap

Based on the average 35,108 phishing incidents organizations face annually, along with the average time to remediate these incidents, the average SOC needs 136 analysts working forty hours a week on nothing but incident response in order to successfully remediate all reported emails.

But since the average number of SOC analysts in our survey is 16.9, that means there is a staffing gap of at least 119 full-time employees. That’s enough to staff an entire red team. And left unaddressed, this staffing gap will continue to result in a failure to detect phishing incidents, which opens each organization to the possibility of costly data breaches or fraud.

[Figure: Average Number of SOC Analysts Employed, by region (Global, US, UK), Dec 2018 to Sept 2019.]


Breachonomics: Data Breach Risk Reductions from Automation Gain Urgency

Today, phishing is directly involved with a third of all data breaches, and is a key factor of up to 94% of them, according to the 2019 Verizon Data Breach Investigations Report (DBIR). For US-based organizations, the average cost of each data breach is now $8.19 million, with a 14.8% probability of suffering at least one breach within the next year, according to Ponemon Institute. If you multiply the average breach cost of $8.19 million by the probability of 14.8%, the annual breach risk is $1.2 million.

The Verizon DBIR also finds that the average data breach results in exfiltration of data within minutes or hours—while it often takes months for the breach to be discovered. This is likely a symptom of understaffed and inefficient SOC processes for handling phishing incidents. Ideally, SOC analysts would be able to triage, investigate, and remediate reported phishing incidents within minutes, enabling the business to remediate the compromise and contain the breach.

This could easily save 90% of SOC analysts’ time, which could then be applied to far more important initiatives.

[Figure: Time to exfiltration vs. time to discovery in data breaches, on a scale from seconds to years.]

Source: 2019 Verizon Data Breach Investigations Report


The Automation Index: Estimated Reductions in Breach Risk Average 59%

When asked how cutting the time required for phishing incident response through automated processes would impact their overall breach risk, this quarter’s survey respondents estimated average risk reductions of 59%.

In the United States, that figure rose 2% from the previous quarter’s survey, to an average 58% reduction in breach risk, while in the United Kingdom, estimates rose 2% during the same period, to an average 50% reduction.

On a global basis, a 59% reduction in breach risk would result in a $708,000 decrease in annual breach risk for the average business.

[Figure: Risk Reduction Due to Automated Phishing Incident Response, by region (Global, US, UK), Dec 2018 to Sept 2019.]


Totaling It Up: Calculating The Savings from Automation

Based on the data captured in this quarter’s phishing incident response survey, it is possible to establish the variables needed to estimate the cost of manually handling phishing incidents, average breach risk, and the potential cost savings of automating the process.

Using averages for all variables, the detailed calculations below show a total annual cost to the SOC of $12.2 million and an average annual breach risk of $1.2 million—for a total cost of $13.4 million per company.

By implementing automated phishing incident response processes that reduce the time to triage, investigate, and remediate phishing incidents by 90%, and reducing breach risk by 59%, organizations could save $10.9 million in SOC costs and $708,000 in breach risk—for a total savings of $11.71 million annually.

SOC ANALYST COSTS
8.08 Hours per Phishing Incident x 35,108 Incidents = 283,672 Hours of SOC Analyst Time
283,672 Hours ÷ 2,080 FTE Hours per Year = 136 FTEs
136 FTEs x $90,000 per FTE = $12.2M per Year

SOC ANALYST SAVINGS
$12.2M – 90% SOC Time Savings = $11M Savings per Year

BREACH RISK REDUCTION
$8.19M Average Breach Loss x 14.8% Probability = $1.2M Breach Risk
$1.2M Breach Risk – 59% Risk Reduction = $708,000 Breach Risk Reduction

TOTAL SAVINGS
$11M SOC Analyst Time Savings + $708,000 Breach Risk Reduction = $11.71M Total Savings

To calculate a custom ROI for your organization, visit www.agari.com/roi


Consumer Phishing and DMARC Trends

KEY FINDINGS

The number of raw DMARC policies soared 49% over the past year, though growth has waned in recent months.

87% of the Fortune 500 remains at risk of seeing their brands hijacked for use in email-based brand impersonation scams targeting their customers, partners, investors, and the public at large.

BIMI continues to gain traction, with 949 domains possessing an associated record, reflecting a 730% increase in the first three quarters of 2019.


DMARC Adoption Snapshot: The Industry’s Largest Ongoing Study of Adoption Rates Worldwide

In a snapshot of more than 366 million Internet domains—the largest of any industry survey—we assess the state of DMARC implementation worldwide from July through September 2019. Overall, adoption is up 49% in the past year. But given the total universe of domains, brands continue to leave their partners, customers, and the public at risk.

Brand Protection: Why DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an open standard email authentication protocol that helps businesses protect their domains from being used to send phishing emails.

Specifically, DMARC gives brands control over who is allowed to send emails on their behalf. It enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains, and gives the brand the ability to tell the email receiver systems what to do with those unauthorized email messages.

Failure to implement DMARC at p=reject puts brands at risk of reputational damage from fraudsters using their domains to launch phishing attacks. These domains may also be blacklisted by receiver infrastructures, or experience reduced deliverability rates for their own legitimate email, hurting email-based marketing and revenue streams.

Brands looking to deploy DMARC are advised to begin with a p=none enforcement policy and work up to the p=reject policy through a well-defined DMARC implementation plan. When enforcement policies are set properly, DMARC has been shown to drive phishing-based impersonations to near zero.
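To see where a domain sits on the path from p=none to p=reject, its published record can be bucketed the same way the adoption charts do. This is an added example, not Agari's tooling; it goes beyond the report by also applying the pct, sp and duplicate-record rules from the DMARC specification (RFC 7489), and all domain names and records are constructed.

```python
from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Return tag/value pairs for one TXT string, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and be exactly "DMARC1".
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:  # ignore fragments that are not tag=value
            tags.setdefault(key.strip().lower(), value.strip())
    return tags


def dmarc_posture(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    # Zero DMARC records, or more than one, means receivers apply no policy.
    if len(records) != 1:
        return {"bucket": "no record", "full_reject": False}
    rec = records[0]
    policy = rec.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # Without a valid p tag, receivers fall back to p=none only when a
        # reporting address (rua) is present; otherwise the record is ignored.
        bucket = "none" if rec.get("rua") else "no record"
        return {"bucket": bucket, "full_reject": False}
    try:
        pct = int(rec.get("pct", "100"))   # share of failing mail the policy covers
    except ValueError:
        pct = 100                          # unparsable pct: use the default
    sp = rec.get("sp", policy).lower()     # subdomain policy defaults to p
    full = policy == "reject" and pct >= 100 and sp == "reject"
    return {"bucket": policy, "pct": pct, "subdomain_policy": sp,
            "full_reject": full}


def adoption_summary(domains):
    """Count domains per bucket, mirroring the report's adoption charts."""
    return Counter(dmarc_posture(txts)["bucket"] for txts in domains.values())


# Constructed sample data: placeholder domains and records, not real findings.
SAMPLE = {
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "gap.example": ["v=DMARC1; p=reject; sp=none"],
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "missing.example": [],
}

if __name__ == "__main__":
    for domain, txts in SAMPLE.items():
        print(domain, dmarc_posture(txts))
    print(dict(adoption_summary(SAMPLE)))
```

A record in the reject bucket with `full_reject` false (a `pct` below 100 or a weaker `sp`) still leaves some spoofed mail deliverable, which a simple count of p=reject records hides.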

[Figure: Domains with DMARC Policies, split into Monitor (p=none), Quarantine, and Block (p=reject), Sept 2018 to Sept 2019.]

For more information on DMARC adoption and its benefits, visit www.agari.com/dmarc-guide


DMARC Breakout Session: Email Authentication Levels Inch Up, But Reject Policies Still Not Enforced

Each quarter, ACID examines the state of DMARC adoption by key geographies. As measured by domains for which a country code can be validated, this data encompasses roughly 50% of our total pool of analyzed domains worldwide.

Germany continues to lead all geographies in registered domains with established DMARC records, and the vast majority of domains for which a country code can be correlated. However, most DMARC records here are at the default, monitor-only setting, with 60.2% set to monitor only and 34.7% set to p=reject.

By contrast, while the United States lags Germany in country-coded domains assigned DMARC records, a higher percentage (40.5%) of its domains have established DMARC records set to the p=reject enforcement level needed to protect against email-based brand impersonation scams.

[Figure: Top 10 Countries with DMARC Policies. Countries shown: TR, PL, ES, UK, IE, FR, RU, NL, US, DE.]

[Figure: Top 10 Countries with DMARC Policies at p=reject. Countries shown: CO, BR, FR, NO, UK, RU, IE, DE, NL, US.]


DMARC Adoption Trends Among the World’s Largest Companies

Our quarterly assessment of publicly available adoption data for the Fortune 500, Financial Times Stock Exchange 100 (FTSE 100), and Australian Securities Exchange 100 (ASX 100) highlights trends among prominent organizations across geographies.

The charts offer a snapshot of DMARC adoption trends among some of the world’s most prominent corporations. It’s important to note that even companies that have assigned DMARC records to their domains are not truly protected unless they are set to the highest level of enforcement. The sizable proportion of “no record” and “monitor only” policies showcases that these organizations can still be impersonated in phishing campaigns that put their customers, investors, and the general public at risk of serious financial harm.
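The four buckets used in these charts (Reject, Quarantine, None, No Record) can be derived from the TXT records published at `_dmarc.<domain>`. The following Python is an added example, not Agari's methodology or code; it applies the policy-discovery rules of RFC 7489, and every domain and record in `SAMPLE` is constructed.

```python
import re
from collections import Counter

# Constructed sample data: TXT strings as they might be returned for _dmarc.<domain>.
SAMPLE = {
    "shop.example": ["v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@shop.example"],
    "bank.example": ["v=DMARC1; p=quarantine; pct=100"],
    "news.example": ["v=DMARC1; p=none; rua=mailto:reports@news.example"],
    "typo.example": ["v=DMARC1; p=rejct; rua=mailto:reports@typo.example"],
    "dupe.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "bare.example": [],
}

# A DMARC record must begin with the version tag v=DMARC1.
VERSION = re.compile(r"\s*v\s*=\s*DMARC1\s*(;|$)")
POLICIES = {"reject": "Reject", "quarantine": "Quarantine", "none": "None"}


def parse_tags(record):
    """Split a DMARC record into a {tag: value} dict with lowercased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def classify(txt_records):
    """Map the TXT strings found at _dmarc.<domain> to one of the four chart buckets."""
    dmarc = [r for r in txt_records if VERSION.match(r)]
    if len(dmarc) != 1:
        # No record, or several: receivers stop policy discovery in both cases.
        return "No Record"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy in POLICIES:
        return POLICIES[policy]
    # Missing or invalid p: treated as p=none only if rua holds a report URI
    # (simplified here to "starts with mailto:"); otherwise the record is ignored.
    uris = tags.get("rua", "").split(",")
    has_rua = any(u.strip().lower().startswith("mailto:") for u in uris)
    return "None" if has_rua else "No Record"


def tally(domains):
    """Count domains per bucket, as in the adoption charts."""
    return dict(Counter(classify(records) for records in domains.values()))
```

Two of the constructed domains show why a published record is not the same as protection: a misspelled policy value falls back to monitor-only, and a duplicated record is treated as no record at all.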

Fortune 500: Despite Progress, 87% of Companies Unprotected

While it can seem glacial, progress has been made. In the past year, the percentage of Fortune 500 companies with no DMARC policy assigned to any of their domains stands at 36%, down from 59% during the same quarter last year. However, 45% of those that have adopted DMARC have yet to set an enforcement policy.

Currently, only 13% of the Fortune 500 has a DMARC record set to the p=reject enforcement policy required to protect against phishing-based brand impersonation attacks targeting their customers, partners, and other organizations.

[Figure: Fortune 500 DMARC Adoption. Percentage of companies by policy (Reject, Quarantine, None, No Record) for Sept 2018, Dec 2018, Mar 2019, June 2019, and Sept 2019.]


[Figure: FTSE 100 DMARC Adoption. Percentage of companies by policy (Reject, Quarantine, None, No Record) for Sept 2018, Dec 2018, Mar 2019, June 2019, and Sept 2019.]

[Figure: ASX 100 DMARC Adoption. Percentage of companies by policy (Reject, Quarantine, None, No Record) for Sept 2018, Dec 2018, Mar 2019, June 2019, and Sept 2019.]

FTSE 100: 84% of Companies Remain at Risk of Impersonation

After making significant improvements in the past year, only 16 of the UK’s FTSE 100 companies are fully protected by email authentication—unchanged from the previous quarter. However, three more companies have at least assigned DMARC records to their domains, putting the index nearly on par with the Fortune 500 on a percentage basis. Nonetheless, 84% of FTSE 100 companies do not yet have protections in place to prevent their brands from being hijacked in email attacks targeting customers.

ASX 100: 92% of Top Companies Leaving Customers in Jeopardy

Today, only eight of the ASX 100 companies have implemented DMARC with the reject policy needed to block fraudsters from impersonating their brands—unchanged from last quarter. While the percentage of companies with no DMARC records assigned to their domains has dropped 12% in the past year, 41% of these companies have yet to take the first step in protecting their brand identities from being pirated in email attacks that put their customers, the public, and their investors at risk.


[Figure: DMARC Policy and Enforcement Trends for Key Industries. Percentage of domains by policy (Reject, Quarantine, None, No Record) for Retail, Healthcare, Other, Tech, Finance, and US Gov.]

DMARC Adoption by Industry Vertical

Our quarterly analysis of DMARC adoption is based on public DNS records for primary corporate and government website domains of large organizations with revenues above $1 billion.

Consistent with recent trends, the US government holds a commanding lead in DMARC policy attainment across all major sectors this past quarter, with roughly 81% of domains attaining DMARC implementation at a p=reject enforcement policy.

But it’s important to note that progress is still being made across industry sectors, with the percentage of domains without DMARC records dropping 2-3% depending on the industry vertical.

Excluding government’s already high enforcement levels, all industry verticals in the index saw increases in p=reject enforcement policies of between one-half and 2%, with healthcare leading the way.


[Figure: Percentage of Domains at Enforcement. Agari Customers compared with Global for US Govt, Finance, Tech, Other, Retail, and Healthcare.]

Note: The Agari Email Threat Center tracks authentication statistics across active domains belonging to customers of Agari. Passive or defensive domains that do not process email will not be reflected in the totals.

The Agari Advantage: Industry Enforcement Comparison

Data in the Agari Email Threat Center enables us to understand how enforcement rates across industries compare with those of Agari customers.

Aggregating real-time DMARC statistics from the domains of top banks, social networks, healthcare providers, major government agencies, and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world both in terms of email volume and domains. To generate real-time threat intelligence, the Agari Email Threat Center analyzed more than 350 million emails from more than 20,500 domains from July through September 2019.

Healthcare Resurges, Leapfrogs Retail—But Government Still Reigns

During the third quarter of 2019, Healthcare took back ground lost to Retail in the previous quarter. But Government still outpaces all other sectors in implementing full enforcement for DMARC-enabled domains.

Healthcare’s gains continue to be propelled by the National Health ISAC and its pledge to match the US Government’s Binding Operational Directive 18-01, which has driven record-high DMARC implementations at full p=reject enforcement among Government agencies.

But other sectors, especially Agari’s Retail sector clients, continue to make strides. Cybercriminals are increasingly targeting retailers as they expand the number of online channels from which they market merchandise. With the all-important 2019 holiday shopping season coming fast, it’s clear retailers want to be prepared for what could be a barrage of attacks in the weeks ahead.


Brand Indicators Adoption

BIMI Soars More Than 700% in First Three Quarters of 2019

Brand Indicators for Message Identification (BIMI) is a standardized way for brands to publish their brand logos online with built-in protections that safeguard against spoofing.

LinkedIn, eBay, Groupon, and Dropbox are just a handful of the widely-known brands that use BIMI to display their logo next to their email messages—enhancing brand presence as well as the ability for brands to control the logo that is displayed. BIMI will work only with email that has been authenticated through the DMARC standard and for which the domain owner has specified a DMARC policy of enforcement, so only authenticated messages can be delivered.

Q4 Snapshot: 85% Growth in BIMI Brand Adoption

As of September 30, 949 domains added BIMI records along their top level domains, and any number of subdomains, during the preceding three months. That’s a significant jump from 511 logos during the second quarter of this year—and 730% more than the 130 logos seen in March.

It should be noted that smaller brands seeking to leverage the tremendous brand presence BIMI affords their logos by displaying them prominently within email clients make up a significant portion of the adoption increases. Look for this to precipitate faster growth among major brands aiming to avoid being outpaced by challenger brands, especially as Google has announced a BIMI pilot program beginning in 2020.

Because of its ability to help increase brand exposure and visibility even while protecting against brand impersonations, BIMI may soon be considered a “must-have” for brand email campaigns everywhere.

[Figure: Total Number of Domains with BIMI Records, for March 2019, June 2019, and Sept 2019; axis from 0 to 1000.]


About This Report

Taxonomy of Advanced Email Threats

ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy helps readers understand the terms used in this report and what they mean to email security.


The metrics and data analyzed in this report are collected from the sources indicated below.

Aggregate Advanced Threat Protection Data

For inbound threat protection, Agari uses machine learning—combined with knowledge of an organization’s email environment—to model good, legitimate traffic. Each message received by Agari is scored and plotted in terms of email senders’ and recipients’ identity characteristics, expected behavior, and personal, organizational, and industry-level relationships. For the attack categorization analysis, we leveraged anonymous aggregate scoring data that automatically breaks out identity deception-based attacks that bypass upstream SEGs into distinct threat categories, such as display name deception, compromised accounts, and more.

Phishing Incident Response Trends

This report presents results from a custom survey conducted by Agari during September 2019. The following charts summarize the demographics and location of the respondents.

Global DMARC Domain Analysis

For broader insight into DMARC policies beyond what we observed in email traffic targeting Agari’s customer base, we analyzed 366 million domains, ultimately observing 8,244,155 domains with recognizable DMARC policies attached. This constantly updated list of domains serves as the basis for trend tracking in subsequent reports.

Survey respondents by country: US 61% (280); UK 39% (180)

Survey respondents by company size: 1–5K 29% (134); 5–10K 36% (165); 10K+ 27% (122); Unknown 8% (39)


About ACID

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigation. ACID supports Agari’s unique mission of protecting digital communications so that humanity prevails over evil. ACID uncovers identity deception tactics, criminal group dynamics, and relevant trends in advanced email attacks. Created by Agari in 2018, ACID helps to impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.

Learn more at acid.agari.com

About Agari

Agari is transforming the legacy Secure Email Gateway with its next-generation Secure Email Cloud™ powered by predictive AI. Leveraging data science and real-time intelligence from trillions of emails, the Agari Identity Graph™ detects, defends, and deters costly advanced email attacks including business email compromise, spearphishing, and account takeover. Winner of the 2018 Best Email Security Solution by SC Magazine, Agari restores trust to the inbox for government agencies, businesses, and consumers worldwide.

Learn more at agari.com


View the 2020 Presidential Campaign Email Threat Index

To see the latest information on which candidates have implemented email security for their campaigns, visit: www.agari.com/election2020

Visit the Agari Threat Center

To see up-to-date global and sector-based DMARC trends across the Agari customer base, visit: www.agari.com/threatcenter

Calculate the ROI of Implementing Agari

To discover how much money you can save by adding Agari to your email security environment, visit: www.agari.com/roi

Get Free Trial: www.agari.com/trial

Discover How Agari Can Improve Your Current Email Security Infrastructure

As your last line of defense against advanced email attacks, Agari stops attacks that bypass other technologies—protecting employees and customers, while also enabling incident response teams to quickly analyze and respond to targeted attacks.