REPORT
© 2019 Agari Data, Inc.
AGARI CYBER INTELLIGENCE DIVISION
Q2 2019 Email Fraud and Identity Deception Trends
Global Insights from the Agari Identity Graph™



Q2 2019 AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS

Executive Summary

Quarterly analysis from the Agari Cyber Intelligence Division (ACID) finds business email compromise (BEC), spear phishing, consumer-targeted brand impersonation scams, and other advanced email threats continue to evolve at a relentless pace, and could even put major US presidential candidates at risk from attacks targeting their staff and their voters as the 2020 election cycle ramps up.

Email Hacking: 2016 Redux, or Something Far Worse?
Despite lessons learned from the hacking of Clinton campaign chairman John Podesta’s email account and subsequent release of sensitive emails on WikiLeaks, little progress has been made since the 2016 US presidential election. As the 2020 election cycle revs up, campaigns are still struggling with email security, primarily because few of the current and most prominent candidates have dedicated staff or resources to implement effective defenses. In fact, over 90% of the current presidential contenders rely on the easily bypassed security controls built into their email platforms—almost exclusively Google Suite and Microsoft. While these controls offer basic defenses, they won’t protect against the kind of advanced email attacks likely to target campaign staff.

And that’s not the only kind of email threat candidates should fear. As of April 29, ACID analysis of domain data indicates only one of the leading candidates polling over 1%—Massachusetts Senator Elizabeth Warren (D)—has a DMARC record established for their domains with a policy that would prevent the campaign or the candidate from being impersonated in emails targeting donors, voters, and others. Given the stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of world-class hackers, especially as more than 90% of the leading candidates remain wide open to attack.


Nearly 30% of BEC Attacks Now Originate from Compromised Email Accounts
ACID analysis finds continued volatility in the identity deception tactics used by cybercriminal organizations behind a growing number of BEC scams. The percentage of all phishing attacks employing identity-deception tactics that use a display name intended to impersonate a trusted individual or brand has dropped to 53%, but most troubling has been the steady increase in the use of compromised email accounts. From January through March 2019, 27% of all identity-deception attacks were launched from compromised accounts. That’s an increase of nearly 30% in just 90 days, making this the second-most prevalent form of identity deception technique. Because phishing attacks launched from compromised accounts are by far the hardest to detect and disrupt, they are especially effective at defrauding the rightful owners of the account—as well as targeted businesses.

Employee-Reported Phishing Attacks Reaching SOCs Surge 25%
According to the Q2 ACID Phishing Incident Response Survey of 176 SOC professionals at 325 organizations with 1,000+ employees, the number of employee-reported phishing attacks climbed 25% in the past quarter—increasing the total volume of incidents corporate security operations centers (SOCs) must remediate to an average of more than 29,000 annually. During this same period, the time needed to triage, investigate, and remediate each incident rose to an average of 6.5 hours. While the number of SOC analysts increased to 14, the gap between the number of analysts needed (90) and the actual number of analysts widened.

DMARC Adoption Rises a Tepid 1% While 90% of Fortune 500 Remains Unprotected
By the end of March 2019, ACID identified 6.75 million domains with valid DMARC records out of 328 million total domains examined as part of the industry’s largest ongoing study of DMARC adoption worldwide. Germany ranks first in raw domains with established DMARC records, though the United States maintains the highest percentage of domains with DMARC records with a reject policy. Overall, domains with DMARC records rose 1%, with the rate of growth rising at a much slower pace than the previous quarter. This leaves the vast majority of the world’s most prominent companies vulnerable to email-based impersonation attacks targeting their customers, partners, and other businesses—including nearly 90% of the Fortune 500.


Inside this Report
In this quarterly report, we examine trends in phishing and email fraud perpetrated against businesses and their customers.

For the first time ever, we also begin tracking both Domain-based Message Authentication, Reporting and Conformance (DMARC) and Advanced Threat Protection adoption among presidential candidates seeking their parties’ nominations heading into next year’s 2020 US elections. This report includes a look at which campaigns may be most vulnerable to email-based impersonation scams that can damage candidates’ reputations, operational effectiveness, fundraising efforts, and even national security.

Also included are the results from our quarterly survey on the impact of phishing incident response in the enterprise, and the burden and cost for a security operations center (SOC) team to respond to employee-reported emails. The statistics presented here reflect information captured from the following sources from January through March 2019:

• Analysis of 2020 Presidential campaign email vulnerability based on DNS and MX record information
• Data extracted from the 300 million+ daily model updates by the Agari Identity Graph™
• DMARC-carrying domains identified within the 328 million+ domains crawled
• Insights captured from a phishing incident survey of more than 250 cybersecurity professionals

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigation. ACID supports Agari’s mission of protecting communications so that humanity prevails over evil. The ACID team uncovers identity deception tactics, criminal group dynamics, and relevant trends in advanced email threats. Created by Agari in 2018, ACID helps to impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.


Table of Contents

Presidential Campaign Security 2020
- Deception 2020: US Elections Under Email Attack 9
- Enemies in the Inbox: Spear Phishing Attacks Should Raise Concerns for Candidates 10
- 2016 Presidential Redux—or Worse? DMARC Authentication Necessary for Voter Protection 12

Employee Phishing and Business Email Compromise (BEC)
- Patterns of Deceit: Attacks from Compromised Accounts Continue to Surge 16
- C-Suite Phishing Trends: High-Value Executives See Rise in Identity Deception Attacks Impersonating Individuals 18
- BEC in the Spotlight: The Use of Free Accounts, Look-alike Domains, and Personalization 19

Phishing Incident Response Trends
- Incident Response Trends: SOCs See Reported Phishing Attacks Jump 25% 24
- Employee Empowerment Evolves: Organizations Change Tactics for Employee Reporting 25
- Catching Phish: How Employees Report Suspected Attacks 26
- SOC Staffing Snapshot: Headcount Needs Nearly Double in 90 Days 31
- Data Breach Economics: Risk Reductions from Automation 32
- Totaling It Up: The Cost of Manual Response vs. the Savings from Automation 34

Customer Phishing and DMARC Trends
- DMARC Adoption Snapshot: The Industry’s Largest Ongoing Study of Adoption Rates Worldwide 36
- Q2 Scorecard: Vendors and DMARC Service Providers 38
- DMARC Adoption By Geography 40
- Prominent Trends Across Top Companies 41
- Large Sector Analysis: DMARC Authentication by Vertical 44
- Industry Enforcement Comparison: The Agari Advantage by Vertical 45
- Brand Indicators Adoption Up 60% as More Brands Realize Its Value 46

About This Report 47
About the Agari Cyber Intelligence Division (ACID) 48


Key Terms
A Taxonomy of Advanced Email Threats
With rising levels of cybercrime posing a serious threat to individuals, businesses, and governments, it is vitally important to codify a consistent set of terms to describe the different challenges that characterize this threat landscape. Not every email scam is a “phishing attack,” for instance.

For more information about the Agari Threat Taxonomy, see agari.com/taxonomy

To address this need, ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out and what the perpetrators aim to achieve. This taxonomy will help readers understand the terms used in this report and what they mean to email security.

Because email fraud centers around identity deception—the impersonation of trusted senders—in order to con recipients, we start with the method by which the impostor impersonates the trusted sender’s email account, making it appear as if the emails the impostor is sending are originating from the trusted party.

[Figure: the Agari Threat Taxonomy, with the four dimensions and labels shown in the figure. Sender: Imposter (Compromised Account, Display Name Deception, Look-alike Domain, Spoof) or Authentic (Account Owner). Recipient: Internal (Employees) or External (Contractors, Partners, Customers). Objective: Monetary, IP/Data/Credential Theft, Denial of Service. Classification: Fraud (Social Engineering: Targeted or Scattershot; Con, URL, or Malware), Unsolicited Email (Spam, Graymail), Legitimate Email (Misconfiguration).]


Leading Attack Modalities
Generally speaking, we observe three primary ways in which cybercriminals impersonate an email account:

LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that is very similar to the legitimate domain he or she is seeking to impersonate. Look-alike domains are distinguished from domain spoofing, in which the attacker uses the actual email address of the impersonated identity in the “From” header—for example, “Company Customer Service.” Email authentication standards such as DMARC can be used by a domain owner to prevent spoofing of the domain, but are still not adopted widely by all businesses.

DISPLAY NAME DECEPTION: This happens when the cybercriminal inserts the name of the impersonated individual or brand into the “From” field within Gmail, Yahoo, or another free cloud-based email platform. These are also known as “friendly from” attacks.

COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that’s already been compromised—assuming the identity and the actual email account of the impersonated individual or brand, which is the most dangerous threat of all.

Different types or classes of attacks will entail different elements of this taxonomy.

A business email compromise (BEC) attack, for instance, can involve an impostor who aims to impersonate a trusted individual or brand using a look-alike domain, display name deception, or in the worst cases, a compromised legitimate account, leveraging sophisticated social engineering tactics to send highly personalized attacks. Impersonated individuals may be executives within the target’s own company, or an outside vendor or partner company. A BEC attack is targeted and uses a con with no URL or attachment.

By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone into clicking on a malicious link that captures their username and password. When attacking businesses, display name deception is typically the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.
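The three modalities above, together with the authentic case, can be mapped onto the “From” header by a small classifier. The Python below is an added example written for this page; it is not Agari’s code nor part of the Agari Identity Graph. The trusted domains and names, every header it classifies, and the look-alike thresholds (within two edits of a trusted domain, or reuse of a trusted domain’s brand label) are constructed assumptions. Its point for defenders is in the first branch: a compromised account passes exactly like the real owner, so header analysis alone cannot separate the two.

```python
import re

# Constructed trust data for this example: the identities an organisation's users
# correspond with, and the domains those identities legitimately send from.
TRUSTED_DOMAINS = {"example-corp.com", "chase.com"}
TRUSTED_NAMES = {"patrick peterson", "chase support"}

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_from(header):
    """Return (display_name, address) for a From: header value.

    email.utils.parseaddr stops at '[' and would drop the rest of a display
    name like 'Patrick Peterson [patrick@example-corp.com]', so this splits
    on the final '<' instead.
    """
    name, sep, rest = header.rpartition("<")
    if not sep:                                  # bare address, no display name
        return "", header.strip().lower()
    return name.strip().strip('"').strip(), rest.strip().rstrip(">").strip().lower()


def levenshtein(a, b):
    """Plain edit distance, used to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted_domains):
    """Heuristic look-alike test; the thresholds are this example's assumption:
    within two edits of a trusted domain (examp1e-corp.com), or reusing a
    trusted domain's brand label as a token (chase-support-center.com)."""
    tokens = set(re.split(r"[.-]", domain))
    for trusted in trusted_domains:
        if levenshtein(domain, trusted) <= 2:
            return True
        if trusted.split(".")[0] in tokens:
            return True
    return False


def classify_from(header, auth_pass, trusted_domains=TRUSTED_DOMAINS, trusted_names=TRUSTED_NAMES):
    """Map a From: header onto the imposter types described in the text.

    auth_pass says whether the message passed DMARC alignment for the From
    domain. A compromised account passes exactly like the real owner, so it
    comes back 'authentic' here; header analysis alone cannot separate them,
    which is why the report rates that modality the hardest to detect.
    """
    name, addr = split_from(header)
    domain = addr.rpartition("@")[2]
    if domain in trusted_domains:
        return "authentic" if auth_pass else "spoof"
    if is_lookalike(domain, trusted_domains):
        return "lookalike_domain"
    lowered = name.lower()
    if any(trusted in lowered for trusted in trusted_names):
        return "display_name_deception"
    # The 'friendly from' variant that hides a trusted address inside the display name
    if any(found.rpartition("@")[2].lower() in trusted_domains for found in ADDR_RE.findall(name)):
        return "display_name_deception"
    return "unclassified"


# Constructed headers, one per modality; the auth results are likewise made up.
SAMPLES = [
    ("Patrick Peterson <patrick@example-corp.com>", True),
    ("Patrick Peterson <patrick@example-corp.com>", False),
    ("IT Helpdesk <it@examp1e-corp.com>", True),
    ('"Chase Support" <alerts@chase-support-center.com>', True),
    ("Patrick Peterson <patrick.peterson@gmail.com>", True),
    ("Patrick Peterson [patrick@example-corp.com] <mailer@freemail.example>", True),
    ("Newsletter <news@random-vendor.example>", True),
]

if __name__ == "__main__":
    for header, auth in SAMPLES:
        print(f"{classify_from(header, auth):24} auth_pass={auth!s:5} {header}")
```

The `auth_pass` input stands in for the receiver’s DMARC alignment result; in a real pipeline it would come from the Authentication-Results header rather than be hand-set. Everything the classifier returns is a label for triage, not a verdict: a “spoof” result on a trusted domain is only as good as that domain’s DMARC policy, which the later sections of this report measure.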

[Figure: the Sender dimension of the taxonomy. Imposter: Compromised Account, Display Name Deception (Brand / Individual), Look-alike Domain, Spoof. Authentic: Account Owner.]


Presidential Campaign Security 2020
Protecting the United States Election From Nation-State Attacks


Deception 2020
US Elections Under Email Attack
Initial findings show that major US presidential candidates are vulnerable both to phishing attacks against staff and to email scams impersonating their campaigns. This must be remedied as we move closer to the election, especially as cybercriminals and nation-state actors seek to derail candidates, defraud voters, and undermine democracy itself.

In the aftermath of the 2016 US presidential election and the hacking of Clinton campaign chairman John Podesta’s email account, email security has become a critical issue as the 2020 election cycle revs up.

It was only three years ago that Podesta was fooled by what appeared to be an “account alert” from his email provider, Google. The malicious link, and the resulting leak of damaging campaign emails on WikiLeaks, helped derail Clinton’s bid for the presidency.

Fast-forward to 2019, and little has changed. Campaigns are still struggling with email security, primarily because very few candidates have dedicated staff or resources to implement critical email security defenses. The Department of Homeland Security offers training, but it tends to be designed for large federal agencies rather than the frenetic, on-the-fly campaign operations that are just starting to rev up for the primaries.

In fact, with the 2020 election cycle now underway, over 90% of the current presidential contenders rely on the easily bypassed security controls that are built into their email platforms—almost exclusively Gmail and Microsoft Office 365. And while these security features provide basic protection, they are not enough to stop the advanced email attacks that are likely to target prominent candidates in the run-up to the election. Perhaps even more troubling, only one presidential candidate polling over 1% has implemented the DMARC policy needed to keep fraudulent email purporting to come from the campaign or the candidate themselves out of voter inboxes.

The information here was collected on April 29, 2019. For an up-to-date status on top candidates, see agari.com/election2020


Enemies in the Inbox
Spear Phishing Attacks Should Raise Concerns for Candidates
While the security controls of most webmail platform providers have grown adept at ferreting out malicious links and malware, they are powerless on their own against advanced, identity-based phishing attacks, and cybercriminals are taking advantage. Instead of relying solely on the kind of spear phishing approach used on Podesta, these operatives are now launching highly personalized, socially-engineered email messages designed to manipulate recipients into revealing sensitive information or login credentials before thinking to confirm the message’s legitimacy.

Advanced Email Security Is a Necessity for Serious Candidates
To be sure, some attacks may still include “Past Due” or “Password Change Required”-style alerts designed to harvest email login credentials. But others may involve an “urgent request” from a trusted advisor, outside firm, or a senior campaign official asking the recipient to pay a vendor or forward confidential polling data or campaign information. Fortunately, much of this can be stopped by advanced email security controls that overlay on top of Microsoft Office or Gmail to stop advanced attacks like business email compromise, spear phishing, and others.

Despite the ease of implementing advanced email protection, the Agari Cyber Intelligence Division finds that only 3% of the current crop of US presidential candidates with an email-receiving domain or campaign website have implemented a solution to stop advanced threats.

[Chart: Email Gateways. All Candidates with Website: 91% Unknown/On-Premises Gateway, 6% Microsoft Office 365, 3% Third-Party Advanced Email Security Provider. Candidates polling >1%: 74% Google, 9% Microsoft Office 365, 17% Third-Party Advanced Email Security Provider.]


A vast majority of candidates are relying on the basic controls built into their cloud-based email platform. All this means is that these candidates are open to attack in the form of phishing and account takeovers—threats that could derail an entire campaign, smear a presidential candidate, and turn the wave of support against a leading presidential contender.

Leading Candidates Are at Risk for Attack
Of the candidates polling over 1%, according to data from Real Clear Politics, the situation is not much better. Only two candidates—Massachusetts Senator Elizabeth Warren and Former Massachusetts Governor Bill Weld—have put an advanced security solution in place to protect their staff from the email threats that could cause major headaches should they be successful.

Let’s hope more join them. Even with heavy investments in security and employee phishing training, 96% of corporate data breaches begin with an email, with more than 4,000 records stolen every single minute. With these numbers, imagine what these criminals could do to a presidential bid.

The rapidly-evolving nature of campaign operations and their ad hoc ecosystem of advisors, pollsters, policy analysts, and other members of a candidate’s braintrust make them easy targets for world-class hackers—both foreign and domestic. As the race heats up and the press focuses more on our top contenders, so will nation-state actors who want to target the 2020 election and the United States democracy.

And unfortunately, these are not the only types of email threats that candidates should fear.


2016 Presidential Redux—or Worse?
DMARC Authentication Necessary for Voter Protection
The fact is, there is another email-based threat that could pose a far graver danger to candidates and to our electoral system itself. US congressional and presidential candidates whose domains are unprotected by the DMARC email authentication protocol risk finding their campaigns impersonated in phishing attacks targeting not their staff, but rather their most important constituents—including voters, donors, the press, and more.

In 2017, the US Department of Homeland Security issued BOD 18-01, a directive requiring all executive branch agencies to adopt DMARC with its top enforcement policy in order to address this same issue. DMARC helps ensure only authorized parties can send emails on an agency’s behalf, preventing agencies or individuals from that agency from being impersonated in attacks targeting other agencies, government officials, citizens, media outlets, foreign allies, and more.

To its credit, the US executive branch is now one of the leading industry verticals in the adoption of DMARC. But so far at least, no such directive has been set for the federal government’s legislative or judicial branches, let alone for the chaotic operations of congressional and presidential election campaigns.

Mission: Impersonate
Given the stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of highly-networked cybercriminal organizations, some of them foreign adversaries, with access to all the same donor and voter data so critical to campaign success.

What happens if candidates for the highest office in the land are impersonated in phishing attacks targeting voters, donors, or the domestic or foreign press? What kind of fraudulent statements or mischaracterized policy positions could be attributed to these candidates and emailed to rival campaigns, the media, and key voters—including independents in battleground states?


And what happens when the negative publicity from such attacks leads these and other constituents to avoid opening a campaign’s legitimate email messages, including those focused on fundraising? Because email marketing has an average ROI of $38 for every $1 spent, impersonation attacks that hobble the email channel can quickly crush a candidate’s reputation, their fundraising ability, and their electoral viability. For these reasons and more, DMARC implementation should be the absolute baseline for email security for every campaign.

DMARC Adoption in the Danger Zone for Most Candidates
When implemented correctly, DMARC authentication at its highest level is the single most important element in stopping attacks that pose as trusted brands or individuals—including political candidates and their campaigns.

In late March, CNN reported that the Democratic National Committee held an online seminar to show campaigns how to implement DMARC. But as of April 29, our analysis of domain data indicates only one of the campaigns with polling averages above 1% has DMARC records established for its domains with a policy that would block phishing emails. This means 99% of all US presidential candidates and 92% of the top candidates are vulnerable to email-based impersonation attacks targeting their constituents and others.

[Chart: DMARC protection. All Candidates with Website: 99% Not Protected, 1% Protected. Candidates polling >1%: 92% Not Protected, 8% Protected.]


Leading Candidates Remain Vulnerable to Attacks
Out of all candidates with polling averages above 1%, only five have DMARC records assigned to their domain. These include:

• Massachusetts Senator Elizabeth Warren (D)
• New Jersey Senator Cory Booker (D)
• Former Secretary of Housing and Urban Development Julian Castro (D)
• Minnesota Senator Amy Klobuchar (D)
• Current President Donald J. Trump (R)

But only Warren has a p=reject policy to stop unauthenticated emails from being delivered. Because a DMARC record does not prevent illegitimate mail from entering the inbox until the policy is set to p=reject, every other major candidate is still vulnerable to email-based impersonation—including current President Trump.

As such, voters should be wary of any email purporting to come from a candidate other than Elizabeth Warren. No other candidates have implemented the protocols necessary to keep fake email out of voter inboxes—a fact that should be remediated sooner rather than later to ensure voter trust throughout the election process.
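The distinction drawn here and under “DMARC Adoption in the Danger Zone”, that having a DMARC record is not protection until p=reject is in force, can be checked mechanically. The Python below is an added example, not Agari’s tooling or the method behind the figures above. It parses the tag=value form of a DMARC TXT record as specified in RFC 7489 and reports what the record actually enforces, including the pct and sp tags that can quietly weaken a p=reject. The domain names and records it checks are constructed; a real check would first fetch the TXT record at _dmarc.<domain> from DNS.

```python
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT record into lower-cased tag -> value pairs (RFC 7489 6.3).

    Returns None when the record is unusable: 'v=DMARC1' absent or not the
    first tag, a tag without '=', or a duplicated tag.
    """
    parts = [p.strip() for p in txt.strip().strip('"').split(";")]
    parts = [p for p in parts if p]              # tolerate a trailing ';'
    if not parts:
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        name = name.strip().lower()
        if name in tags:                         # duplicate tag: record is ambiguous
            return None
        tags[name] = value.strip()
    first_tag = parts[0].split("=", 1)[0].strip().lower()
    if first_tag != "v" or tags["v"] != "DMARC1":  # version must match exactly and come first
        return None
    return tags


def assess_dmarc(txt):
    """Answer the question the report asks of each campaign domain: will this
    record cause unauthenticated mail using the domain to be rejected?

    'enforced' is True only for p=reject applied to 100% of mail; 'gaps' lists
    every way the record falls short of that (p=none/quarantine, reduced pct,
    weaker subdomain policy).
    """
    unusable = {"valid": False, "policy": None, "subdomain_policy": None,
                "pct": None, "enforced": False, "gaps": ["not a usable DMARC1 record"]}
    tags = parse_dmarc(txt)
    if tags is None:
        return unusable
    gaps = []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # RFC 7489 6.6.3: no usable 'p' but a 'rua' reporting address present ->
        # receivers act as if p=none; with neither, the record is ignored.
        if "rua" not in tags:
            return unusable
        policy = "none"
        gaps.append("missing or invalid p tag; receivers treat the record as p=none")
    sub = tags.get("sp", policy).lower()
    if sub not in POLICIES:                      # a bad 'sp' is discarded, so subdomains inherit 'p'
        sub = policy
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and int(pct_raw) <= 100 else 100  # bad pct -> default 100
    if policy != "reject":
        gaps.append(f"p={policy}: unauthenticated mail is not rejected")
    if pct < 100:
        # Mail outside the sampled share gets the next weaker policy, so a
        # p=reject with pct=25 is mostly quarantine in practice.
        gaps.append(f"pct={pct}: only {pct}% of failing mail receives the policy")
    if sub != "reject":
        gaps.append(f"sp={sub}: mail from subdomains is not rejected")
    return {"valid": True, "policy": policy, "subdomain_policy": sub, "pct": pct,
            "enforced": policy == "reject" and pct == 100, "gaps": gaps}


# Constructed records standing in for what a _dmarc.<domain> TXT lookup would return.
SAMPLE_RECORDS = {
    "enforced.example":      "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "monitor-only.example":  "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example":       "v=DMARC1; p=reject; pct=25;",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "no-p.example":          "v=DMARC1; rua=mailto:dmarc@no-p.example",
    "not-dmarc.example":     "v=spf1 -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        status = "PROTECTED" if result["enforced"] else "NOT PROTECTED"
        print(f"{domain:24} {status:14} {'; '.join(result['gaps']) or 'p=reject on 100% of mail'}")
```

Only the first constructed record would count as “protected” under the criterion this report uses; the others each carry a valid DMARC record and would be counted in a raw adoption figure while still allowing impersonated mail through to at least some recipients.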


Employee Phishing and Business Email Compromise (BEC)

Key Findings

An unfortunate increase of 35% means that 27% of advanced email attacks spawn from compromised accounts of trusted individuals and brands.

When targeting execs and high-value employees, attackers moved decisively to impersonating specific individuals in 37% of all email attacks, versus previous trends of impersonating common brands.

As a sign of growing sophistication and targeting inherent to BEC attacks, 20% of deceptive emails observed were personalized to include the name of the recipient in order to make them seem more legitimate.


Patterns of Deceit
Attacks from Compromised Accounts Continue to Surge
More than a quarter of advanced email attacks are now launched from the compromised accounts of trusted individuals and brands—up 26% in just ninety days.

‘From’ Line Fraudsters: Identity Deception Tactics are Evolving Fast
Today, 53% of all phishing attacks employing identity-deception tactics use a display name intended to impersonate a trusted individual or brand in order to defraud an outside supplier, a customer, or other businesses—down from 63% in the previous quarter.

In most cases, attackers favor impersonating trusted brands at 34% over individuals at 19% of all attacks. But while both of these tactics attempt to deceive a recipient by impersonating a known entity, the purpose is typically very different for each.

Generally speaking, malicious emails that impersonate trusted brands are associated with credentials-harvesting attacks, while phishing emails spoofing specific individuals are typically linked to socially-engineered, recipient response-oriented attacks such as BEC or executive spoof scams.

Advanced Attacks by Imposter Type

• 20% Look-alike Domain. Example: From: LinkedIn <[email protected]>; To: Jan Bird <[email protected]>; Subject: Diana has endorsed you!
• 34% Display Name Deception (Brand). Example: From: Chase Support <[email protected]>; To: Tom Frost <[email protected]>; Subject: Account Disabled
• 27% Compromised Account. Example: From: Raymond Lim <[email protected]>; To: Cong Ho <[email protected]>; Subject: PO 382313
• 19% Display Name Deception (Individual). Example: From: Patrick Peterson <Patrick Peterson [[email protected]]>; To: Cong Ho <[email protected]>; Subject: Follow up on Invoice Payment


The thing that is most notable this quarter is the continued increase in the use of compromised email accounts. From January through March 2019, 27% of all identity-deception attacks were launched from the compromised email account of a trusted individual or brand. That’s up from 20% in just three months, making this the second-most frequent type of identity-deception technique.

Legitimate email accounts that have been taken over by scammers can be a crushingly effective way to distribute phishing emails because they are, in a sense, trusted—allowing them to bypass mail filters more easily. The impact of this attack type cannot be overstated.

Attacks launched from compromised email accounts are by far the hardest to detect and disrupt, making them a serious vulnerability for the account’s legitimate owner and the companies involved. Indeed, a successful account takeover does not just give fraudsters the ability to impersonate the account’s owner. It also gives them access to the individual’s contacts, ongoing email conversations, and historical email archives—making it possible to craft new scams made all the more galling by their extraordinary personalization and crushing effectiveness.

Meanwhile, the remaining 20% of identity-deception emails use look-alike domains to send malicious content. While some of these domains can be simply spoofed and sent using basic mailing tools, many are actual domains registered by phishing threat actors.


C-Suite Phishing Trends
High-Value Executives See Rise in Identity Deception Attacks Impersonating Individuals
During the first quarter of 2019, display name deception used to impersonate specific individuals was used in 37% of all email attacks targeting senior executives, compared to just 19% in overall malicious email campaigns.

The distribution of tactics used in phishing attacks diverges significantly from those used when targeting other employees. During the first quarter, display name deception used to impersonate specific individuals, the least common tactic among malicious emails overall, was used in the majority of phishing emails targeting the high-level executives. This dichotomy is driven by BEC scams that target CFOs and other financial executives with malicious emails appearing to be sent from an executive like the CEO, making this one of the most pernicious cyberthreats facing the enterprise.

Identity Deception Attacks by Attack Category (attacks targeting senior executives)

• 15% Look-alike Domain. Example: From: LinkedIn <[email protected]>; To: Jan Bird <[email protected]>; Subject: Diana has endorsed you!
• 36% Display Name Deception (Brand). Example: From: Chase Support <[email protected]>; To: Tom Frost <[email protected]>; Subject: Account Disabled
• 12% Compromised Account. Example: From: Raymond Lim <[email protected]>; To: Cong Ho <[email protected]>; Subject: PO 382313
• 37% Display Name Deception (Individual). Example: From: Patrick Peterson <Patrick Peterson [[email protected]]>; To: Cong Ho <[email protected]>; Subject: Follow up on Invoice Payment

For more information on how cybercriminals target the C-level, see agari.com/londonblue

Compromised account-based phishing scams, which are the second-most common email attack method overall, are rarely used when targeting senior executives, representing just 12% of attacks in the first quarter of 2019.


BEC in the Spotlight
The Use of Free Accounts, Look-alike Domains, and Personalization

This past quarter, the Agari Cyber Intelligence Division took an in-depth look at the tactics used by threat actors in BEC campaigns, one of the costliest forms of phishing attacks businesses face today.

67% of Attacks are Launched from Free Webmail Accounts

What makes today’s BEC campaigns so dangerous is that they can exact eye-popping returns with very little effort or overhead. Because emails used in these attacks do not contain malicious links or payloads, they easily bypass most common security controls in use today.

And in the vast majority of cases, BEC attackers use free and temporary email accounts to launch their campaigns. In fact, our data shows that two-thirds (67%) of BEC emails are sent from an easily-acquired webmail account.

In the first quarter of this year, the most commonly used email provider in these attacks was Roadrunner (rr.com), accounting for 15% of all BEC campaigns. AOL and Gmail ranked as the second and third most commonly used webmail providers for creating accounts used to send BEC phishing emails.

Top Ten Email Providers Used to Send BEC Emails (Q1 2019)

 1. Roadrunner    15.3%
 2. AOL           12.8%
 3. Gmail         10.4%
 4. Lycos          4.1%
 5. Naver          2.1%
 6. Cox            2.0%
 7. Mailbox.org    1.3%
 8. Earthlink      1.2%
 9. Inbox.lv       1.2%
10. TWC            1.0%


The Advantages of Look-alike Domains in BEC Scams

Twenty-eight percent of BEC campaigns in the first quarter were sent from email accounts hosted on a domain registered by the attacker. While there is usually a cost associated with registering a domain, the ability to create a more authentic-looking email address for use in attacks is worth the price for some.

Meanwhile, compromised email accounts belonging to other individuals or brands accounted for the remaining 5% of BEC attacks.

Regardless of the point of origin, the display name used in these attacks is almost always changed to impersonate a senior executive at target organizations.

Most Common Point-of-Origin for BEC Scams (Q1 2019)

67% Webmail
28% Registered domain
 5% Compromised account


Top 10 Subject Lines for Business Email Compromise Scams

Curious what a business email compromise scam actually looks like? In most cases, the initial email in a BEC attack is very brief and designed to elicit a response from a targeted recipient.

Similarly, the subject lines of BEC emails are frequently very generic, so as not to arouse suspicion. But they nearly always contain specific keywords meant to generate urgency.

In fact, 1 in 4 BEC emails observed over the past three months contained one of three words in the subject line: Quick, Request, or Urgent.

Top Ten Most Common Subject Lines in BEC Emails (Q1 2019)

 1. Request               7.6%
 2. [FIRST NAME]          7.2%
 3. Task                  3.7%
 4. Hello [FIRST NAME]    3.5%
 5. Hi [FIRST NAME]       2.5%
 6. Payroll               2.1%
 7. quick task            2.1%
 8. [FIRST/LAST NAME]     1.9%
 9. Direct Deposit        1.7%
10. Available?            1.5%


A Growing Number of BEC Emails are Personalized

Today, 20% of BEC emails are personalized to include the name of the recipient in order to make them seem more legitimate. Compared with a completely generic message, a message that references the target’s name lowers the recipient’s defenses and makes it less likely they’ll recognize the scam.

Personalization also demonstrates the level of reconnaissance some cybercriminal organizations conduct prior to launching their malicious campaigns.

Instead of simply scraping email addresses from company websites, some BEC groups curate target lists of specific financial executives for use in crafting these personalized messages.

Our previous research has shown that many BEC groups use legitimate commercial services to construct tailored queries and collect comprehensive contact information for financial executives around the world.

Personalization vs. Non-Personalization in BEC Attacks

20% Personalized
Subject: Hello
Hello I am planning a surprise for some of the staffs with gift cards and your confidentiality would be appreciated in order not to ruin the surprise. I need you to get some purchase done, email me once you get this.
Vice President of Marketing at Agari
Sent from a Mobile Device

80% Non-Personalized
Subject: Hello
Hi
Are you in your office? Send me a quick reply if you are free. Thanks


Phishing Incident Response Trends

Key Findings

Employees report an average of 29,028 phishing incidents to the security operations center each year per organization—a 25% increase in just 90 days.

The average time it takes to triage, investigate, and remediate reported phishing incidents jumped to 6.5 hours from 4.9 hours, a 32% increase in one quarter.

Costs for the security operations center to triage, investigate, and remediate employee reported phishing nearly doubled—exceeding $8.1 million.


Incident Response Trends
SOCs See Reported Phishing Attacks Jump 25%

In today’s threat environment, there is no possible way to completely remove the risk that an employee will fall for a phishing email designed to defraud the company or steal sensitive information as part of a data breach. During the first quarter of 2019, the time required for security operations centers (SOCs) to respond to employee-reported phishing attacks spiked 32% in just 90 days.

For US-based companies, this matters—a lot. Today, the average cost of a breach is approaching $8 million, and the probability of falling victim to a breach is now 14% per year, according to Ponemon Institute. And it’s getting worse, in part because of the very mechanism businesses are putting in place to mitigate the issue.

The Unexpected Consequences of Employee-Reported Phishing Attacks

In addition to security awareness training and phishing simulations, the vast majority of businesses have provided employees with the ability to report suspected phishing emails. It is critical to understand how to leverage this threat feed to discover and contain breaches before data is exfiltrated.

All too often, employee-reported phishing emails end up flooding SOCs with more incidents to triage, investigate, and remediate than they can handle. As a result, it has become critically important for businesses to find ways to streamline and automate these processes. Otherwise, the time it takes to discover and resolve breaches will only grow longer, while valuable data, intellectual property, and other important business information is exfiltrated by cybercriminals.

Inside the ACID Phishing Incident Response Survey

Every quarter, ACID surveys SOC professionals at 280 organizations ranging in size from 1,000 employees to 209,000 employees in order to get a read on incident response issues. This quarter’s survey participants include 176 respondents based in the United States, and 84 in the United Kingdom.

The survey asks a series of questions regarding employee-reported phishing, including reporting mechanism, volume, false positive rate, existing tools for phishing incident response, and time required to investigate phishing. This section of the Q2 2019 Email Fraud and Identity Deception Trends report highlights analysis of the responses to these questions.


Employee Empowerment Evolves
Organizations Change Tactics for Employee Reporting

Ninety-five percent of this quarter’s survey respondents report employees in their organizations have the ability to report phishing attacks, often via a convenient button and/or abuse inbox for forwarding suspicious messages to the security team.

While this is down 3% quarter-over-quarter, a growing number of organizations are adopting phishing simulations to test employees’ ability to detect a phishing incident after participating in security awareness training. A full 92% of this quarter’s survey respondents report their organizations use such simulations, up 4% from the previous quarter. In most cases, these simulations are implemented via an outside vendor to provide an objective assessment of security vulnerabilities.

Training Employees to Report Phishing

Ability to report phishing: 95% yes, 5% no ability to report
Phishing simulation adoption: 92% yes, 8% no


Catching Phish
How Employees Report Suspected Attacks

Most companies offer multiple reporting methods, including filing a help desk trouble ticket, using the native email client phishing button, or implementing a third-party client such as the KnowBe4 phishing button. But today, the most common mechanism available to employees to report phishing is an [email protected] inbox.

Whether the phishing incident is reported through an inbox or a phishing button, the phishing email itself is forwarded to some combination of a security operations center or help desk support center, for investigation and remediation. In some cases, the mail platform (Microsoft Office 365 or Gmail) or phishing simulation vendor also receives a copy of the reported phishing messages.

Employee Options to Report Phishing (Global; multiple responses allowed)

Forward to abuse email address:     63%
Contact help desk directly:         58%
Email client (native):              45%
Email client (third-party vendor):  37%
No ability to report:                5%
Other:                               0%


Employee-Reported Incidents: Volume and Accuracy

With so much empowerment, training, and testing designed to help employees recognize and report phishing incidents, just how many suspected attacks are reported? What about accuracy?

Based on the results to this quarter’s survey, respondents report roughly 29,028 phishing incidents per organization on an annual basis, with a slightly lower number of phishing incidents in UK-based companies.

In all, 56% of respondents reported a number of phishing incidents ranging from 12,000 to 36,000 per year.

[Chart: Distribution of Annual Reported Phishing Incidents (Global). Buckets: fewer than 1,200; 1,200–12,000; 12,000–36,000; 36,000–60,000; more than 60,000. Extracted values: 20%, 26%, 30%, 19%, 6%.]

[Chart: Average Number of Reported Phishing Incidents Per Organization Annually, Global, US and UK, Q1 vs. Q2 (axis 0–30,000).]


Employee-Reported Incidents: False Positive Rate Rises 10%

The emails employees report are not always true phishing incidents. Security training often encourages users to report any suspicious email. As a result, spam, unwanted marketing emails, and even legitimate messages are often reported as phishing. In the first quarter of 2019, the false positive rate for employee-reported phishing incidents climbed 10% on a global basis. In the United States, the rate rose from 49% to 56%, while the United Kingdom saw a 3% decline over ninety days.

[Chart: Employee-Reported Phishing False Positive Rate, Global, US and UK, previous vs. current quarter (axis 0–60%). Extracted values: 52%, 55%, 56%, 26%, 30%.]


Time Required for Triage, Investigation, Forensics, and Remediation

The phishing incident response workflow moves from reports to alerts to incidents through four stages, each with its own bottleneck:

Phish Reporting: employees report a suspect message using the phish button.
Problem: employee reports are noisy, and phishing training makes the problem worse for the SOC.

SOC Triage: the SOC handles reports, filtering out obvious false positives.
Problem: the tools and workflow for managing these reports are crude and inefficient, often just an Outlook mailbox.

Forensic Analysis: a SOC analyst determines the level of impact.
Problem: understanding the level of impact involves lots of cutting and pasting across multiple forensic tools.

Incident Remediation: the SOC works with the messaging team to address incidents.
Problem: remediation often involves multiple groups, and there isn’t effective data sharing between them.

Each quarter’s survey participants are asked: “For employee phishing reports, how much time on average does it take a SOC analyst to triage, investigate, and remediate?” both in terms of true phishing incidents and false positive reports.


Response Times Climbing Fast

On a global basis, the overall average across all phishing incidents is now 6.5 hours to triage, investigate, and remediate. That number is up 32% from 4.9 hours in the course of ninety days. In the United States, the average is up 1.86 hours, while in the United Kingdom it is up by nearly a full hour.

On average, SOC analysts now spend 5.58 hours triaging a false positive, compared to 3.96 hours in the previous quarter. And they spend an average of 6.64 hours triaging, investigating, and remediating a valid phish, an increase of 0.76 hours during the same time period.

The triage process generally involves a quick investigation of the sender domain and address, included links, and attachments to determine if the message is potentially malicious. This process is often manual, requires multiple third-party tools, and involves the judgement of the analyst—something that is not always 100% reliable.
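The manual checks just described, together with the BEC indicators catalogued earlier in this report (an executive’s display name on a free webmail account, a registered look-alike domain, a Reply-To that moves the thread elsewhere, and the Quick/Request/Urgent subject-line keywords), are exactly the steps a SOC automates first. The following Python script is an added example, not code from Agari or from the report: it parses one reported message and scores those indicators so that an analyst starts from a finding list rather than from a raw mailbox. The organization domain, the executive list and both sample messages are constructed for illustration; the webmail list is the report’s own top ten.

```python
"""Added example (not from the Agari report): first-pass triage of an
employee-reported message, scoring the BEC indicators the report describes.
The organization domain, executive list and sample messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed organization domain and executives whose names BEC lures borrow.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"patrick peterson", "jane doe"}
# Free webmail providers from the report's top-ten list.
FREE_WEBMAIL = {"rr.com", "aol.com", "gmail.com", "lycos.com", "naver.com",
                "cox.net", "mailbox.org", "earthlink.net", "inbox.lv", "twc.com"}
# The three subject-line words the report found in 1 in 4 BEC emails.
URGENCY = re.compile(r"\b(quick|request|urgent)\b", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"'<>]+")


def edit_distance(a, b):
    """Levenshtein distance; a small distance to our domain marks a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, org=ORG_DOMAIN):
    """Not our domain, but within two edits of it or embedding our label."""
    if not domain or domain == org:
        return False
    return edit_distance(domain, org) <= 2 or org.split(".")[0] in domain.split(".")[0]


def triage(raw):
    """Parse one reported message and collect what an analyst would otherwise
    gather by hand: sender identity checks, links and attachment names."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()

    findings = []
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        findings.append("display-name deception: executive name, outside domain")
    if domain in FREE_WEBMAIL:
        findings.append("free webmail sender")
    if is_lookalike(domain):
        findings.append("look-alike domain")
    if reply_domain and reply_domain != domain:
        findings.append("Reply-To domain differs from From domain")
    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("urgency keyword in subject")
    # A BEC lure sent from a real webmail account passes DMARC: the attacker
    # owns the mailbox, so authentication results alone never flag it.
    if "dmarc=fail" in auth:
        findings.append("DMARC failure for From domain")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    return {"from": addr, "findings": findings, "links": URL.findall(body),
            "attachments": [p.get_filename() for p in msg.iter_attachments()],
            "score": len(findings)}


# Constructed sample 1: the "quick task" lure pattern from the report, sent
# from a free webmail account under an executive's display name.
SAMPLE_BEC = """\
From: Patrick Peterson <patrick.peterson.ceo@gmail.com>
To: Cong Ho <cong.ho@example.com>
Subject: Quick task
Authentication-Results: mx.example.com; dmarc=pass header.from=gmail.com

Hi
Are you in your office? Send me a quick reply if you are free. Thanks
"""

# Constructed sample 2: a registered look-alike domain, a Reply-To that moves
# the thread elsewhere, and a link for the recipient to follow.
SAMPLE_LOOKALIKE = """\
From: Raymond Lim <raymond.lim@examp1e.com>
Reply-To: raymond.lim@examp1e-billing.net
To: Cong Ho <cong.ho@example.com>
Subject: PO 382313
Authentication-Results: mx.example.com; dmarc=pass header.from=examp1e.com

Please confirm the purchase order at https://examp1e.com/po/382313
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_LOOKALIKE):
        print(triage(sample))
```

The score is a count of independent indicators, not a verdict: the first sample passes DMARC and carries no link or attachment, yet collects three findings, which is the point the report makes about payload-free BEC slipping past link- and attachment-centric controls. The look-alike check is deliberately loose (two edits, or the organization’s label inside the sender’s label) and should be tuned against an allowlist of partner domains before it is used for automatic blocking.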

Average Time per Phishing Incident to Triage, Investigate, and Remediate (hours)

Global: 6.64 (true phish), 5.58 (false positive)
US:     7.20 (true phish), 5.45 (false positive)
UK:     5.78 (true phish), 5.16 (false positive)


SOC Staffing Snapshot
Headcount Needs Nearly Double in 90 Days

In the face of this continuous barrage of phishing incidents, the average number of SOC analysts per organization hit 14.6 in the first quarter of 2019, up from 12.5 quarter-on-quarter.

More than 90% of organizations report having at least one dedicated SOC analyst. Not surprisingly, the analysis showed a strong correlation between company size, the number of phishing incidents, and the number of SOC employees.

For example, 41% of organizations with more than 10,000 employees have 20 or more SOC analysts. The same is true of organizations with 60,000 or more phishing incidents per year.

The Q2 Staffing Gap

Based on the average number of phishing incidents and the average time to remediation (6.5 hours), the average SOC needs 90 analysts to handle the number of phishing incidents per company. Given that the average number of SOC analysts in our survey is 14.6, there is a widening staffing gap of at least 76 full-time equivalents (FTEs). This gap currently results in organizations failing to detect phishing incidents, which opens each organization to the possibility of breaches or fraud.

Average Number of SOC Analysts Employed

Global: 14.6
US:     15.9
UK:     12.0


Data Breach Economics
Risk Reductions from Automation

Today, the entry point for 96% of all data breaches is well-targeted email, according to the 2018 Verizon Data Breach Investigations Report (DBIR). The average cost of a data breach in the United States is now $7.9 million, and organizations face an average 14% probability of suffering a breach within the next year, according to Ponemon Institute. If you multiply the average breach cost of $7.9 million by the probability of 14%, the annual breach risk is $1.1 million.

Meanwhile, the Verizon DBIR finds that the average data breach results in exfiltration of data within minutes or hours—while the average time-to-discovery takes months. This is likely a symptom of understaffed and inefficient SOC processes for handling phishing incidents. Ideally, SOC analysts would be able to triage, investigate, and remediate reported phishing incidents within minutes, enabling the business to remediate the compromise and contain the breach.

[Chart: share of breaches by time to exfiltration vs. time to discovery, from seconds to years (axis 0–60%). Source: 2018 Verizon DBIR.]


Q2 Automation Index

As part of our quarterly phishing incident response survey, we asked respondents how much reducing the response time required for phishing incident response would reduce their breach risk. Overall, this quarter’s respondents felt their business could reduce breach risk by an average 51% by automating the process of phishing incident response.

In the United States, that figure rose 2% from the previous quarter, to an average 53% reduction in breach risk, while in the United Kingdom, estimates dropped 3% during the same period, to an average 45% reduction.

On a global basis, a 51% reduction in breach risk would result in a $561,025 decrease in annual breach risk for the average business.

Risk Reduction Due to Automated Phishing Incident Response

Global: 51%
US:     53%
UK:     45%


Totaling It Up
The Cost of Manual Response vs. the Savings from Automation

Based on the data captured in this quarter’s phishing incident response survey, it’s possible to establish the variables needed to estimate the cost of manually handling phishing incidents, average breach risk, and the potential cost savings of automating the process.

Using averages for all variables, the detailed calculations that follow show a total annual cost to the SOC of $8.1 million and an average annual breach risk of $1.1 million, for a total cost of $9.2 million per company. By implementing automated phishing incident response processes that reduce the time to triage, investigate, and remediate phishing incidents by 90%, and the time to discover and remediate data breaches by up to 51%, organizations could save $7.29 million in SOC costs and $561,000 in breach risk, for a total savings of $7.85 million.

SOC ANALYST COSTS
6.5 hours per phishing incident × 29,000 incidents = 188,500 hours of SOC analyst time
188,500 hours ÷ 2,080 FTE hours per year = 90 FTEs (90.6, rounded)
90 FTEs × $90,000 per FTE = $8.1M

SOC ANALYST SAVINGS
$8.1M × 90% SOC time savings = $7.29M savings

BREACH RISK REDUCTION
$7.9M average breach loss × 14% probability of breach = $1.1M breach risk
$1.1M breach risk × 51% risk reduction = $561,000 breach risk reduction

TOTAL SAVINGS
$7.29M SOC analyst time savings + $561,000 breach risk reduction = $7.85M total savings

To calculate a custom ROI for your organization, visit agari.com/roi


Customer Phishing and DMARC Trends

Key Findings

By the end of March, ACID identified 6.75 million domains with valid DMARC records, up roughly 1% quarter-over-quarter.

Germany is the #1 region responsible for raw domains with DMARC records, though the United States took the top prize for the percentage of domains at a reject policy.

Only 25% of domains are configured to send email, with DMARC settings on the vast majority set to monitor-only.


DMARC Adoption Snapshot
The Industry’s Largest Ongoing Study of Adoption Rates Worldwide

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open standard email authentication protocol that helps businesses protect their brands and domains from being used to send fraudulent phishing emails. In a snapshot of more than 328 million Internet domains, the largest of any industry survey, we break down the state of DMARC implementation worldwide from January 1 through March 31, 2019.

Take Control of Your Domains

DMARC gives brands control over who is allowed to send emails on their behalf. It enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains, and gives the brand the ability to tell the email receiver systems what to do with those unauthenticated email messages.

Failing to implement DMARC at p=reject results in an easily identifiable vulnerability. Cybercriminals often spoof domains in order to send large volumes of phishing attacks targeting the domain owner’s customers and partners. The ripple effect can be significant. The domain may suffer reputational damage, resulting in being blacklisted by some receiver infrastructures, or experience reduced deliverability rates for legitimate email, hurting email-based revenue streams. The effects may first show up in complaints that outgoing emails aren’t reaching recipients, often bouncing or being filtered by spam filters.

For more information on DMARC and the benefits of adoption, visit agari.com/dmarc-guide

[Chart: Domains with DMARC Policies at Aug 2017, Sept 2018, Dec 2018 and Mar 2019 (axis 0–8,000,000), split into Block (p=reject), Quarantine, and Monitor (p=none).]


Brands looking to deploy DMARC are advised to start with DMARC p=none and work up to p=reject through a well-defined DMARC implementation plan. When enforcement policies are set properly, DMARC has been shown to drive down phishing rates impersonating brands to near zero.

The Picture Grows Sharper

By crawling the entire public Internet domain space representing over 328 million domains, ACID was able to generate its latest snapshot of DMARC implementation rates worldwide from January through March 2019. Overall, there was continued growth in the DMARC adoption rate, but at a much slower pace than the previous quarter.


Q2 Scorecard
Vendors and DMARC Service Providers

Each quarter, we assess how vendors and DMARC service providers are helping organizations use DMARC to protect their domains from email impersonation scams. The size of our dataset offers an unprecedented view into the number of domains for which vendors have established DMARC records, as well as how many of those records have been set to the highest enforcement level of p=reject. This combination of data points offers a snapshot of market share and success rates for each of these vendors.

How the Scorecard Works

As a shorthand to determining a market share figure, we tabulated the number of times specific, well-known DMARC implementation vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field that accepts an email address to receive aggregate DMARC data reports is a good proxy for this calculation. With this email address, the DMARC vendor typically accepts, parses, and visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.

Q2 Vendor Rankings by Total Share of Domains and Percentage of Domains with Reject Policies

The chart shown on the next page provides a basic ranking of top vendors, corresponding to the number of domains that specify that particular vendor in the “rua” field. We then apply a second filter indicating the all-important percentage of domains at the highest possible DMARC enforcement policy setting of p=reject for each vendor, which is the policy level that will block phishing messages.
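To make the rua-based method concrete, and to show what “p=reject” does and does not enforce when a record is read the way a receiver reads it, the following Python is an added example and not Agari’s own tooling. It parses DMARC TXT records, derives the effective policy (including the sp and pct tags, which decide whether a p=reject record actually covers subdomains and all mail), and tallies per-vendor domain counts and reject percentages from the rua addresses exactly as the scorecard describes. The records and vendor names are constructed samples, not data from the report.

```python
"""Added example (not from the Agari report): parse DMARC records, derive the
effective policy, and reproduce the rua-based vendor scorecard.
All records and vendor names below are constructed samples."""
import re
from collections import defaultdict

# Constructed sample of _dmarc TXT records, keyed by the publishing domain.
SAMPLE_RECORDS = {
    "a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example",
    "b.example": "v=DMARC1; p=none; rua=mailto:rpt@vendor-a.example; ruf=mailto:forensic@b.example",
    "c.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@vendor-b.example",
    "d.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@vendor-b.example",
    "e.example": "v=DMARC1; p=reject",                 # self-managed, no vendor
    "f.example": "p=reject; v=DMARC1",                 # invalid: v= must come first
    "g.example": "v=DMARC1;p=reject;rua=mailto:x@vendor-a.example!10m,mailto:y@g.example",
}

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Return the tag dict for a valid DMARC record, else None.
    RFC 7489: the record must begin with v=DMARC1 and carry a valid p= tag."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or re.sub(r"\s+", "", parts[0]).lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in POLICIES:
        return None
    return tags


def effective_policy(tags):
    """(policy, subdomain policy, pct): sp defaults to p, pct defaults to 100."""
    p = tags["p"]
    sp = tags["sp"] if tags.get("sp") in POLICIES else p
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    return p, sp, pct


def rua_domains(tags):
    """Domains of the aggregate-report mailboxes, the scorecard's vendor proxy."""
    out = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            mailbox = uri[len("mailto:"):].split("!")[0]   # drop optional size limit
            out.append(mailbox.rpartition("@")[2].lower())
    return out


def summarize(records):
    """Count domains by published policy, plus records a receiver would ignore."""
    counts = {"none": 0, "quarantine": 0, "reject": 0, "invalid": 0}
    for txt in records.values():
        tags = parse_dmarc(txt)
        counts[tags["p"] if tags else "invalid"] += 1
    return counts


def subdomain_gaps(records):
    """Domains at p=reject that explicitly leave subdomains at sp=none: a
    spoofed anything.sub.domain still gets through."""
    gaps = []
    for domain, txt in records.items():
        tags = parse_dmarc(txt)
        if tags and effective_policy(tags)[:2] == ("reject", "none"):
            gaps.append(domain)
    return gaps


def scorecard(records):
    """Per rua vendor: domains managed, domains at p=reject, and reject %."""
    table = defaultdict(lambda: {"domains": 0, "reject": 0})
    for domain, txt in records.items():
        tags = parse_dmarc(txt)
        if not tags:
            continue
        p = effective_policy(tags)[0]
        for vendor in set(rua_domains(tags)):
            if vendor == domain:
                continue            # a domain reporting to itself is not a vendor
            table[vendor]["domains"] += 1
            table[vendor]["reject"] += p == "reject"
    for row in table.values():
        row["reject_pct"] = round(100 * row["reject"] / row["domains"], 1)
    return dict(table)


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    print(subdomain_gaps(SAMPLE_RECORDS))
    print(scorecard(SAMPLE_RECORDS))
```

Two checks here go beyond the headline counts: a record whose v= tag is not first is discarded, as receivers discard it, so it must not be counted as adoption; and a p=reject record with sp=none (or a pct well below 100) is counted at reject by the scorecard while still leaving spoofable surface, which is why a migration plan should end with sp removed or set to reject and pct back at 100.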

Quarter-over-quarter, there was some movement in overall vendor rankings, with slight improvements for some second tier vendors in terms of the total percentage of domains with DMARC set at its top enforcement level.


Assessing Vendor Attributes

THE SWEET SPOT: Category-leading vendors achieve that perfect combination of a large number of domains serviced across a wide range of industries matched with high levels of top enforcement policy implementation. Finding a company that has high marks in both is essential for those organizations looking to see success with DMARC implementation.

HIGHER QUANTITIES CAN SEE LOWER ENFORCEMENT: The “Goldilocks” ratio can be harder to achieve for mid-tier vendors, which tend to struggle with the ratio of domains they service and what percentage of those records they succeed at converting to the highest enforcement policies. Category leaders with high numbers of enterprise clients can face this challenge as well, as it is harder to have more enterprise domains set to reject.

QUALITY VARIES WILDLY: About 315,000 of the domains that deployed DMARC are using a recognized DMARC provider, and about 6 million domains have DMARC deployed without using a major DMARC service provider. When selecting a vendor, enterprises with hundreds or thousands of domains should consider vendors that have both high numbers of domains and a high-percentage enforcement rate in order to better ensure success.

[Chart: DMARC Policy Observations, Q1 2019: number of domains managed (axis 0–150,000) and percentage of domains with a reject policy (0–100%) per vendor. Vendors shown: Barracuda Networks, ValiMail, 250ok, MXToolbox, Postmarkapp, DMARC Analyzer, Proofpoint, Dmarcian, Agari.]


DMARC Adoption By Geography

As a new feature to the quarterly trends report, ACID is looking at the state of DMARC adoption by key geographies. As measured by domains for which a country code can be validated, this data encompasses roughly 50% of our total pool of analyzed domains worldwide.

Germany Ahead in DMARC Records, United States in Enforcement

According to our analysis, Germany leads all survey geographies in registered domains with established DMARC records, accounting for nearly a sixth of the world’s DMARC records overall, and the vast majority of domains for which a country code can be correlated.

Predictably, given the total volume, Germany also ranks highest in established DMARC records at the default monitor-only setting. As mentioned earlier, this could reflect a high number of domains that are automatically assigned DMARC records by registrars, even when a large percentage of those domains may never be used to send email.

Data for the United States paints a different picture. While it ranks a distant second in the total number of country-coded domains assigned DMARC records, it is number one in DMARC records with an established p=reject enforcement policy. According to industry studies, the United States is the nation most heavily targeted by cybercriminals, which may help to explain this discrepancy.

[Figure: three panels of DMARC records by country code. "Top DMARC Overall": PL, TR, IE, RU, GB, FR, ES, NL, US, DE (axis 0 to 4M domains). "Top 5 P Value = None": FR, ES, NL, US, DE (axis 0 to 1,200,000). "Top 5 P Value = Reject": IE, GB, NL, US, DE (axis 0 to 500K).]


During the first quarter of the year, DMARC adoption remained tepid, with the largest corporations continuing to implement email authentication at a measured pace. Even for those that have assigned DMARC records to their domains, the sizable proportion of “no record” and “monitor-only” policies dramatically increases the likelihood of the organization being impersonated in phishing campaigns targeting their customers and other consumers and businesses. But there has been progress.

DMARC Adoption – Just over 40% of the Fortune 500 have DMARC records assigned to their domains but have yet to publish an enforcement policy. Nonetheless, this is up nearly 5% from December 2018.

Quarantine Policy – Over 5% have implemented a quarantine policy to send phishing emails to the spam folder, in line with the previous quarter.

Reject Policy – Just over 1 in 10 have implemented a reject policy to block phishing attempts impersonating their brands. While relatively low, that’s up roughly 8% from December 2018.

Prominent Trends Across Top Companies

This section presents our quarterly assessment of publicly available adoption data for the Fortune 500, Financial Times Stock Exchange 100 (FTSE 100), and Australian Securities Exchange 100 (ASX 100), highlighting trends among prominent organizations across geographies.

Fortune 500

The Fortune 500 is an annual list compiled and published by Fortune magazine that ranks 500 of the largest United States corporations by total revenue for their respective fiscal years. The list includes publicly held companies, along with privately held companies for which revenues are publicly available. It is a good indicator for how security is trending amongst large companies.

[Figure: Fortune 500 DMARC Adoption. Stacked bars for Aug 2017, Sept 2018, Dec 2018 and Mar 2019 showing the percentage of companies (0 to 100%) with Reject, Quarantine, None and No Record DMARC policies.]


FTSE 100

The Financial Times Stock Exchange 100 Index, more commonly known as the FTSE 100, is a share index of the top 100 companies listed on the London Stock Exchange (LSE). It is seen as the benchmark reference for those seeking an indication on the performance of major companies in the United Kingdom.

Just under half of the top 100 public companies in the UK do not have a DMARC record for their corporate domains. The lack of DMARC implementation means an organization’s customers, suppliers, and other consumers and businesses remain vulnerable to phishing and the losses associated with email scams bearing the organization’s name.

DMARC Adoption – During the first quarter of 2019, there was a 4% increase in the number of FTSE 100 companies publishing a DMARC policy. This marks the first quarter in which more than half of all FTSE 100 companies have DMARC records for their corporate domains.

Quarantine Policy – Only one percent have implemented a quarantine policy to send phishing attempts to spam. This percentage is unchanged from the previous quarter.

Reject Policy – Only 14 companies have implemented a reject policy to block phishing-based brand impersonations. That’s a 3% increase from the previous period.

[Figure: FTSE 100 DMARC Adoption. Stacked bars for Aug 2017, Sept 2018, Dec 2018 and Mar 2019 showing the percentage of companies (0 to 100%) with Reject, Quarantine, None and No Record DMARC policies.]


ASX 100

The ASX 100 is Australia’s stock market index, representing its top 100 large and mid-cap securities.

It appears significant educational efforts are required to boost DMARC adoption in this region, which remains nearly unchanged from Q4 2018. Today, 55% of ASX 100 companies have yet to take the first step in adopting DMARC to combat the threat from brand impersonation attacks bearing their name.

DMARC Adoption – Despite a 1% increase during the last quarter, more than half of the ASX 100 has yet to publish a DMARC policy, showcasing how few companies are thinking about email security.

Quarantine Policy – Two percent have implemented a quarantine policy—the same as the prior quarter.

Reject Policy – Only seven percent have implemented a reject policy, unchanged from Q4 2018.

[Figure: ASX 100 DMARC Adoption. Stacked bars for Aug 2017, Sept 2018, Dec 2018 and Mar 2019 showing the percentage of companies (0 to 100%) with Reject, Quarantine, None and No Record DMARC policies.]


Large Sector Analysis: DMARC Authentication by Vertical

As part of our quarterly analysis of DMARC adoption, we examine public DNS records for primary corporate and government website domains of large organizations with revenues above $1 billion.

This quarter, the US Government is hands down the leader in DMARC policy attainment across all major sectors, with 81% of domains attaining DMARC implementation at a p=reject enforcement policy. While most other sectors experienced negligible changes in adoption over the last quarter, the percentage of healthcare industry domains without a DMARC record dropped 3%.

However, most of these records appear to have been published without an enforcement policy, leaving the associated domains open to email-based impersonation scams targeting their customers and business partners.

[Figure: DMARC Policy and Enforcement Trends for Key Industries. Percentage of domains (0 to 100%) with Reject, Quarantine, None and No Record DMARC policies for Retail, Healthcare, Other, Tech, Finance and US Gov.]


Industry Enforcement Comparison: The Agari Advantage by Vertical

Healthcare Takes the Lead

Segmenting by the same industry groupings presented in the previous section, we compare the respective enforcement levels for each vertical category with that of Agari customers. For the first time ever, healthcare has surpassed the government sector to rank highest among all in the percentage of domains at enforcement in our quarterly reports.

This is remarkable, as healthcare as a vertical moved from the lowest enforcement rate in the Threat Center in Q4 2017 to rank second by year-end 2018. By March 2019, it had surged past government, which had been the enforcement leader amongst Agari customers for some time.

Healthcare’s momentum is likely driven by the National Health ISAC, which issued a companion pledge for DMARC attainment to match that of the US Government’s Binding Operational Directive 18-01. BOD 18-01 was issued in October 2017 and has been the driving factor behind the sky-high adoption rates for executive branch agencies. Agari healthcare sector customers appear to have also attained that goal—and then some.

Data from the Agari Email Threat Center lets us compare enforcement rates across industries with those of Agari customers.

Aggregating real-time DMARC statistics from the domains of top banks, social networks, healthcare providers, major government agencies, and thousands of other organizations, the Agari Email Threat Center is the largest set of detailed DMARC data in the world based both on email volume and domains. To generate real-time threat intelligence, the Agari Email Threat Center analyzed more than 537 billion emails from over 48,000 domains from January through March 2019.

[Figure: Percentage of Domains at Enforcement (0 to 100%), Agari Customers vs Global, for Healthcare, Other, US Govt, Finance, Tech and Retail.]

Note: The Threat Center tracks authentication statistics across active domains belonging to Agari’s customers. Passive or defensive domains that do not process email will not be reflected in the totals. Overall, as indicated previously, the Agari reject rate across all industries in the global domain snapshot is 80%.


Brand Indicators Adoption Up 60% as More Brands Realize Its Value

Brand Indicators for Message Identification (BIMI) is a standardized way for brands to publish their brand logo online with built-in protections that safeguard the brand, application providers, and consumers from impersonation attempts.

Groupon, Aetna, eBay, and Capital One are just some of the brands that use BIMI to display their logo next to their email messages—enhancing brand presence as well as providing assurance to recipients that the message is safe to open. BIMI will work only with email that has been authenticated through the DMARC standard and for which the domain owner has specified a DMARC policy of enforcement, so only authenticated messages can be delivered.

Q2 BIMI Snapshot: A 60% Increase in Brand Adoption

As of March 2019, 130 brand logos use BIMI with their top level domains, and any number of additional subdomains. This is up from 81 logos in January, making it a 60% increase in just ninety days. With a growing number of pilots underway, look for this figure to climb in coming months. Because of its ability to help increase brand exposure and visibility even while protecting against brand impersonations, it may soon be considered “must-have” for brand email campaigns everywhere.


About This Report

This report contains metrics from data collected and analyzed by the following sources:

Aggregate Advanced Threat Protection Data

For inbound threat protection, Agari uses machine learning—combined with knowledge of an organization’s email environment—to model good or authentic traffic. Each message received by Agari is scored and plotted in terms of email senders’ and recipients’ identity characteristics, expected behavior, and personal, organizational, and industry-level relationships. For the attack categorization analysis, we leveraged anonymous aggregate scoring data that automatically breaks out identity deception-based attacks that bypass upstream SEGs into distinct threat categories, such as display name deception, compromised account, and more.

Phishing Incident Response Trends

This report presents results from a custom survey conducted by Agari during March 2019. The following charts summarize the demographics and location of the respondents.

Global DMARC Domain Analysis

For broader insight into DMARC policies beyond what we observed in email traffic targeting Agari’s customer base, we analyzed 328,540,568 domains, ultimately observing 6,755,877 domains with recognizable DMARC policies attached. This constantly updated list of domains serves as the basis for trend tracking in subsequent reports.
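The sector analysis and the global domain analysis above both reduce a domain's published _dmarc TXT record to one of four buckets (No Record, None, Quarantine, Reject) and quote the quarantine-or-reject share as "at enforcement". The following Python is an added example written for this page, not Agari's own tooling: it parses already-fetched records (no DNS lookups), applies the RFC 7489 rule for records without a valid p tag, and tallies a constructed set of ten hypothetical domains.

```python
from collections import Counter

# The four policy buckets used in this report's adoption charts.
BUCKETS = ("No Record", "None", "Quarantine", "Reject")
POLICIES = {"none": "None", "quarantine": "Quarantine", "reject": "Reject"}

def parse_dmarc(txt):
    """Split a _dmarc TXT value into lower-cased tags; None if not DMARC."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def classify(txt):
    """Map one domain's _dmarc TXT value (None when absent) to a bucket."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "No Record"
    bucket = POLICIES.get(tags.get("p", "").lower())
    if bucket is None:
        # RFC 7489 6.6.3: a record lacking a valid p tag counts as p=none
        # if it carries a rua URI; otherwise receivers ignore it entirely.
        return "None" if tags.get("rua", "").startswith("mailto:") else "No Record"
    return bucket

def adoption_summary(records):
    """Percentage of domains per bucket for {domain: _dmarc TXT or None}."""
    counts = Counter(classify(txt) for txt in records.values())
    total = len(records)
    pct = {b: round(100.0 * counts[b] / total, 1) for b in BUCKETS}
    # "At enforcement" is the quarantine-or-reject share the report quotes per sector.
    pct["At Enforcement"] = round(pct["Quarantine"] + pct["Reject"], 1)
    return pct

# Constructed sample: ten hypothetical domains and their _dmarc TXT values.
SAMPLE = {
    "a.example": None,  # no _dmarc record published
    "b.example": None,
    "c.example": "v=DMARC1; p=none; rua=mailto:dmarc@c.example",
    "d.example": "v=DMARC1; p=none",
    "e.example": "v=DMARC1; p=quarantine; pct=100",
    "f.example": "v=DMARC1; p=reject; sp=reject",
    "g.example": "v=DMARC1; p=reject; pct=50",
    "h.example": "v=spf1 -all",  # SPF text at _dmarc: not a DMARC record
    "i.example": "v=DMARC1; rua=mailto:r@i.example",  # no p tag, rua present
    "j.example": "v=DMARC1; p=bogus",  # invalid p, no rua: ignored
}

if __name__ == "__main__":
    for bucket, share in adoption_summary(SAMPLE).items():
        print(f"{bucket:15s} {share:5.1f}%")
```

Note that a record such as g.example counts as Reject by declared policy even though pct=50 applies it to only half of failing mail, which is the same convention the charts use.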

Respondent Characteristics

Country: US 68% (176); UK 32% (84)

Company Size: 1–5K 51% (131); 5–10K 22% (58); 10K+ 27% (71)


About the Agari Cyber Intelligence Division (ACID)

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigation. ACID supports Agari’s unique mission of protecting communications so that humanity prevails over evil. ACID uncovers identity deception tactics, criminal group dynamics, and relevant trends in advanced email attacks. Created by Agari in 2018, ACID helps to impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.

Learn more at acid.agari.com.

About Agari

Agari is transforming the legacy Secure Email Gateway with its next-generation Secure Email Cloud™ powered by predictive AI. Leveraging data science and real-time intelligence from trillions of emails, the Agari Identity Graph™ detects, defends, and deters costly advanced email attacks including business email compromise, spear phishing, and account takeover. Winner of the 2018 Best Email Security Solution by SC Magazine, Agari restores trust to the inbox for government agencies, businesses, and consumers worldwide.

Learn more at www.agari.com.


View the 2020 Presidential Campaign Email Threat Index

To see the latest information on which candidates have implemented email security for their campaigns, visit: www.agari.com/election2020

Visit the Agari Threat Center

To see up-to-date global and sector-based DMARC trends across the Agari customer base, visit: www.agari.com/threatcenter

Calculate the ROI of Implementing Agari

To discover how much money you can save by adding Agari to your email security environment, visit: www.agari.com/roi

Discover How Agari Can Improve Your Current Email Security Infrastructure

As your last line of defense against advanced email attacks, Agari stops attacks that bypass other technologies—protecting employees and customers, while also enabling incident response teams to quickly analyze and respond to targeted attacks.

Get Free Trial www.agari.com/trial