Threat From Spoofed Emails Grows, While DMARC Implementation Lags

Email remains the biggest single cyber threat to business. Phishing can introduce malware either directly or later via stolen credentials, while BEC scam emails can lead to direct financial loss.

Phishing has two costs. The most obvious is compromise-related, such as January’s $240,000 ransom payment by the University of Maastricht following a successful phishing attack (which doesn’t include associated clean-up costs). The second is the cost of handling and mitigating incoming phishing emails.

“People tend to snicker, when they hear about email scams because they immediately think of the old Prince of Nigeria schemes,” comments Patrick Peterson, founder and CEO at Agari. “But those schemes have matured into sophisticated, socially-engineered attacks that equate to billions of dollars in reported fraud loss. Phishing scams are a gateway to money-laundering crimes. So, for the biggest companies in the world to overlook basic cybersecurity measures, like email authentication or automation, is baffling.”

Agari’s Cyber Intelligence Division (ACID), which concentrates on email threat investigations, has found (PDF) that 60% of employee-reported suspect emails are false positives. Nevertheless, each report must be triaged and investigated by the security team, which must spend time investigating something that is statistically likely to be benign, rather than investigating more certain threats. The second cost associated with fraudulent emails — the cost of mitigating them — is at the cost of other security tasks.

The figures come from ACID’s direct engagement with threat actors, from its analysis of trillions of emails, and from conversations with SOC professionals in six large companies.

Business email compromise (BEC) continues to grow. The latest FBI IC3 report says, “In 2019, IC3 recorded 23,775 complaints about BEC, which resulted in more than $1.7 billion in losses.” Agari’s figures flesh this out. Gift card scams, where the fraudulent email seeks to persuade a company employee to purchase gift cards ostensibly for other members of staff or business contacts, are the preferred attack.

“During the last three months of 2019, gift cards were requested in 62% of all BEC scams, compared to 56% during the previous quarter,” notes the report. The increase is not surprising during the winter holiday season, but seems to be part of a continuing trend. Wire transfer scams also increased from 19% to 22%, while payroll diversion scams fell from around 25% to 16%.

There is another shift within the fraudulent emails. Criminals are increasingly impersonating individuals rather than brands. Thirty-six percent of all phishing attacks impersonate a well-known brand, but this is down 6% on the previous quarter. During the same period, emails impersonating individuals grew from 12% to 31%. The reason is probably simple: an email from a real, possibly known, person will be far more compelling than an ‘unsigned’ anonymous email.

Agari also notes the growing incidence of what it calls ‘vendor email compromise’, or VEC. Attackers “are now infiltrating email accounts within one organization to attack organizations throughout its entire supply chain ecosystem,” says Agari. The crime group known as Ancient Tortoise, for example, attempts to compromise aging reports from accounts payable teams and then launch attacks on the company’s entire customer base using fraudulent invoices or requests for changes to payment details.

The best solution to fraudulent email attacks would be universal adoption of the two standards, DMARC and BIMI. Use of the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard is increasing but only defends a tiny proportion of the overall internet. “DMARC,” explains Agari, “enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved domains, and gives the brand the ability to tell email receiver systems what to do with these unauthorized email messages.”

DMARC can be installed in any one of three modes: monitor only, quarantine, and reject. Only the reject mode is secure; the quarantine mode is better than nothing but does not guarantee that the target will not see the email; and monitor only is no different to having no DMARC. To put this in context, the number of Fortune 500 companies with a DMARC record assigned to any of their domains has risen from 61% to 66%. However, 44% have DMARC set to no enforcement, and 7% have enforcement set to quarantine. Only 15% have DMARC properly enforced to reject emails that falsely claim to come from one of their domains. Eighty-five percent of Fortune 500 companies are not using DMARC to protect themselves and their customers from fraudulent emails.
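As an added illustration (not code from the article or from Agari), the small parser below reads a domain’s published DMARC TXT record and maps it to the three modes described above, treating a record whose pct tag is 0 as no enforcement even if it says p=reject; the sample records are constructed.

```python
"""Classify DMARC records into monitor-only, quarantine or reject mode.

Added example, not part of the article. A DMARC record is the TXT record
at _dmarc.<domain>, e.g. 'v=DMARC1; p=reject; rua=mailto:...'. The p= tag
is the policy the domain owner asks receivers to apply to mail that fails
authentication; pct= (default 100) is the share of failing mail it applies to.
"""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs.

    Raises ValueError if the record does not start with v=DMARC1 or lacks p=.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not record.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        raise ValueError("not a DMARC record (missing v=DMARC1 or p= tag)")
    return tags


def enforcement_level(record: str) -> str:
    """Return 'none', 'quarantine' or 'reject' for the effective policy."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    # pct=0 means the published policy is applied to no mail at all, which is
    # the same as monitor-only regardless of what p= says.
    pct = int(tags.get("pct", "100"))
    return "none" if pct == 0 else policy


def summarize(records: dict) -> dict:
    """Count domains per effective mode, as in the Fortune 500 figures above."""
    counts = {"none": 0, "quarantine": 0, "reject": 0}
    for record in records.values():
        counts[enforcement_level(record)] += 1
    return counts


# Constructed sample records for four hypothetical domains.
SAMPLE = {
    "a.example": "v=DMARC1; p=none; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=quarantine; pct=100",
    "c.example": "v=DMARC1; p=reject; rua=mailto:dmarc@c.example",
    "d.example": "v=DMARC1; p=reject; pct=0",   # reject on paper, not enforced
}
```

Running summarize(SAMPLE) reports two domains at no enforcement, one at quarantine and one at reject, which is the breakdown a domain owner should check before assuming a reject policy is protecting customers.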

Brand Indicators for Message Identification (BIMI) is less a standard per se than a standardized way by which companies can associate their brand, visibly, with genuine emails. BIMI adoption, says Agari, has increased tenfold since March 2019. It allows companies to display their logos next to emails that have already been verified by DMARC, providing immediately recognizable proof that the email is safe. This helps the consumer, but also helps promote brand awareness of the company concerned.

The email threat is so longstanding and pervasive that it seems to have become part of the landscape. While large organizations can deploy expensive and sophisticated solutions to protect themselves from fraudulent incoming emails, DMARC remains the best solution to protect their customers from phishing attempts that use their brand name to add trust.

Related: Agari Employs Active Defense to Probe Nigerian Email Scammers 

Related: Presidential Candidates’ Use of DMARC Improves, Yet Short of Optimum 

Related: Inside the Operations of a West African Cybercrime Group 

Related: 2020 U.S. Presidential Candidates Vulnerable to Email Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
