Q2 2019 Email Fraud and Identity Deception Trends Global Insights from the Agari Identity Graph
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
AGARI CYBER
INTELLIGENCE DIVISION
REPORT
Q2 2019
Email Fraud and Identity Deception Trends
Global Insights from the Agari Identity Graph™
© 2019 Agari Data, Inc.Executive Summary
Quarterly analysis from the Agari Cyber Intelligence Division (ACID) finds business email compromise
(BEC), spear phishing, consumer-targeted brand impersonation scams, and other advanced email
threats continue to evolve at a relentless pace, and could even put major US presidential candidates at
risk from attacks targeting their staff and their voters as the 2020 election cycle ramps up.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Email Hacking: 2016 Redux, or Something Far Worse?
Despite lessons learned from the hacking of Clinton campaign chairman John Podesta’s email account and subsequent release of sensitive
emails on WikiLeaks, little progress has been made since the 2016 US presidential election. As the 2020 election cycle revs up, campaigns
are still struggling with email security, primarily because few of the current and most prominent candidates have dedicated staff or
resources to implement effective defenses. In fact, over 90% of the current presidential contenders rely on the easily-bypassed security
controls built into their email platforms—almost exclusively Google Suite and Microsoft. While these controls offer basic defenses, they
won’t protect against the kind of advanced email attacks likely to target campaign staff.
And that’s not the only kind of email threat candidates should fear. As of April 29, ACID analysis of domain data indicates only one of the
leading candidates polling over 1%—Massachusetts Senator Elizabeth Warren (D)—has a DMARC record established for their domains with a
policy that would prevent the campaign or the candidate from being impersonated in emails targeting donors, voters, and others. Given the
stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of world-class
hackers, especially as more than 90% of the leading candidates remain wide open to attack. SEE MORE
Q2 2019
2Nearly 30% of BEC Attacks Now Originate from Compromised Email Accounts
ACID analysis finds continued volatility in the identity deception tactics used by cybercriminal organizations behind a growing number of
BEC scams. The percentage of all phishing attacks employing identity-deception tactics that use a display name intended to impersonate
a trusted individual or brand has dropped to 53%, but most troubling has been the steady increase in the use of compromised email
accounts. From January through March 2019, 27% of all identity-deception attacks were launched from compromised accounts. That’s an
increase of nearly 30% in just 90 days, making this the second-most prevalent form of identity deception technique. Because phishing
attacks launched from compromised accounts are by far the hardest to detect and disrupt, they are especially effective at defrauding the
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
rightful owners of the account—as well as targeted businesses. SEE MORE
Employee-Reported Phishing Attacks Reaching SOCs Surge 25%
According to the Q2 ACID Phishing Incident Response Survey of 176 SOC professionals at 325 organizations with 1,000+ employees, the
number of employee reported phishing attacks climbed 25% in the past quarter—increasing the total volume of incidents corporate security
operations centers (SOCs) must remediate to an average of more than 29,000 annually. During this same period, the time needed to
triage, investigate, and remediate each incident rose to an average of 6.5 hours. While the number of SOC analysts increased to 14, the gap
between the number of analysts needed (90) and the actual number of analysts widened. SEE MORE
DMARC Adoption Rises a Tepid 1% While 90% of Fortune 500 Remains Unprotected
By the end of March 2019, ACID identified 6.75 million domains with valid DMARC records out of 328 million total domains examined as
part of the industry’s largest ongoing study of DMARC adoption worldwide. Germany ranks first in raw domains with established DMARC
records, though the United States maintains the highest percentage of domains with DMARC records with a reject policy. Overall, domains
with DMARC records rose 1%, with the rate of growth rising at a much slower pace than the previous quarter. This leaves the vast majority
of the world’s most prominent companies vulnerable to email-based impersonation attacks targeting their customers, partners, and other
businesses—including nearly 90% of the Fortune 500. SEE MORE
Q2 2019
3Inside this Report
In this quarterly report, we examine trends in phishing and email fraud perpetrated against businesses and their customers.
For the first time ever, we also begin tracking both Domain-based Message Authentication, Reporting and Conformance (DMARC) and
Advanced Threat Protection adoption among presidential candidates seeking their parties’ nominations heading into next year’s 2020 US
elections. This report includes a look at which campaigns may be most vulnerable to email-based impersonation scams that can damage
candidates’ reputations, operational effectiveness, fundraising efforts, and even national security.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Also included are the results from our quarterly survey on the impact of phishing incident response in the enterprise, and the burden and
cost for a security operations center (SOC) team to respond to employee-reported emails. The statistics presented here reflect information
captured from the following sources from January through March 2019:
• Analysis of 2020 Presidential campaign email vulnerability based on DNS and MX record information
• Data extracted from the 300 million+ daily model updates by the Agari Identity Graph™
• DMARC-carrying domains identified within the 328 million+ domains crawled
• Insights captured from a phishing incident survey of more than 250 cybersecurity professionals
The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing
investigation. ACID supports Agari’s mission of protecting communications so that humanity prevails over evil. The ACID team uncovers
identity deception tactics, criminal group dynamics, and relevant trends in advanced email threats. Created by Agari in 2018, ACID helps to
impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.
Q2 2019
4Table of Contents
Presidential Campaign Security 2020
--Deception 2020: US Elections Under Email Attack 9
--Enemies in the Inbox: Spear Phishing Attacks Should Raise Concerns for Candidates 10
--2016 Presidential Redux—or Worse? DMARC Authentication Necessary for Voter Protection 12
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Employee Phishing and Business Email Compromise (BEC)
--Patterns of Deceit: Attacks from Compromised Accounts Continue to Surge 16
--C-Suite Phishing Trends: High-Value Executives See Rise in Identity Deception Attacks Impersonating Individuals 18
--BEC in the Spotlight: The Use of Free Accounts, Look-alike Domains, and Personalization 19
Phishing Incident Response Trends
--Incident Response Trends: SOCs See Reported Phishing Attacks Jump 25% 24
--Employee Empowerment Evolves: Organizations Change Tactics for Employee Reporting 25
--Catching Phish: How Employees Report Suspected Attacks 26
--SOC Staffing Snapshot: Headcount Needs Nearly Double in 90 Days 31
--Data Breach Economics: Risk Reductions from Automation 32
--Totaling It Up: The Cost of Manual Response vs. the Savings from Automation 34
Customer Phishing and DMARC Trends
--DMARC Adoption Snapshot: The Industry’s Largest Ongoing Study of Adoption Rates Worldwide 36
--Q2 Scorecard: Vendors and DMARC Service Providers 38
--DMARC Adoption By Geography 40
--Prominent Trends Across Top Companies 41
--Large Sector Analysis: DMARC Authentication by Vertical 44
Q2 2019
--Industry Enforcement Comparison: The Agari Advantage by Vertical 45
--Brand Indicators Adoption Up 60% as More Brands Realize Its Value 46
About This Report 47
About the Agari Cyber Intelligence Division (ACID) 48
5Key Terms
A Taxonomy of Advanced Email Threats
With rising levels of cybercrime posing a serious threat to individuals, businesses, and governments,
it is vitally important to codify a consistent set of terms to describe the different challenges that
characterize this threat landscape. Not every email scam is a “phishing attack,” for instance.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
To address this need, ACID has established a
Imposter Authentic
classification system for cyber threats—a threat Sender
taxonomy—that breaks down common email- Spoof Look-alike Domain Display Name Deception Compromised Account Account Owner
based attacks in terms of how they are carried out
and what the perpetrators aim to achieve. This Fraud Unsolicited Email Legitimate Email
taxonomy will help readers understand the terms Social Engineering Spam Graymail Misconfiguration
used in this report and what they mean to email Classification
Scattershot Targeted
security.
URL Malware Con
Because email fraud centers around identity
deception—the impersonation of trusted senders— Internal External
Recipient
in order to con recipients, we start with the Employees Contractors Partners Customers
method by which the impostor impersonates
the trusted sender’s email account, making it
Objective Monetary IP/Data/Credential Theft Denial of Service
appear as if the emails the impostor is sending are
originating from the trusted party.
For more information about the Agari Threat Taxonomy, see agari.com/taxonomy
Q2 2019
6Leading Attack Modalities
Generally speaking, we observe three primary ways in which cybercriminals impersonate an email account:
LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that is very similar
to the legitimate domain he or she is seeking to impersonate. Look-alike domains are distinguished from domain spoofing, in which the
attacker uses the actual email address of the impersonated identity in the “From” header—for example, “Company Customer Service.” Email
authentication standards such as DMARC can be used by a domain owner to prevent spoofing of the domain, but are still not adopted
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
widely by all businesses.
DISPLAY NAME DECEPTION: This happens when the cybercriminal inserts the name of the impersonated individual or brand into the
“From” field within Gmail, Yahoo, or another free cloud-based email platform. These are also known as “friendly from” attacks.
Imposter Authentic
Sender
Spoof Look-alike Domain Display Name Deception Compromised Account Account Owner
Brand / Individual
COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that’s already been compromised—
assuming the identity and the actual email account of the impersonated individual or brand, which is the most dangerous threat of all.
Different types or classes of attacks will entail different elements of this taxonomy.
A business email compromise (BEC) attack, for instance, can involve an impostor who aims to impersonate a trusted individual or brand
using a look-alike domain, display name deception, or in the worst cases, a compromised legitimate account, leveraging sophisticated social
engineering tactics to send highly personalized attacks. Impersonated individuals may be executives within the target’s own company, or an
Q2 2019
outside vendor or partner company. A BEC attack is targeted and uses a con with no URL or attachment.
By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone
into clicking on a malicious link that captures their username and password. When attacking businesses, display name deception is typically
the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.
7Presidential Campaign Security 2020
Protecting the United States Election From
Nation-State Attacks
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Q2 2019
8Deception 2020
US Elections Under Email Attack
Initial findings show that major US presidential candidates are vulnerable
both to phishing attacks against staff and to email scams impersonating
their campaigns. This must be remedied as we move closer to the election,
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
especially as cybercriminals and nation-state actors seek to derail
candidates, defraud voters, and undermine democracy itself.
In the aftermath of the 2016 US presidential election and the hacking of Clinton campaign
chairman John Podesta’s email account, email security has become a critical issue as the 2020
election cycle revs up.
It was only three years ago that Podesta was fooled by what appeared to be an “account alert”
from his email provider, Google. The malicious link, and the resulting leak of damaging campaign
emails on WikiLeaks helped derail Clinton’s bid for the presidency.
Fast-forward to 2019, and little has changed. Campaigns are still struggling with email security,
primarily because very few candidates have dedicated staff or resources to implement critical
email security defenses. The Department of Homeland Security offers training, but it tends to be
designed for large federal agencies rather than the frenetic, on-the-fly campaign operations that
are just starting to rev up for the primaries.
In fact, with the 2020 election cycle now underway, over 90% of the current presidential contenders
Q2 2019
rely on the easily-bypassed security controls that are built into their email platforms—almost
exclusively Gmail and Microsoft Office 365. And while these security features provide basic protection,
they are not enough to stop the advanced email attacks that are likely to target prominent
candidates in the run-up to the election. Perhaps even more troubling, only one presidential
candidate polling over 1% has implemented the DMARC policy needed to keep fraudulent email
purporting to come from the campaign or the candidate themselves out of voter inboxes. The information here was collected on April 29, 2019. For an up-to-date
status on top candidates, see agari.com/election2020 9Enemies in the Inbox
Spear Phishing Attacks Should Raise Concerns for Candidates
While the security controls of most webmail platform providers have grown adept at ferreting out
malicious links and malware, they are powerless on their own against advanced, identity-based phishing
attacks, and cybercriminals are taking advantage. Instead of relying solely on the kind of spear phishing
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
approach used on Podesta, these operatives are now launching highly personalized, socially-engineered
email messages designed to manipulate recipients into revealing sensitive information or login
credentials before thinking to confirm the message’s legitimacy.
Advanced Email Security Is a Necessity for Serious Candidates
To be sure, some attacks may still include “Past Due” or “Password Change Required”-style alerts designed to harvest email login credentials.
But others may involve an “urgent request” from a trusted advisor, outside firm, or a senior campaign official asking the recipient to pay a
vendor or forward confidential polling data or campaign information. Fortunately,Email
much of this can be stopped by advanced email security
Gateways
controls that overlay on top of Microsoft Office or Gmail to stop advanced attacks like business email compromise, spear phishing, and others.
Despite the ease of implementing
advanced email protection, the Agari 3% Third-Party 17% Third-Party
Cyber Intelligence Division finds 6% Microsoft Advanced Email Advanced Email
O365 or EOL Security Provider Security Provider
that only 3% of the current crop of
US presidential candidates with an
All Candidates 9% Microsoft
email-receiving domain or campaign O365 or EOL >1% Polling
with Website
website have implemented a solution
to stop advanced threats.
Q2 2019
91% Unknown/
On-Premises Gateway 74% Google
10A vast majority of candidates are relying on the basic controls built
into their cloud-based email platform. All this means is that these
candidates are open to attack in the form of phishing and account
takeovers—threats that could derail an entire campaign, smear
a presidential candidate, and turn the wave of support against a
leading presidential contender.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Leading Candidates Are at Risk for Attack
Of the candidates polling over 1%, according to data from Real Clear
Politics, the situation is not much better. One two candidates—
Massachusetts Senator Elizabeth Warren and Former Massachusetts
Governor Bill Weld—have put an advanced security solution in place
to protect their staff from the email threats that could cause major
headaches should they be successful.
Let’s hope more join them. Even with heavy investments on security
and employee phishing training, 96% of corporate data breaches
begin with an email, with more than 4,000 records are stolen every
single minute. With these numbers, imagine what these criminals
could do to a presidential bid.
The rapidly-evolving nature of campaign operations and their ad hoc
ecosystem of advisors, pollsters, policy analysts, and other members
of a candidate’s braintrust make them easy targets for world-class
hackers—both foreign and domestic. As the race heats up and the
press focuses more on our top contenders, so will nation-state actors
who want to target the 2020 election and the United States democracy.
Q2 2019
And unfortunately, these are not the only types of email threats that
candidates should fear.
112016 Presidential Redux—or Worse?
DMARC Authentication Necessary for Voter Protection
The fact is, there is another email-based threat that could pose a far graver danger to candidates and to
our electoral system itself. For US congressional and presidential candidates with domains unprotected
by the DMARC email authentication protocol, they risk finding their campaigns impersonated in
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
phishing attacks targeting not their staff, but rather their most important constituents—including voters,
donors, the press, and more.
In 2017, the US Department of Homeland Security issued BOD 18-01, a directive requiring all executive branch agencies to adopt DMARC
with its top enforcement policy in order to address this same issue. DMARC helps ensure only authorized parties can send emails on
an agency’s behalf, preventing agencies or individuals from that agency from being impersonated in attacks targeting other agencies,
government officials, citizens, media outlets, foreign allies, and more.
To its credit, the US executive branch is now one of the leading industry verticals in the adoption of DMARC. But so far at least, no such
directive has been set for the federal government’s legislative or judicial branches, let alone for the chaotic operations of congressional and
presidential election campaigns.
Mission: Impersonate
Given the stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of
highly-networked cybercriminal organizations, some of them foreign adversaries, with access to all the same donor and voter data so
critical to campaign success.
What happens if candidates for the highest office in the land are impersonated in phishing attacks targeting voters, donors, or the domestic
Q2 2019
or foreign press? What kind of fraudulent statements or mischaracterized policy positions could be attributed to these candidates and
emailed to rival campaigns, the media, and key voters—including independents in battleground states?
12And what happens when the negative publicity from such attacks leads these and other constituents to avoid opening a campaign’s
legitimate email messages, including those focused on fundraising? Because email marketing has an average ROI of $38 for every $1 spent,
impersonation attacks that hobble the email channel can quickly crush a candidate’s reputation, their fundraising ability, and their electoral
viability. For these reasons and more, DMARC implementation should be the absolute baseline for email security for every campaign.
DMARC Adoption in the Danger Zone for Most Candidates
When implemented correctly, DMARC authentication at its highest level is the single most important element in stopping attacks that pose
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
as trusted brands or individuals—including political candidates and their campaigns.
1% Protected 8% Protected
All Candidates
>1% Polling
with Website
99% Not Protected 92% Not Protected
In late March, CNN reported that the Democratic National Committee held an online seminar to show campaigns how to implement
DMARC. But as of April 29, our analysis of domain data indicates only one of the campaigns with polling averages above 1% have DMARC
records established for their domains with a policy that would block phishing emails. This means 99% of all US presidential candidates and
92% of the top candidates are vulnerable to email-based impersonation attacks targeting their constituents and others.
Q2 2019
13Leading Candidates Remain Vulnerable to Attacks
Out of all candidates with polling averages above 1%, only five have DMARC records
assigned to their domain. These include:
• Massachusetts Senator Elizabeth Warren (D)
• New Jersey Senator Cory Booker (D)
• Former Secretary of Housing and Urban Development Julian Castro (D)
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
• Minnesota Senator Amy Klobuchar (D)
• Current President Donald J. Trump (R)
But only Warren has a p=reject policy to stop unauthenticated emails from being
delivered. Because a DMARC record does not prevent illegitimate mail from entering
the inbox until the policy is set to p=reject, every other major candidate i still
vulnerable to email-based impersonation—including current President Trump.
As such, voters should be wary of any email purporting to come from a candidate
other than Elizabeth Warren. No other candidates have implemented the protocols
necessary to keep fake email out of voter inboxes—a fact that should be remediated
sooner rather than later to ensure voter trust throughout the election process.
Q2 2019
14Employee Phishing and Business Email
Compromise (BEC)
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
An unfortunate increase of 35%
means that 27% of advanced
email attacks spawn from
compromised accounts of
trusted individuals and brands.
When targeting execs and
high-value employees,
attackers moved decisively
to impersonating specific
KEY FINDINGS
individuals in 37% of all email
attacks, versus previous
trends of impersonating
common brands.
As a sign of growing
sophistication and targeting
inherent to BEC attacks, 20%
Q2 2019
of deceptive emails observed
were personalized to include
the name of the recipient in
order to make them seem
more legitimate. 15Patterns of Deceit
Attacks from Compromised Accounts Continue to Surge
More than a quarter of advanced email attacks are now launched from the compromised accounts of
trusted individuals and brands—up 26% in just ninety days.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
‘From’ Line Fraudsters: Identity Deception Tactics are Evolving Fast
Today, 53% of all phishing attacks employing identity-deception tactics use a display name intended to impersonate a trusted individual or
brand in order to defraud an outside supplier, a customer, or other businesses—down from 63% in the previous quarter.
In most cases, attackers favor impersonating trusted brands at 34% over individuals at 19% of all attacks. But while both of these tactics
attempt to deceive a recipient by impersonating a known entity, the purpose is typically very different for each.
Generally speaking, malicious emails that impersonate trusted brands are associated with credentials-harvesting attacks, while phishing emails
spoofing specific individuals are typically linked to socially-engineered, recipient response-oriented attacks such as BEC or executive spoof scams.
20%
Look-alike Domain
From: LinkedIn
To: Jan Bird 34%
Subject: Diana has endorsed you!
Display Name Deception (Brand)
Advanced From: Chase Support
To: Tom Frost
Attacks
Subject: Account Disabled
by Imposter Type
Q2 2019
27%
Compromised Account
From: Raymond Lim 19%
To: Cong Ho Display Name Deception (Individual)
Subject: PO 382313
From: Patrick Peterson 16
To: Cong Ho
Subject: Follow up on Invoice PaymentThe thing that is most notable this quarter is the continued increase in the use of compromised email accounts. From January through
March 2019, 27% of all identity-deception attacks were launched from the compromised email account of a trusted individual or brand.
That’s up from 20% in just three months, making this the second-most frequent type of identity-deception technique.
Legitimate email accounts that have been taken over by scammers can be a crushingly effective way to distribute phishing emails because
they are, in a sense, trusted—allowing them to bypass mail filters more easily. The impact of this attack type cannot be overstated.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Attacks launched from compromised email accounts are by far the hardest to detect and disrupt, making them a serious vulnerability for
the account’s legitimate owner and the companies involved. Indeed, a successful account takeover does not just give fraudsters the ability
to impersonate the account’s owner. It also gives them access to the individual’s contacts, ongoing email conversations, and historical email
archives—making it possible to craft new scams made all the more galling by their extraordinary personalization and crushing effectiveness.
Meanwhile, the remaining 20% of identity-deception emails use look-alike domains to send malicious content. While some of these domains
can be simply spoofed and sent using basic mailing tools, many are actual domains registered by phishing threat actors.
Q2 2019
17C-Suite Phishing Trends
High-Value Executives See Rise in Identity Deception Attacks
Impersonating Individuals
During the first quarter of 2019, display name deception used to impersonate specific individuals was
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
used in 37% of all email attacks targeting senior executives, compared to just 19% in overall malicious
email campaigns.
The distribution of tactics used in phishing attacks diverges significantly from those used when targeting other employees. During the
first quarter, display name deception used to impersonate specific individuals, the least common tactic among malicious emails overall,
was used in the majority of phishing emails targeting the high-level executives. This dichotomy is driven by BEC scams that target CFOs
and other financial executives with malicious emails appearing to be sent from an executive like the CEO, making this one of the most
pernicious cyberthreats facing the enterprise.
Compromised account-based phishing scams,
15% which are the second-most common email attack
Look-alike Domain method overall, are rarely used when targeting
From: LinkedIn
To: Jan Bird 36% senior executives, representing just 12% of attacks
Subject: Diana has endorsed you!
Display Name Deception (Brand) in the first quarter of 2019.
Identity From: Chase Support
Deception To: Tom Frost
Attacks Subject: Account Disabled
by Attack Category
12%
Compromised Account
From: Raymond Lim
Q2 2019
To: Cong Ho
Subject: PO 382313
37%
Display Name Deception (Individual)
From: Patrick Peterson
To: Cong Ho
Subject: Follow up on Invoice Payment
18
For more information on how cybercriminals target the C-level, see agari.com/londonblueBEC in the Spotlight
The Use of Free Accounts, Look-alike Domains, and Personalization
This past quarter, the Agari Cyber Intelligence Division took an in-depth look at the tactics used by
threat actors in BEC campaigns, one of the costliest forms of phishing attacks businesses face today.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
67% of Attacks are Launched from Free Top Ten Email Providers Used to Send BEC Emails
Webmail Accounts
What makes today’s BEC campaigns so dangerous is that they Roadrunner 15.3% 1 6 Cox 2.0%
can exact eye-popping returns with very little effort or overhead. AOL 12.8% 2 7 Mailbox.org 1.3%
Because emails used in these attacks do not contain malicious links
or payloads, they easily bypass most common security controls in Gmail 10.4% 3 8 Earthlink 1.2%
use today.
Lycos 4.1% 4 9 Inbox.Iv 1.2%
And in the vast majority of cases, BEC attackers use free and Naver 2.1% 5 10 TWC 1.0%
temporary email accounts to launch their campaigns. In fact, our
data shows that two-thirds (67%) of BEC emails are sent from an
easily-acquired webmail account.
In the first quarter of this year, the most commonly used email
provider in these attacks was Roadrunner (rr.com), accounting for
15% of all BEC campaigns. AOL and Gmail ranked as the second and
third most commonly used webmail providers for creating accounts
used to send BEC phishing emails.
Q2 2019
19The Advantages of Look-alike Domains in BEC Scams
Twenty-eight percent of BEC campaigns in the first quarter were sent from email accounts hosted on a
domain registered by the attacker. While there is usually a cost associated with registering a domain, the
ability to create a more authentic-looking email address for use in attacks is worth the price for some.
Meanwhile, compromised email accounts belonging to other individuals or brands accounted for the
remaining 5% of BEC attacks.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Regardless of the point of origin, the display name used in these attacks is almost always changed to
impersonate a senior executive at target organizations.
5%
Compromised
Most Common
Point-of-Origin 67%
for BEC Scams Webmail
28%
Registered
Q2 2019
20Top 10 Subject Lines for Business Email Compromise Scams
Curious what a business email compromise scam actually looks like? In most cases, the initial email in a
BEC attack is very brief and designed to elicit a response from a targeted recipient.
Similarly, the subject lines of BEC emails are frequently very generic, so as not to arouse suspicion. But
they nearly always contain specific keywords meant to generate urgency.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
In fact, 1 in 4 BEC emails observed over the past three months contained one of three words in the
subject line: Quick, Request, or Urgent.
Top Ten Most Common Subject Lines
in BEC Emails (Q1 2019)
Request 7.6% 1 6 Payroll 2.1%
[FIRST NAME] 7.2% 2 7 quick task 2.1%
Task 3.7% 3 8 [FIRST/LAST NAME] 1.9%
Hello [FIRST NAME] 3.5% 4 9 Direct Deposit 1.7%
Hi [FIRST NAME] 2.5% 5 10 Available? 1.5%
Q2 2019
21A Growing Number of BEC Emails are Personalized
Today, 20% of BEC emails are personalized to include the name of the recipient in order to make them seem more
legitimate. Rather than receiving a completely generic message, referencing the target’s name serves to lower a
recipient’s defenses and lessen the likelihood they’ll recognize the scam.
Personalization also demonstrates the level of reconnaissance some cybercriminal organizations conduct prior to
launching their malicious campaigns.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Instead of simply scraping email addresses from company websites, some BEC groups curate target lists of
specific financial executives for use in crafting these personalized messages.
Our previous research has shown that many BEC groups use legitimate commercial services to construct tailored
queries and collect comprehensive contact information for financial executives around the world.
20%
Personalized
Subject: Hello
Personalization vs. Hello
Non-Personalization I am planning a surprise for some of
in BEC Attacks the staffs with gift cards and your
confidentiality would be appreciated
in order not to ruin the surprise.
80% I need you to get some purchase
done, email me once you get this.
Non-Personalized
Vice President of Marketing at Agari
Subject: Hello
Sent from a Mobile Device
Hi
Q2 2019
Are you in your office? Send me
a quick reply if you are free.
Thanks
22Phishing Incident Response Trends
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Employees report an average
of 29,028 phishing incidents
to the security operations
center each year per
organization—a 25% increase
in just 90 days.
KEY FINDINGS
The average time it takes
to triage, investigate, and
remediate reported phishing
incidents jumped to 6.5 hours,
a 35% increase in one quarter.
Costs for the security
Q2 2019
operations center to triage,
investigate, and remediate
employee reported phishing
nearly doubled—exceeding
$8.1 million. 23Incident Response Trends
SOCs See Reported Phishing Attacks Jump 25%
In today’s threat environment, there is no possible way to completely remove the risk that an employee
will fall for a phishing email designed to defraud the company or steal sensitive information as part of a
data breach. During the first quarter of 2019, the time required for security operations centers (SOCs)
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
to respond to employee-reported phishing attacks spiked 32% in just 90 days.
For US-based companies, this matters—a lot. Today, the average cost of a breach is approaching $8 million, and the probability of falling
victim to a breach is now 14% per year, according to Ponemon Institute. And it’s getting worse, in part because of the very mechanism
businesses are putting in place to mitigate the issue.
The Unexpected Consequences of Employee-Reported Phishing Attacks
In addition to security awareness training and phishing simulations, the vast majority of businesses have provided employees with the
ability to report suspected phishing emails. It is critical to understand how to leverage this threat feed to discover and contain breaches
before data is exfiltrated.
All too often, employee-reported phishing emails end up flooding SOCs with more incidents to triage, investigate, and remediate than
they can handle. As a result, it has become critically important for businesses to find ways to streamline and automate these processes.
Otherwise, the time it takes to discover and resolve breaches will only grow longer—while valuable data, intellectual IP, and other important
business information is exfiltrated by cybercriminals.
Inside the ACID Phishing Incident Response Survey
Every quarter, ACID surveys SOC professionals at 280 organizations ranging in size from 1,000 employees to 209,000 employees in order to get a
Q2 2019
read on incident response issues. This quarter’s survey participants include 176 respondents based in the United States, and 84 in the United Kingdom.
The survey asks a series of questions regarding employee-reported phishing—including reporting mechanism, volume, false positive rate,
existing tools for phishing incident response, and time required to investigate phishing. This section of the Q2 2019 Email Fraud and Identity
Trends report highlights analysis of the responses to these questions. 24Employee Empowerment Evolves
Organizations Change Tactics for Employee Reporting
Ninety-five percent of this quarter’s survey respondents report employees in their organizations have the ability to report phishing attacks,
often via a convenient button and/or abuse inbox for forwarding suspicious messages to the security team.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
While this is down 3% quarter-over-quarter, a growing number of organizations are adopting phishing simulations to test employees’ ability
to detect a phishing incident after participating in security awareness training. A full 92% of this quarter’s survey respondents report their
organizations use such simulations, up 4% from the previous quarter. In most cases, these simulations are implemented via an outside
vendor to provide an objective assessment of security vulnerabilities.
Training Employees to Report Phishing
5% 8%
No Ability to Report No
Ability to Phishing
Report Simulation
Phishing Adoption
Q2 2019
95% 92%
Ability to Report Phishing Yes
25Catching Phish
How Employees Report Suspected Attacks
Most companies offer multiple reporting methods, including filing a help desk trouble ticket, using the native email client phishing button, or
implementing a third-party client such as the KnowBe4 phishing button. But today, the most common mechanism available to employees
to report phishing is an abuse@company.com inbox.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Whether the phishing incident is reported through an inbox or a phishing button, the phishing email itself is forwarded to some
combination of a security operations center or help desk support center, for investigation and remediation. In some cases, the mail platform
(Microsoft Office 365 or Gmail) or phishing simulation vendor also receives a copy of the reported phishing messages.
Employee Options to Report Phishing (Global)
70
63%
58%
60
50
45%
40 37%
30
20
Q2 2019
10
5%
0%
0
Forward to Contact Email Client Email Client No Ability Other
Abuse Email Help Desk (Native) (Third-Party to Report
Address Directly Vendor)
26Employee-Reported Incidents: Volume and Accuracy
With so much empowerment, training, and testing designed to help employees recognize and report phishing incidents, just how many
suspected attacks are reported? What about accuracy?
Based on the results to this quarter’s survey, respondents report roughly 29,028 phishing incidents per organization on an annual basis,
with a slightly lower number of phishing incidents in UK-based companies.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Volume Per Organization of Phishing Incidents
Average Number of Reported Phishing Incidents
Distribution of Annual Reported Phishing Incidents (Global)
Per Organization Annually
30000 30%
30%
25000 25% 26%
20000 20%
20%
19%
15000 15%
10000 10%
5000 5% 6%
0 0%
US UK Global 60000
Q1 Q2
Q2 2019
In all, 56% of respondents reported a number of phishing incidents ranging from 12,000 to 36,000 per year.
27Employee-Reported Incidents: False Positive Rate Rises 10%
The emails employee report are not always true phishing incidents. Security training often encourages users to report any suspicious email.
As a result, spam, unwanted marketing emails, as well as legitimate email messages are often reported as phishing—even when they are
not. In the first quarter of 2019, the false positive rate for employee-reported phishing incidents climbed 10% on a global basis. In the United
States, the rate rose from 49% to 56%, while the United Kingdom saw a 3% decline over ninety days.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Employee-Reported Phishing False Positive Rate
Employee Reported Phishing False Positive Rate
60%
30%
55% 56%
50% 26% 52%
40%
30%
20%
10%
0%
Global US UK
Q2 2019
28Time Required for Triage, Investigation, Forensics, and Remediation
Reports Alerts Incidents
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Phish Reporting SOC Triage Forensic Analysis
Forensic Incident
Incident Remediation
Remediation
Employees
Employeesreport
report SOC
SOChandles
handlesreports,
reports, SOC Analyst
SOC Analyst SOCSOC
works withwith
works
suspect
suspect message
message using
using filtering out
filtering obvious
out obvious determines levellevel
determines Messaging
Messagingtotoaddress
address
phish phish
buttonbutton false false
positives
positives of impact
of impact incidents
incidents
PROBLEM: PROBLEM: PROBLEM: PROBLEM:
Employee reports are The tools & workflow Understanding level of Remediation often
Eachnoisy and phishing
quarter’s survey participants are for managing
asked: these
For employee impact
phishing reports, how involves usingon average doesinvolves
much time it take amultiple
SOC analyst to
training makes the reports are crude and lots of cutting &
triage, investigate, and remediate?” both in terms of true phishing incidents and false positive reports. groups and there isn’t
problem worse for inefficient—often just pasting across multiple effective data sharing
the SOC an Outlook mailbox forensic tools between them
40 ©2019 Agari Data, Inc. All rights reserved. Confidential and Proprietary.
Q2 2019
29Response Times Climbing Fast
On a global basis, the overall average across all phishing incidents is now 6.5 hours to triage, investigate, and remediate. That number is up
32% from 4.9 hours in the course of ninety days. In the United States, the rate is up 1.86 hours, while in the United Kingdom, the rate is up
by nearly a full hour.
On average, SOC analysts now spend 5.58 hours triaging a false positive, compared to 3.96 hours in the previous quarter. And they spend
an average 6.64 hours triaging, investigating, and remediating a valid phish—an increase of .76 hours during the same time period.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Average Time per Phishing Incident to Triage. Investigate, and Remediate
Average Time Per Phishing Incident to Triage, Investigate, and Remediate
8
7
7.20
6.64
6
True Phish
5.78
5 5.58 5.45
5.16
False Positive
Hours
4
3
2
1
0
Global US UK
The triage process generally involves a quick investigation of the sender domain and address, included links, and attachments to determine
Q2 2019
if the message is potentially malicious. This process is often manual, requires multiple third-party tools, and involves the judgement of the
analyst—something that is not always 100% reliable.
30SOC Staffing Snapshot
Headcount Needs Nearly Double in 90 Days
In the face of this continuous barrage of phishing incidents, the Average Avg.
Number
Number of SOC
of SOC Analysts
Analysts Employed
Employed
average number of SOC analysts per organization hit 14.6 in the first
quarter of 2019—up from 12.5 quarter-on-quarter. 20
30%
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
55%
More than 90% of organizations report having at least one
dedicated SOC analyst. Not surprisingly, the analysis showed a 15 15.9
14.6
strong correlation between company size, the number of phishing
# of Analysts
incidents, and the number of SOC employees. 12.0
10
For example, 41% of organizations with more than 10,000 employees
have 20 or more SOC analysts. The same is true of organizations
with 60,000 or more phishing incidents per year. 5
The Q2 Staffing Gap
0
Based on the average number of phishing incidents and the average Global US UK
time to remediation (6.5 hours), the average SOC needs 90 analysts
to handle the number of phishing incidents per company. Given that
the average number of SOC analysts in our survey is 14.6, there is
a widening staffing gap of at least 76 full-time equivalents (FTEs).
This gap currently results in organizations failing to detect phishing
incidents, which opens each organization to the possibility of
breaches or fraud.
Q2 2019
31Data Breach Economics
Risk Reductions from Automation
Today, the entry point for 96% of all data breaches is well-targeted email, according to the 2018 Verizon Data Breach Investigations Report
(DBIR). The average cost of a data breach in the United States is now $7.9 million, and organizations face an average 14% probability of
suffering a breach within the next year, according to Ponemon Institute. If you multiply the average breach cost of $7.9 million by the
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
probability of 14%, the annual breach risk is $1.1 million.
60%
40%
Discovery
20% Exfiltration
0%
Seconds Minutes Hours Days Weeks Months Years
Source: 2018 Verizon DBIR
Meanwhile, the Verizon DBIR finds that the average data breach results in exfiltration of data within minutes or hours—while the average
time-to-discovery takes months. This is likely a symptom of understaffed and inefficient SOC processes for handling phishing incidents.
Ideally, SOC analysts would be able to triage, investigate, and remediate reported phishing incidents within minutes, enabling the business
to remediate the compromise and contain the breach.
Q2 2019
32Q2 Automation Index
As part of our quarterly phishing incident response survey, we asked respondents how much reducing the response time required for
phishing incident response would reduce their breach risk. Overall, this quarter’s respondents felt their business could reduce breach risk by
an average 51% by automating the process of phishing incident response.
In the United States, that figure rose 2% from the previous quarter, to an average 53% reduction in breach risk, while in the United Kingdom,
estimates dropped 3% during the same period, to an average 45% reduction.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
On a global basis, a 51% reduction in breach risk would result in a $561,025 decrease in annual breach risk for the average business.
Risk Reduction Due to Automated
Phishing
Risk Reduction Due to Incident Response
Automated Phishing Incident Response
60%
30%
50% 26% 53%
51%
45%
40%
30%
20%
10%
0%
Q2 2019
Global US UK
33Totaling It Up
The Cost of Manual Response vs. the Savings from Automation
Based on the data captured in this quarter’s phishing incident response survey, it’s possible to establish the variables needed to estimate
the cost of manually handling phishing incidents, average breach risk, and the potential cost savings of automating the process.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
6.5 Hours per Phishing Incident x 29,000 Incidents = 188,500 Hours of SOC Analyst Time
SOC ANALYST
COSTS
188,500 Hours ÷ 2080 FTE Hours per Year = 90 FTEs
90 FTEs x $90,000 per FTE = $8.1M
SOC ANALYST
SAVINGS
$8.1M – 90% SOC Time Savings = $7.29M Savings
BREACH RISK $7.9M Average Breach Loss x 14% Probability of Breach = $1.1 M Breach Risk
REDUCTION $1.1 M Breach Risk – 51% Risk Reduction = $561,000 Breach Risk Reduction
TOTAL
SAVINGS
$7.29M SOC Analyst Time Savings + $561,000 Breach Risk Reduction = $7.85M Total Savings
To calculate a custom ROI for your organization, visit agari.com/roi
Using averages for all variables, the detailed calculations above show a total annual cost to the SOC of $8.1 million and an average annual
breach risk of $1.1 million—for a total cost $9.2 million per company. By implementing automated phishing incident response processes that
Q2 2019
reduce the time to triage, investigate, and remediate phishing incidents by 90%, and the time to discover and remediate data breaches by
up to 51%, organizations could save $7.29 million in SOC costs and $561,000 in breach risk—for a total savings of $7.85 million.
34Customer Phishing and DMARC Trends
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
By the end of March, ACID
identified 6.75 million
domains with valid DMARC
records, up roughly 1%
KEY FINDINGS
quarter-over-quarter.
Germany is the #1 region
responsible for raw domains
with DMARC records, though
the United States took the
top prize for the percentage
of domains at a reject policy.
Q2 2019
Only 25% of domains are
configured to send email, with
DMARC settings on the vast
majority set to monitor-only. 35DMARC Adoption Snapshot
The Industry’s Largest Ongoing Study of Adoption Rates Worldwide
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an open standard email
authentication protocol that helps businesses protect their brands and domains from being used to send
fraudulent phishing emails. In a snapshot of more than 328 million Internet domains—the largest of any
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
industry survey—we break down the state of DMARC implementation worldwide from January 1 through
March 31, 2019.
Take Control of Your Domains Domains with DMARC Policies
DMARC gives brands control over who is allowed to send emails on
their behalf. It enables email receiver systems to recognize when an 8,000,000
email isn’t coming from a specific brand’s approved domains, and
gives the brand the ability to tell the email receiver systems what to 7,000,000
do with those unauthenticated email messages.
6,000,000
Failing to implement DMARC at p=reject results in an easily identifiable
5,000,000
vulnerability. Cybercriminals often spoof domains in order to send
large volumes of phishing attacks targeting the domain owner’s
4,000,000
customers and partners. The ripple effect can be significant.
The domain may suffer reputational damage, resulting in being 3,000,000
blacklisted by some receiver infrastructures, or experience reduced
deliverability rates for legitimate email, hurting email-based revenue 2,000,000
streams. The effects may first show up in complaints that outgoing
Q2 2019
emails aren’t reaching recipients, often bouncing or being filtered by 1,000,000
spam filters.
0
Aug 2017 Sept 2018 Dec 2018 Mar 2019
For more information on DMARC and the benefits of adoption, visit agari.com/dmarc-guide Monitor (p=none) Quarantine Block (p=reject)
36Brands looking to deploy DMARC are advised to start with DMARC p=none and work up to p=reject through a well-defined DMARC
implementation plan. When enforcement policies are set properly, DMARC has been shown to drive down phishing rates impersonating
brands to near zero.
The Picture Grows Sharper
By crawling the entire public Internet domain space representing over 328 million domains, ACID was able to generate its latest snapshot
of DMARC implementation rates worldwide from January through March 2019. Overall, there was continued growth in the DMARC adoption
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
rate, but at a much slower pace than the previous quarter.
Q2 2019
37Q2 Scorecard
Vendors and DMARC Service Providers
Each quarter, we assess how vendors and DMARC service providers are helping organizations use
DMARC to protect their domains from email impersonation scams. The size of our dataset offers an
unprecedented view into the number of domains for which vendors have established DMARC records,
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
as well as how many of those records have been set to the highest enforcement level of p=reject. This
combination of data points offers a snapshot of market share and success rates for each of these vendors.
How the Scorecard Works
As a shorthand to determining a market share figure, we tabulated the number of times specific, well-known DMARC implementation
vendors were specified as a recipient of reporting feedback via DMARC. The “rua” field that accepts an email address to receive aggregate
DMARC data reports is a good proxy for this calculation. With this email address, the DMARC vendor typically accepts, parses, and
visualizes the data on behalf of the customer. We included active vendors with more than 1,000 domains reported.
Q2 Vendor Rankings by Total Share of Domains and Percentage of Domains with Reject Policies
The chart shown on the next page provides a basic ranking of top vendors, corresponding to the number of domains that specify that
particular vendor in the “rua” field. We then apply a second filter indicating the all-important percentage of domains at the highest possible
DMARC enforcement policy setting of p=reject for each vendor, which is the policy level that will block phishing messages.
Quarter-over-quarter, there was some movement in overall vendor rankings, with slight improvements for some second tier vendors in
terms of the total percentage of domains with DMARC set at its top enforcement level.
Q2 2019
38Assessing Vendor Attributes
THE SWEET SPOT: Category-leading vendors achieve that perfect combination of a large number of domains serviced across a wide
range of industries matched with high levels of top enforcement policy implementation. Finding a company that has high marks in both is
essential for those organizations looking to see success with DMARC implementation.
HIGHER QUANTITIES CAN SEE LOWER ENFORCEMENT: The “Goldilocks” ratio can be harder to achieve for mid-tier vendors, which
tend to struggle with the ratio of domains they service and what percentage of those records they succeed at converting to the highest
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
enforcement policies. Category leaders with high numbers of enterprise clients can face this challenge as well, as it is harder to have more
enterprise domains set to reject.
QUALITY VARIES WILDLY: About 315,000 of the domains that deployed DMARC are using a recognized DMARC provider, and about 6
million domains have DMARC deployed without using a major DMARC service provider. When selecting a vendor, enterprises with hundreds
or thousands of domains should consider vendors that have both high numbers of domains and a high-percentage enforcement rate in
order to better ensure success.
DMARC
DMARCPolicy Observations
Policy Observances OverOver Q1 2019
Q2 2019
150000 100%
90%
120000 80%
Domains Managed
# Domains Managed
70%
% Reject Policy
Domains w/ Reject Policy
90000 60%
50%
60000 40%
30%
Q2 2019
30000 20%
10%
0 0%
r
ks
ze
p
an
ox
nt
l
ok
or
Agari
p
ai
ly
oi
ka
ci
lb
iM
w
0
na
fp
ar
o
25
ar
et
l
Va
A
To
oo
m
39
m
N
C
X
D
st
Pr
a
R
M
ud
Po
A
M
c
ra
D
ar
BDMARC Adoption By Geography
As a new feature to the quarterly trends report, ACID is looking at the state of DMARC adoption
by key geographies. As measured by domains for which a country code can be validated, this data
encompasses roughly 50% of our total pool of analyzed domains worldwide.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Germany Ahead in DMARC Records, United States in Enforcement
According to our analysis, Germany leads all survey geographies in registered domains with established DMARC records, accounting for
nearly a sixth of the world’s DMARC records overall, and the vast majority of domains for which a country code can be correlated.
Predictably, given the total volume,
Top DMARC Overall Top 5 P Value = None
Germany also ranks highest in established
1,200,000
DMARC records at the default monitor- DE
only setting. As mentioned earlier, this US
could reflect a high number of domains 1,000,000 NL
that are automatically assigned DMARC FR
records by registrars, even when a large 800,000 ES
percentage of those domains may never 0 1M 2M 3M 4M
be used to send email. 600,000
Top 5 P Value = Reject
Data for the United States paints a 400,000
US
different picture. While it ranks a distant NL
second in the total number of country- DE
200,000
coded domains assigned DMARC records, IE
it is number one in DMARC records with an GB
Q2 2019
established p=reject enforcement policy. 0
DE US NL ES FR GB RU IE TR PL 0 100K 200K 300K 400K 500K
According to industry studies, the United
States is the most heavily-targeted nation
by cybercriminals, which may help to
explain this discrepancy.
40Prominent Trends Across Top Companies
Our quarterly assessment of publicly available adoption data for the Fortune 500, Financial Times
Stock Exchange 100 (FTSE 100), and Australian Securities Exchange 100 (ASX 100), highlighting trends
among prominent organizations across geographies.
AGARI | EMAIL FRAUD & IDENTITY DECEPTION TRENDS
Fortune 500
The Fortune 500 is an annual list compiled and published by Fortune magazine that ranks 500 of the largest United States corporations
by total revenue for their respective fiscal years. The list includes publicly held companies, along with privately held companies for which
revenues are publicly available. It is a good indicator for how security is trending amongst large companies.
During the first quarter of the year, DMARC adoption remained
Fortune 500 DMARC Adoption
tepid, with the largest corporations continuing to implement
email authentication at a measured pace. Even for those that have 3% 7% 10% 11%
100
assigned DMARC records to their domains, the sizable proportion
Reject
of “no record” and “monitor-only” policies dramatically increases
the likelihood of the organization being impersonated in phishing 80 Quarantine
campaigns targeting their customers and other consumers and 23%
businesses. But there has been progress.
60
33% None
DMARC Adoption – Just over 40% of the Fortune 500 with DMARC
records assigned to domains have yet to publish an enforcement 39% No Record
42%
policy. Nonetheless, this is up nearly 5% from December 2018. 40
Quarantine Policy – Over 5% have implemented a quarantine policy
Q2 2019
to send phishing emails to the spam folder, in line with the previous 20
quarter.
73% 59% 46% 42%
Reject Policy – Just over 1 in 10 have implemented a reject policy to 0
Aug 2017 Sept 2018 Dec 2018 Mar 2019
block phishing attempts impersonating their brands. While relatively
low, that’s up roughly 8% from December 2018. 41You can also read
