Threat From Spoofed Emails Grows, While DMARC Implementation Lags

Email remains the biggest single cyber threat to business. Phishing can introduce malware either directly or later via stolen credentials, while BEC scam emails can lead to direct financial loss.

Phishing has two costs. The most obvious is compromise-related, such as January's $240,000 ransom payment by the University of Maastricht following a successful phishing attack (which doesn't include associated clean-up costs). The second is the cost of handling and mitigating incoming phishing emails.

"People tend to snicker when they hear about email scams because they immediately think of the old Prince of Nigeria schemes," comments Patrick Peterson, founder and CEO at Agari. "But those schemes have matured into sophisticated, socially-engineered attacks that equate to billions of dollars in reported fraud loss. Phishing scams are a gateway to money-laundering crimes. So, for the biggest companies in the world to overlook basic cybersecurity measures, like email authentication or automation, is baffling."

Agari's Cyber Intelligence Division (ACID), which concentrates on email threat investigations, has found that 60% of employee-reported suspect emails are false positives. Nevertheless, each report must be triaged and investigated by the security team, which spends time on something that is statistically likely to be benign rather than on more certain threats. The second cost associated with fraudulent emails -- the cost of mitigating them -- comes at the expense of other security tasks.

The figures come from ACID's direct engagement with threat actors, from its analysis of trillions of emails, and from conversations with SOC professionals in six large companies.

Business email compromise (BEC) continues to grow. The latest FBI IC3 report says, "In 2019, IC3 recorded 23,775 complaints about BEC, which resulted in more than $1.7 billion in losses." Agari's figures flesh this out. Gift card scams, where the fraudulent email seeks to persuade a company employee to purchase gift cards ostensibly for other members of staff or business contacts, are the preferred attack.

"During the last three months of 2019, gift cards were requested in 62% of all BEC scams, compared to 56% during the previous quarter," notes the report. The increase is not surprising during the winter holiday season, but seems to be part of a continuing trend. Wire transfer scams also increased from 19% to 22%, while payroll diversion scams fell from around 25% to 16%.

There is another shift within the fraudulent emails. Criminals are increasingly impersonating individuals rather than brands. Thirty-six percent of all phishing attacks impersonate a well-known brand, but this is down 6% on the previous quarter. During the same period, emails impersonating individuals grew from 12% to 31%. The reason is probably simple: an email from a real, possibly known, person will be far more compelling than an 'unsigned' anonymous email.

Agari also notes the growing incidence of what it calls 'vendor email compromise', or VEC. Attackers "are now infiltrating email accounts within one organization to attack organizations throughout its entire supply chain ecosystem," says Agari. The crime group known as Ancient Tortoise, for example, attempts to compromise aging reports from accounts payable teams and then launch attacks on the company's entire customer base using fraudulent invoices or requests for changes to payment details.

The best solution to fraudulent email attacks would be universal adoption of the two standards, DMARC and BIMI. Use of the Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard is increasing but only defends a tiny proportion of the overall internet. "DMARC," explains Agari, "enables email receiver systems to recognize when an email isn't coming from a specific brand's approved domains, and gives the brand the ability to tell email receiver systems what to do with these unauthorized email messages."

DMARC can be installed in any one of three modes: monitor only, quarantine, and reject. Only the reject mode is secure; the quarantine mode is better than nothing but does not guarantee that the target will not see the email; and monitor only is no different to having no DMARC. To put this in context, the number of Fortune 500 companies with a DMARC record assigned to any of their domains has risen from 61% to 66%. However, 44% have DMARC set to no enforcement, and 7% have enforcement set to quarantine. Only 15% have DMARC properly enforced to reject emails that falsely claim to come from one of their domains. Eighty-five percent of Fortune 500 companies are not using DMARC to protect themselves and their customers from fraudulent emails.
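
The three modes correspond to the `p=none`, `p=quarantine` and `p=reject` policy values in the TXT record a domain publishes at `_dmarc.<domain>`. The Python below is an added example, not code from Agari's report or this article: it classifies records by the enforcement they actually deliver, including the `pct` tag that limits a policy to a share of failing mail. The domains and records are constructed samples, and the "partial" labels are this example's own naming.

```python
from collections import Counter

# Constructed sample TXT records, as they would be published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "partial.example": "v=DMARC1; p=reject; pct=25",
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "nodmarc.example": "v=spf1 -all",  # an SPF record, not DMARC
}

MODES = {"none": "monitor only", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Return the record's tag/value pairs, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # A DMARC record must begin with the version tag v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Map one TXT record to the enforcement mode it actually delivers."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no DMARC record"
    mode = MODES.get(tags.get("p", "").lower())
    if mode is None:
        return "invalid policy"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # a malformed pct falls back to the default of 100
    # pct below 100 applies the policy to only a share of failing mail.
    if mode != "monitor only" and pct < 100:
        return "partial " + mode
    return mode

def summarize(records):
    """Count domains per mode, the way an adoption survey would."""
    return Counter(classify(txt) for txt in records.values())

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:20} {classify(txt)}")
    print(dict(summarize(SAMPLE_RECORDS)))
```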

Brand Indicators for Message Identification (BIMI) is less a standard per se than a standardized way by which companies can associate their brand, visibly, with genuine emails. BIMI adoption, says Agari, has increased tenfold since March 2019. It allows companies to display their logos next to emails that have already been verified by DMARC, providing immediately recognizable proof that the email is safe. This helps the consumer, but also helps promote brand awareness of the company concerned.

The email threat is so longstanding and pervasive that it seems to have become part of the landscape. While large organizations can deploy expensive and sophisticated solutions to protect themselves from fraudulent incoming emails, DMARC remains the best solution to protect their customers from phishing attempts that use their brand name to add trust.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.