Our quarterly analysis finds that business email compromise and brand impersonation scams continue to evolve at a relentless pace, and could even put major US presidential candidates at risk.

Download the report for our latest statistics, including:

  • Nearly 30% of BEC attacks now originate from compromised accounts
  • Employee-reported phishing attacks reaching SOCs surge 25%
  • DMARC adoption rises, but 90% of the Fortune 500 are still unprotected
  • Over 90% of current presidential candidates remain unprotected against email threats


Executive Summary

Quarterly analysis from the Agari Cyber Intelligence Division (ACID) finds business email compromise (BEC), spear phishing, consumer-targeted brand impersonation scams, and other advanced email threats continue to evolve at a relentless pace, and could even put major US presidential candidates at risk from attacks targeting their staff and their voters as the 2020 election cycle ramps up.

Email Hacking: 2016 Redux, or Something Far Worse?

Despite lessons learned from the hacking of Clinton campaign chairman John Podesta’s email account and subsequent release of sensitive emails on WikiLeaks, little progress has been made since the 2016 US presidential election. As the 2020 election cycle revs up, campaigns are still struggling with email security, primarily because few of the current and most prominent candidates have dedicated staff or resources to implement effective defenses. In fact, over 90% of the current presidential contenders rely on the easily bypassed security controls built into their email platforms—almost exclusively Google Suite and Microsoft. While these controls offer basic defenses, they won’t protect against the kind of advanced email attacks likely to target campaign staff.

And that’s not the only kind of email threat candidates should fear. As of April 29, ACID analysis of domain data indicates only one of the leading candidates polling over 1%—Massachusetts Senator Elizabeth Warren (D)—has a DMARC record established for their domains with a policy that would prevent the campaign or the candidate from being impersonated in emails targeting donors, voters, and others. Given the stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of world-class hackers, especially as more than 90% of the leading candidates remain wide open to attack.

Nearly 30% of BEC Attacks Now Originate from Compromised Email Accounts

ACID analysis finds continued volatility in the identity deception tactics used by cybercriminal organizations behind a growing number of BEC scams. The percentage of all phishing attacks employing identity-deception tactics that use a display name intended to impersonate a trusted individual or brand has dropped to 53%, but most troubling has been the steady increase in the use of compromised email accounts. From January through March 2019, 27% of all identity-deception attacks were launched from compromised accounts. That’s an increase of nearly 30% in just 90 days, making this the second-most prevalent identity-deception technique. Because phishing attacks launched from compromised accounts are by far the hardest to detect and disrupt, they are especially effective at defrauding the rightful owners of the account—as well as targeted businesses.

Employee-Reported Phishing Attacks Reaching SOCs Surge 25%

According to the Q2 ACID Phishing Incident Response Survey of 176 SOC professionals at 325 organizations with 1,000+ employees, the number of employee-reported phishing attacks climbed 25% in the past quarter—increasing the total volume of incidents corporate security operations centers (SOCs) must remediate to an average of more than 29,000 annually. During this same period, the time needed to triage, investigate, and remediate each incident rose to an average of 6.5 hours. While the number of SOC analysts increased to 14, the gap between the number of analysts needed (90) and the actual number of analysts widened.

DMARC Adoption Rises a Tepid 1% While 90% of Fortune 500 Remains Unprotected

By the end of March 2019, ACID identified 6.75 million domains with valid DMARC records out of 328 million total domains examined as part of the industry’s largest ongoing study of DMARC adoption worldwide. Germany ranks first in raw domains with established DMARC records, though the United States maintains the highest percentage of domains with DMARC records with a reject policy. Overall, the number of domains with DMARC records rose 1%, a much slower rate of growth than in the previous quarter. This leaves the vast majority of the world’s most prominent companies vulnerable to email-based impersonation attacks targeting their customers, partners, and other businesses—including nearly 90% of the Fortune 500.

Inside this Report

In this quarterly report, we examine trends in phishing and email fraud perpetrated against businesses and their customers.

For the first time ever, we also begin tracking both Domain-based Message Authentication, Reporting and Conformance (DMARC) and Advanced Threat Protection adoption among presidential candidates seeking their parties’ nominations heading into next year’s 2020 US elections. This report includes a look at which campaigns may be most vulnerable to email-based impersonation scams that can damage candidates’ reputations, operational effectiveness, fundraising efforts, and even national security.

Also included are the results from our quarterly survey on the impact of phishing incident response in the enterprise, and the burden and cost for a security operations center (SOC) team to respond to employee-reported emails. The statistics presented here reflect information captured from the following sources from January through March 2019:

  • Analysis of 2020 Presidential campaign email vulnerability based on DNS and MX record information
  • Data extracted from the 300 million+ daily model updates by the Agari Identity Graph™
  • DMARC-carrying domains identified within the 328 million+ domains crawled
  • Insights captured from a phishing incident survey of more than 250 cybersecurity professionals

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigation. ACID supports Agari’s mission of protecting communications so that humanity prevails over evil. The ACID team uncovers identity deception tactics, criminal group dynamics, and relevant trends in advanced email threats. Created by Agari in 2018, ACID helps to impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.
