Account takeover-based (ATO) attacks now comprise 20 percent of advanced email attacks, according to Agari’s Q1 2019 Email Fraud & Identity Deception Trends report. ATO attacks are dangerous because they are more difficult to detect than traditional attacks – compromised accounts seem legitimate to email filters and end users alike because they are sent from a real sender’s email account.

“Credential phishing was already a huge risk for organizations because of the potential for data breach, but now there is a new wave of account takeover attacks leveraging compromised accounts to commit additional fraud, which evade traditional email security controls,” said Crane Hassold, Sr. Director of Threat Research, Agari. “Business email compromise attacks are still very active, especially against C-suite targets.”

Advanced email attacks

Brand impersonation remains the most common attack vector, used in 50 percent of advanced email attacks in the fourth quarter of 2018—with Microsoft impersonated in 70 percent of these instances. Microsoft is a common target for credential phishing because Office 365 accounts can be used in subsequent ATO attacks.

A different pattern emerges for executive targets: one-third (33 percent) of advanced email attacks against C-level employees use display name deception that impersonates an individual—a common tactic for business email compromise (BEC) attacks, which frequently target CFOs.

Impersonation of the U.S. Internal Revenue Service surged in the fourth quarter as tax season approached. The IRS was impersonated in nearly one in ten attacks, up from less than one percent in the July-to-September quarter. W-2 scams are common in the runup to tax season, as criminals use phishing emails and social engineering to request a corporation’s W-2 files, which contain social security numbers, salaries and other confidential data that can be used to commit tax fraud or identity theft.

DMARC adoption

Adoption of DMARC, an email authentication standard, grew steadily during Q4 with a 15% increase in total DMARC records compared to Q3 ‘18. As the number of valid Internet domains has increased from 283 million to 323 million during this Q1 report, DMARC adoption among these domains increased from 5.3 million to 6.1 million.

Among the Fortune 500, DMARC adoption was only 54 percent, up from 51 percent three months ago.

The impact of phishing incident response

In a survey of more than 300 businesses in the U.S. and U.K., Agari determined that employees at the average company report 23,053 phishing incident reports per year—yet 50 percent are false positive reports. Responding to a phishing incident takes an average of 353 minutes (almost six hours); and even false positives take an average of 238 minutes (four hours).

All of these reports and hours add up—at a cost of $253 per phishing incident—or more than $4.3 million per year in SOC costs to required to triage, investigate and remediate phishing incidents.

“Many organizations’ security operations teams report that their work around investigating suspected phishing emails is heavily repetitive and requires many meticulous steps, such as checking multiple blacklists and different IT systems within the company,” reports Gartner Research VP and Distinguished Analyst Anton Chuvakin and VP Analyst Augusto Barros in Preparing Your Security Operations for Orchestration and Automation Tools, in February 2018.