Email fraud, or business email compromise, is a growing threat that impacts organisations of all shapes and sizes. These highly targeted email attacks, which spoof trusted executives or partners, often don’t include a payload – such as a malicious URL or attachment – which helps them evade traditional security technologies and reach people within organisations. Due to the rise of these attacks and the reported losses to organisations around the world, Proofpoint conducted extensive research for Q3 2017 across thousands of our enterprise customers to better understand the impact, trends, and tactics around email fraud.
Organisations are targeted more often and on more fronts
In Q3, the number of email fraud threats rose, and the average number of attempts with which an organisation was targeted increased 12% over the previous quarter. While companies of all sizes and in all geographic locations are targeted by email fraud, we continue to see that organisations with more complex supply chains (such as manufacturing) and those that rely more heavily on technology are targeted more often. The data also demonstrates that attackers are expanding their reach within companies to target people of varying levels and across broader business units. The average number of people targeted per organisation grew 28% in Q3. Only 15% of organisations have just one person targeted by email fraud – down from 17% in the previous quarter. Wire fraud continues to be the scam of choice, as nearly one in every three (29%) email fraud messages includes some variation of “payment” in the subject line.
89% of organisations were targeted by at least one domain spoofing attack
Domain spoofing, where a message looks like it’s coming from within the organisation (e.g. acme.com), continues to make up a major portion of all email fraud messages, and these types of attacks grew about 5% in Q3. The good news is that domain spoofing attacks are preventable by deploying DMARC (Domain-based Message Authentication, Reporting and Conformance) authentication. In fact, the Department of Homeland Security recently mandated that all civilian federal agencies must deploy DMARC in an effort to protect people from email spoofing attacks. At the time of this mandate, nearly one in every eight emails sent from a federal agency was fraudulent, and only 17% of the agencies under this directive had deployed both SPF and DMARC.
Lookalike domain techniques uncovered
Cybercriminals also register lookalike domains in an effort to perpetuate fraud. Swapping characters is the most common technique used, making up about 41% of all lookalike domains. Examples of character swapping include switching an “I” for a lowercase “L” – which is the most popular form – a “U” for a “V”, an “O” for a “0”, and so on. Fraudsters will also insert an additional character into the domain name to make the email appear to be sent from a legitimate entity. This lookalike domain technique occurred almost 31% of the time in Q3.
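The two techniques described above can be checked for mechanically. The following detector, an added example rather than code from the original post or from Proofpoint, compares a sender domain against a constructed list of trusted domains and reports whether it differs by a single confusable-character swap (I/l, U/V, O/0) or by a single inserted character; the trusted domains and sender samples are constructed for illustration.

```python
"""Flag sender domains that are lookalikes of trusted domains via the two
techniques described in the post: confusable-character swaps and single-character
insertions. Added example; all domains below are constructed samples."""

# Confusable pairs named in the post (I/l, U/V, O/0), compared case-insensitively.
CONFUSABLE_PAIRS = {frozenset(p) for p in (("i", "l"), ("u", "v"), ("o", "0"))}

# Constructed list of domains the organisation trusts (hypothetical).
TRUSTED_DOMAINS = ["example.com", "corp-portal.net"]


def classify_lookalike(candidate, trusted):
    """Return 'character_swap', 'character_insertion', or None for one pair."""
    c, t = candidate.lower().strip("."), trusted.lower().strip(".")
    if c == t:
        return None  # the trusted domain itself, not a lookalike
    if len(c) == len(t):
        # Same length: exactly one differing position, and it must be a confusable pair.
        diffs = [(a, b) for a, b in zip(c, t) if a != b]
        if len(diffs) == 1 and frozenset(diffs[0]) in CONFUSABLE_PAIRS:
            return "character_swap"
        return None
    if len(c) == len(t) + 1:
        # One character longer: deleting a single character must recover the trusted name.
        if any(c[:i] + c[i + 1:] == t for i in range(len(c))):
            return "character_insertion"
    return None


def flag_sender_domain(domain, trusted_domains=TRUSTED_DOMAINS):
    """Return (trusted_domain, technique) for the first match, else None."""
    for trusted in trusted_domains:
        technique = classify_lookalike(domain, trusted)
        if technique:
            return trusted, technique
    return None


if __name__ == "__main__":
    # Constructed sender domains, as they might appear in message headers.
    for sender in ["exampIe.com", "exaample.com", "c0rp-portal.net",
                   "exarnple.com", "example.com"]:
        print(sender, "->", flag_sender_domain(sender))
```

The check is deliberately narrow: it ignores multi-character tricks such as "rn" for "m" and non-ASCII homoglyphs, and "exarnple.com" in the sample list is left unflagged to make that limit visible.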
Despite large commitments to security, email fraud is on the rise. Cyber criminals are becoming more advanced. They are successfully evading traditional security solutions, leaving your people as the last line of defence. Email fraud tactics and approaches are always changing. That’s why you need a multi-layered defence that includes:
- DMARC email authentication. Block all impostor email attacks that spoof trusted domains.
- Dynamic classification. Analyse the content and context of the email and stop display-name and lookalike domain spoofing at the email gateway.
- Data loss prevention. Prevent sensitive information, such as W2s, from leaving your environment.
- Lookalike domain discovery. Identify and flag potential risky domains outside of your control.