Email Fraud Continues to Expand its Footprint in Q3 2017

November 11, 2017
Ryan Terry

Email fraud, also called business email compromise (BEC), is a growing threat that affects organizations of all shapes and sizes.  These highly targeted email attacks spoof trusted executives or partners and often carry no payload, such as a malicious URL or attachment, which helps them evade traditional security technologies and reach people inside the organization.  Because of the rise of these attacks and the losses reported by organizations around the world, Proofpoint conducted extensive research for Q3 2017 across thousands of our enterprise customers to better understand the impact, trends, and tactics of email fraud.

Organizations are targeted more often and on more fronts

In Q3 the number of email fraud threats rose, and the average number of attempts an organization was targeted with increased 12% over the previous quarter.  While companies of all sizes and in all geographic locations are targeted by email fraud, we continue to see that organizations with more complex supply chains (such as manufacturing) and those that rely more heavily on technology are targeted more often.  The data also shows that attackers are expanding their reach within companies, targeting people at varying levels and across broader business units.  The average number of people targeted per organization grew 28% in Q3.  Only 15% of organizations had just one person targeted by email fraud, down from 17% in the previous quarter.  Wire fraud continues to be the scam of choice: nearly one in every three email fraud messages (29%) includes some variation of "payment" in the subject line.

89% of organizations were targeted by at least one domain spoofing attack

Domain spoofing, where a message is made to look as if it comes from the organization's own domain (e.g. acme.com), continues to make up a major portion of all email fraud messages, and these attacks grew about 5% in Q3.  The good news is that domain spoofing is preventable by deploying DMARC (Domain-based Message Authentication, Reporting and Conformance) authentication.  DMARC builds on SPF and DKIM: the domain owner publishes a policy in DNS telling receivers to quarantine or reject any message whose visible From domain is not backed by an SPF or DKIM result for an aligned domain.  Note that DMARC only protects the exact domain that publishes the policy; it does nothing against lookalike domains or a forged display name.  In fact, the Department of Homeland Security recently mandated (in Binding Operational Directive 18-01) that all civilian federal agencies deploy DMARC to protect people from email spoofing attacks.  At the time of this mandate, nearly one in every eight emails sent in the name of a federal agency was fraudulent, and only 17% of the agencies under the directive had deployed both SPF and DMARC.
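To make the DMARC mechanism concrete, the following is an added example (not Proofpoint's code and not part of the original post) of what a receiving mail server does with a published DMARC record: look it up, test whether SPF or DKIM passed for a domain aligned with the visible From domain, and fall back to the owner's p= or sp= policy when neither did. The DNS records, domains and messages are constructed for the example; a real implementation resolves `_dmarc.<domain>` TXT records over DNS and uses the Public Suffix List to determine organizational domains rather than the last-two-labels shortcut used here.

```python
"""DMARC policy lookup and alignment check.

Added example, not Proofpoint's code. It shows what a receiving mail server
does with the DMARC record a domain owner publishes: look it up, check whether
SPF or DKIM passed for a domain *aligned* with the visible From domain, and
apply p= / sp= when neither did. The DNS records and messages below are
constructed for the example; a real implementation resolves _dmarc.<domain>
TXT records and uses the Public Suffix List to find organizational domains.
"""

# Constructed TXT records, keyed by the name a receiver would query.
FAKE_DNS = {
    "_dmarc.acme.com": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@acme.com",
    "_dmarc.strict.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
    "_dmarc.monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict with RFC 7489 defaults applied."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag and p= is mandatory.
    if not record.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p= by default
    return tags


def org_domain(domain):
    """Organizational domain. Simplification: last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Is the authenticated domain aligned with the From domain? mode is 's' or 'r'."""
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=FAKE_DNS):
    """Return (disposition, reason) for one message.

    from_domain: domain of the RFC5322.From header (what the victim sees).
    spf_result/spf_domain: SPF outcome ('pass'/'fail') and the MAIL FROM domain it checked.
    dkim_result/dkim_domain: DKIM outcome and the d= domain of the verified signature.
    disposition is 'pass', 'none', 'quarantine' or 'reject'.
    """
    from_domain = from_domain.lower()
    record_domain = from_domain
    record = dns.get("_dmarc." + record_domain)
    if record is None:  # no record on the exact domain: fall back to the organizational domain
        record_domain = org_domain(from_domain)
        record = dns.get("_dmarc." + record_domain)
    if record is None:
        return ("none", "no DMARC record published for " + from_domain)
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " authentication")
    # Neither mechanism passed for an aligned domain: apply the domain owner's policy.
    policy = tags["p"] if record_domain == from_domain else tags["sp"]
    return (policy, "no aligned SPF or DKIM; applying published policy " + policy)


if __name__ == "__main__":
    # Constructed messages: (description, From domain, SPF, SPF domain, DKIM, DKIM domain)
    messages = [
        ("attacker spoofs acme.com from their own MTA", "acme.com", "pass", "attacker.example", "fail", None),
        ("legitimate acme.com mail", "acme.com", "pass", "acme.com", "fail", None),
        ("acme.com subdomain signed by acme.com (relaxed)", "mail.acme.com", "fail", "esp.example", "pass", "acme.com"),
        ("strict alignment rejects a subdomain From", "news.strict.example", "fail", None, "pass", "strict.example"),
        ("lookalike domain with no record: DMARC is silent", "acme-inc.com", "pass", "acme-inc.com", "fail", None),
        ("monitor-only domain: spoof is reported, not blocked", "monitor-only.example", "pass", "attacker.example", "fail", None),
    ]
    for desc, *args in messages:
        print("%-55s -> %s (%s)" % (desc, *evaluate(*args)))
```

Two of the constructed cases show the limits the text alludes to: the spoof of `monitor-only.example` gets disposition `none` because the owner published p=none (reporting only), and the lookalike `acme-inc.com` gets no DMARC verdict at all because it is not acme.com; the attacker who registered it can even publish a valid DMARC record for it.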

Lookalike Domain techniques uncovered

Cybercriminals also register lookalike domains to perpetrate fraud.  Swapping characters is the most common technique, accounting for about 41% of all lookalike domains.  Examples include substituting an uppercase "I" for a lowercase "l" (the most popular form), a "U" for a "V", an "O" for a "0", and so on.  Fraudsters also insert an additional character into the domain name to make the email appear to come from the legitimate entity; this technique accounted for almost 31% of lookalike domains in Q3.
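Since DMARC does not cover these domains, defenders typically flag them by comparison against the domains they want to protect. The following is an added example (not Proofpoint's code and not from the original post) of such a check: it canonicalises the characters fraudsters swap for one another (I/l/1, O/0, U/V, and the digraphs rn/m and vv/w) and then measures edit distance, so a sender domain that is one character away from a protected domain is flagged and labelled with the technique used. The protected domains and sender domains are constructed for the example, and the last-two-labels shortcut for the registrable domain stands in for a Public Suffix List lookup.

```python
"""Lookalike-domain classifier.

Added example, not Proofpoint's code. Given a list of protected domains, it
canonicalises the characters that fraudsters swap for one another (I/l/1,
O/0, U/V, rn/m, vv/w) and then measures edit distance, so that a sender
domain one character away from a protected domain is flagged and labelled
with the technique used. Protected domains and senders below are constructed.
"""

# Characters and digraphs commonly swapped for one another, mapped to one canonical form.
HOMOGLYPHS = {"0": "o", "1": "l", "i": "l", "|": "l", "v": "u", "5": "s", "3": "e"}
DIGRAPHS = {"rn": "m", "vv": "w", "cl": "d"}


def normalize(domain):
    """Lower-case a domain and collapse homoglyphs so lookalikes compare equal."""
    s = domain.lower()
    for digraph, canonical in DIGRAPHS.items():
        s = s.replace(digraph, canonical)
    return "".join(HOMOGLYPHS.get(c, c) for c in s)


def edit_distance(a, b):
    """Levenshtein distance (substitutions, insertions and deletions each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Registrable domain. Simplification: last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().strip().rstrip(".").split(".")[-2:])


def classify(sender_domain, protected):
    """Return (verdict, protected_domain) for a sender domain.

    'exact'        the sender domain *is* a protected domain (leave that to DMARC)
    'homoglyph'    identical after canonicalising swapped characters (I/l, O/0, rn/m ...)
    'insertion'    one extra character            'deletion'  one missing character
    'substitution' one character replaced         'unrelated' none of the above
    """
    cand = registrable(sender_domain)
    for prot in (registrable(p) for p in protected):
        if cand == prot:
            return ("exact", prot)
        n_cand, n_prot = normalize(cand), normalize(prot)
        if n_cand == n_prot:
            return ("homoglyph", prot)
        if edit_distance(n_cand, n_prot) == 1:
            if len(n_cand) > len(n_prot):
                return ("insertion", prot)
            if len(n_cand) < len(n_prot):
                return ("deletion", prot)
            return ("substitution", prot)
    return ("unrelated", None)


if __name__ == "__main__":
    PROTECTED = ["acme.com", "globalbank.com"]  # constructed
    for sender in ["acme.com", "acrne.com", "acmee.com", "acne.com", "acme.co",
                   "g1obalbank.com", "gIobalbank.com", "globa1bank.com", "acme-inc.com"]:
        print("%-16s -> %s" % (sender, classify(sender, PROTECTED)))
```

The distance threshold of 1 is deliberate: it catches the single-character swaps and insertions described above while keeping false positives low, but it misses longer additions such as `acme-inc.com`, which need a separate rule (for example, the protected brand appearing as a token inside a newly registered domain). Note also that canonicalising "i" to "l" means a legitimate domain like `mail.example` and a lookalike `mall.example` compare equal; that is the intended trade-off for a detector that feeds a review queue rather than an automatic block.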

Proofpoint has a comprehensive solution to fight email fraud

Email fraud continues to expand its reach, and attackers continue to shift their approach.  Proofpoint helps organizations stop all forms of email fraud with a comprehensive, multi-layered solution.

To learn more about the email fraud landscape, read the full quarterly threat update here: www.proofpoint.com/us/resources/threat-reports/quarterly-email-fraud-report

For more information about how to stop impostor email attacks before they reach the inbox, please visit: www.proofpoint.com/us/solutions/email-fraud