Email Fraud: Why one of the World’s Oldest Email Threats Continues to Be Very Successful

April 17, 2018
Ryan Terry

Why is email fraud—one of the oldest and most widely known scams, in which a fraudster spoofs a trusted identity in an effort to steal money or valuable information—still so pervasive today? You have likely seen one of these email tricks that seem too far-fetched to work and thought to yourself, “How could anyone fall for this?”

Yet email fraud—or business email compromise (BEC)—attacks are currently stealing billions of dollars from organizations around the world, and the frequency with which companies are targeted continues to skyrocket.

In a recent survey commissioned by Proofpoint, 75% of organizations said they were targeted at least once by email fraud over the last two years and 41% indicated being targeted multiple times. And these numbers are getting worse, not better. Proofpoint’s latest email fraud report shows that the number of companies targeted by at least one email fraud attack steadily rose in 2017, reaching a new high of 88.8% in Q4 2017.

Cybercriminals have figured out that tricking people, rather than technologies, is an approach that can yield high rewards. And despite the fact that organizations are implementing internal training and new protocols aimed at protecting employees, people continue to fall for email scams. There are several factors that go into why email fraud is still very successful, but here are two fundamental reasons organizations haven’t solved this problem yet:

1. Attackers are targeting a wide range of people at all levels of the organization.

The Employees

While CEO-to-CFO spoofing attacks are still prevalent, attackers are becoming more sophisticated with the number of identities they take on (average of 10) and the number of employees they target (average of 13) within a given organization. They are targeting people deeper within organizations and across more business functions.

The Customers

Attackers use an organization’s brand and reputation to trick people into giving up something valuable. And while the organization itself did not do anything malicious, the general public will blame them for not implementing the right protocols to prevent these attacks, impacting their goodwill and their bottom line.

The Partners

More and more, we’re seeing criminals insert themselves into an organization’s supply chain, posing as a partner or vendor, and asking for future payments to be made to fraudulent accounts.  These partner spoofing attacks are much more difficult to detect and block and are typically realized much later when the business on the other end complains that they have not received payment.

2. Attackers have several tactics they can use to avoid being blocked.

Display Name Spoofing: “Company <person@company.com>”

Display name spoofing changes the visual cue of who the email appears to come from (the display name is arbitrary text chosen by the sender) and can be stopped using dynamic email classification capabilities at the gateway.

Domain Spoofing: “Company <person@company.com>”

This tactic forges mail from an organization’s own trusted domain and can be blocked by fully implementing DMARC email authentication on those domains.

Lookalike Domain Spoofing: “Company <person@c0rnpany.com>”

Lookalike domains are registered by third parties and are outside of the control of the organization being spoofed. This tactic can be prevented by lookalike domain discovery solutions that detect, analyze and flag suspicious domains.
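The three tactics above map to three different checks a mail gateway or a detection rule can run on a message’s From header. The following Python script is an added example, not Proofpoint code: it separates the display name from the address, treats the exact trusted domain as a DMARC question (only an Authentication-Results `dmarc=pass` verdict clears it), flags lookalike domains by undoing common character confusables (such as `rn` for `m` and `0` for `o`) and by edit distance, and flags display names that borrow the brand or contain an email address. The trusted-domain list, the confusable table and the sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Domains the organization legitimately sends from (constructed for this example).
TRUSTED_DOMAINS = {"company.com"}

# Visually confusable substitutions commonly used in lookalike domains.
# Constructed, not a complete list; order matters (multi-char pairs first).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Map a domain to its 'intended' look by undoing confusable substitutions."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Plain edit distance; catches one-character typosquats like company.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dmarc_result(auth_results):
    """Extract the dmarc= verdict from an Authentication-Results header value."""
    m = re.search(r"\bdmarc=(\w+)", auth_results or "", re.IGNORECASE)
    return m.group(1).lower() if m else None


def classify(from_header, auth_results=None):
    """Return the list of spoofing tactics the From header matches ([] if none)."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []

    if domain in TRUSTED_DOMAINS:
        # Exact trusted domain: the header alone cannot tell spoofed from real;
        # only an authentication pass (DMARC) clears it.
        if dmarc_result(auth_results) != "pass":
            findings.append("domain_spoofing_unauthenticated")
        return findings

    # Lookalike domain: normalized form equals a trusted domain, or is one edit away.
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == trusted or levenshtein(domain, trusted) <= 1:
            findings.append("lookalike_domain")
            break

    # Display-name spoofing: the free-text display name borrows the brand, a
    # trusted domain, or an address, while the real sending domain is untrusted.
    brand_tokens = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    dl = display.lower()
    if "@" in dl or any(t in dl for t in brand_tokens | TRUSTED_DOMAINS):
        findings.append("display_name_spoofing")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, one per tactic plus a legitimate message.
    samples = [
        ("Company <person@company.com>", "mx.example; dmarc=pass header.from=company.com"),
        ("Company <person@company.com>", None),
        ("Company <person@c0rnpany.com>", None),
        ('"person@company.com" <attacker@example.net>', None),
        ("Alice <alice@partner.org>", None),
    ]
    for hdr, auth in samples:
        print(f"{hdr!r:50} -> {classify(hdr, auth) or 'clean'}")
```

The exact-domain branch is deliberately unable to decide on its own: without DMARC (and the SPF/DKIM alignment behind it) a message from `person@company.com` is indistinguishable from the real thing, which is why the text ties that tactic to DMARC enforcement rather than to content filtering.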

The frequency with which a given tactic is used varies quarter-by-quarter and from organization to organization. Point products only solve for part of the email fraud challenge. For example, you could buy one product that would stop a domain spoofing attack targeting an organization’s customers and a completely separate product that would prevent a display name spoofing threat aimed at a company’s employees. Point products also introduce security, compliance, and operational risks.

Proofpoint’s 360 Degree Email Fraud Solution

Proofpoint provides a comprehensive solution to protect your employees, customers, and partners from all forms of email fraud. From a single portal, you can see all impostor threats – regardless of the tactic used or the person being targeted.  With Email Fraud Defense, you can:

  • View all inbound impostor threats, such as display name spoofing and lookalike domain spoofing attacks, and block them at the Proofpoint gateway
  • Enforce DMARC authentication quickly and confidently to block fraudulent emails that spoof your trusted domains
  • Automatically identify and flag lookalike domains that are registered by third parties and are outside of your control

Learn more about how to protect against email fraud with our ebook, Stopping Email Fraud