Email fraud continues to impact companies of all sizes, in all industries, and in all locations. In Q2 of this year, the FBI released a report indicating that business email compromise (BEC) and email account compromise (EAC) scams have cost organizations more than $12.5 billion in losses.

And this past quarter brought additional headlines surrounding these highly targeted and socially engineered attacks. The US Securities and Exchange Commission (SEC) released an investigative report focusing on 9 companies that fell victim to BEC scams that accounted for nearly $100 million in losses. Additionally, the Department of Homeland Security’s (DHS) Binding Operational Directive 18-01 compliance deadline came in October which mandates the implementation of email authentication, an effective control used to block specific forms of email fraud.

To better understand email fraud and the trends surrounding this threat, Proofpoint regularly analyzes attacks we block that target thousands of organizations worldwide. In Q3 2018:

Companies were targeted more frequently than ever in Q3 2018

Though email fraud is a highly-targeted style of attack, fraudsters continue to target companies with greater frequency each quarter. In Q3, the average organization was targeted 36 times. That’s an increase of 80% year-over-year and 4% higher than Q2. The proportion of companies that were targeted by more than 50 BEC attacks in a quarter nearly doubled - from 11% to 20% - over the previous year.

In Q3, the number of identities spoofed within a given organization significantly decreased from 16 to 5 – returning to the average number seen through many previous quarters. This is understandable as these attacks are socially engineered and fraudsters are looking to spoof the identities of people with the greatest authority. While the number of identities spoofed decreased, the number of people targeted within the average organization remained at the high-level seen in Q2, which was 27 people. This represents a 96% year-over-year increase.  

Email fraud by industry and company size

Consistent with our previous quarterly research, there is no statistical correlation between the size of an organization and the frequency with which they are targeted. Companies in all industries are targeted by BEC and almost all industries were targeted more frequently in Q3 than in the previous quarter.

Pharmaceutical companies topped the list of industry verticals in Q3, with an average of 71 attacks per company—a 79% quarter-over-quarter increase. We continue to see companies within real estate as well as verticals with more complex supply chains targeted with greater frequency on average. For example, retail companies were targeted 144% more than at the same time last year and construction, engineering, and manufacturing remain highly favored targets. While almost all industries experienced greater quarter-over-quarter attack frequencies, the public sector and government institutions saw a 31% decrease in the number of targets from Q2.

Companies continue to be targeted by various fraud tactics

Attackers use multiple fraud tactics including display name spoofing, domain spoofing, and lookalike domains. Leveraging various tactics makes it more difficult to detect and block email fraud attacks. Using multiple tactics within a single attack was also common.

Display name spoofing is the easiest email identifier to spoof and is commonly used along with other fraud tactics. In Q3, 99.82% of BEC messages analyzed used this tactic.

Domain spoofing attacks continued to threaten organizations in Q3 as more than half of all companies (53%) were targeted by at least one BEC message using this tactic.

Lookalike domains are malicious domains registered by third parties. 9.42% of organizations were targeted by this tactic in Q3.

How to fight back against these threats

Email fraud is a multi-faceted problem that impacts multiple stakeholders and includes various tactics. While an organization’s employees are certainly at risk (BEC), criminals also target their customers and business partners. Companies need visibility across all these targets, as well as controls in place to stop all fraud tactics. These controls include email authentication, email classification through machine learning and policy capabilities, and domain monitoring.

For more in-depth email threat analysis, read our full report, “Protecting People: a Quarterly Analysis of Highly Targeted Attacks.”

Click here to learn about how Proofpoint’s EFD360 solution can protect your employees, customers, and partners from all forms of email fraud.