New data from security vendor Agari shows how identity deception techniques are being used to fool email recipients, while organizations lack the safeguards needed to ensure the emails they receive are genuine.
As attacks evolve, methods change and new targets are identified, organizations need to adjust their security strategies just as quickly in order to achieve the highest level of cybersecurity possible.
But according to insight from Agari’s Q1 2020 Email Fraud & Identity Deception Trends Report, organizations are either not paying attention or are simply not adjusting their security tactics to meet the threat. Agari reports that 68% of phishing attacks impersonate brands or individuals as a means of gaining trust and motivating victims to act as the attacker intends. According to the report:
- 36 percent use brand display name deception (e.g., using the name “Microsoft Support” but with a completely unrelated email address)
- 32 percent use individual display name deception (e.g., using the name “Bill Gates” in the display name and an unrelated email address)
- 20 percent use look-alike domains (e.g., microsooft.com)
- 12 percent use an actual compromised account
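The first three categories above (brand and individual display name deception, and look-alike domains) can be surfaced by inspecting the From: header before a message reaches a user. The following Python is an added example, not Agari's code or anything from the report: the brand and executive lists (BRAND_DOMAINS, VIP_NAMES), the similarity threshold and the sample headers are constructed for illustration. The fourth category, an actually compromised account, is invisible to this kind of check because the address and domain are genuine.

```python
import difflib
from email.utils import parseaddr

# Constructed sample policy: brand names and the domains allowed to use them.
# A real deployment would load this from the organization's own brand list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "paypal": {"paypal.com"},
}
# Constructed: people whose names are worth protecting (name -> allowed domains).
VIP_NAMES = {
    "bill gates": {"microsoft.com"},
}


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_alike(domain, legit_domains, threshold=0.85):
    """Return the legitimate domain that `domain` closely resembles, or None.
    An exact match is not a look-alike; similarity is difflib's ratio, and
    the 0.85 threshold is a constructed tuning value."""
    if domain in legit_domains:
        return None
    for legit in legit_domains:
        if difflib.SequenceMatcher(None, domain, legit).ratio() >= threshold:
            return legit
    return None


def classify_from_header(from_header):
    """Map a From: header to one of the deception categories in the report.
    Returns (category, detail) where category is one of:
    brand_display_name, individual_display_name, lookalike_domain, none."""
    display, address = parseaddr(from_header)
    display_l = display.lower()
    domain = domain_of(address)

    # Brand display name deception: a brand name in the display name, but the
    # message comes from a domain that brand does not own.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display_l and domain not in allowed:
            lookalike = looks_alike(domain, allowed)
            if lookalike:
                return ("lookalike_domain", f"{domain} resembles {lookalike}")
            return ("brand_display_name", f"'{display}' sent from {domain or 'no address'}")

    # Individual display name deception: a protected person's name with an
    # address outside their organization.
    for name, allowed in VIP_NAMES.items():
        if display_l == name and domain not in allowed:
            return ("individual_display_name", f"'{display}' sent from {domain or 'no address'}")

    # Look-alike domain with no brand name in the display name at all.
    all_allowed = set().union(*BRAND_DOMAINS.values(), *VIP_NAMES.values())
    lookalike = looks_alike(domain, all_allowed)
    if lookalike:
        return ("lookalike_domain", f"{domain} resembles {lookalike}")

    return ("none", "")


# Constructed sample headers for a quick run.
SAMPLE_HEADERS = [
    '"Microsoft Support" <alerts@mailer-xyz.example>',
    '"Bill Gates" <bgates@freemail.example>',
    '"Microsoft Support" <support@microsooft.com>',
    'billing@paypa1.com',
    '"Microsoft Support" <noreply@microsoft.com>',
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(f"{hdr:50} -> {classify_from_header(hdr)}")
```

The last sample header passes because the brand name and the sending domain agree; whether that message is actually authorized to use microsoft.com is exactly the question DMARC answers, which is why header heuristics and DMARC complement each other rather than substitute for one another.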
So, how are organizations – especially those brands that are a household name – addressing the problem? As part of a layered security strategy, particularly one that works to mitigate the threat of impersonation phishing attacks, organizations should be using DMARC as a means of confirming a sender’s identity.
According to the report, only 15 percent of Fortune 500 companies have a DMARC record configured to reject email from illegitimate senders, the policy that would help prevent cybercriminals from impersonating their brands in phishing attacks.
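A receiving mail server only refuses spoofed mail when the brand's DMARC record says p=reject; a record published at p=none asks for reports and blocks nothing, so "has a DMARC record" and "rejects illegitimate senders" are different bars. The Python below is an added example, not from Agari or the report: it parses a DMARC TXT record (the v, p, sp, pct and rua tags defined in RFC 7489) and classifies how strictly it is enforced. The domains and records in SAMPLE_RECORDS are constructed, the lenient handling of a missing p tag is an assumption, and it does not query DNS; you feed it the TXT value published at `_dmarc.<domain>`.

```python
# DMARC record assessment (added example; not from Agari or the report).


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed DMARC tag: {field!r}")
        name, value = field.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing or wrong v= tag")
    return tags


def enforcement(record):
    """Classify a DMARC record by what it asks receivers to do with mail that
    fails authentication. Returns the parsed policy plus a 'level' of
    reject, partial, quarantine or none."""
    tags = parse_dmarc(record)
    # p is required by RFC 7489; treating a missing p as 'none' is an assumption.
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    pct = int(tags.get("pct", "100"))                  # pct defaults to 100
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    if policy == "reject" and pct == 100:
        level = "reject"      # full enforcement: failing mail is refused
    elif policy == "reject":
        level = "partial"     # only pct% of failing mail gets the reject policy
    else:
        level = policy        # quarantine, or monitor-only (none)
    return {
        "policy": policy,
        "sp": subdomain_policy,
        "pct": pct,
        "level": level,
        "reporting": "rua" in tags,  # aggregate reports requested?
    }


# Constructed sample records (not any real domain's published record).
SAMPLE_RECORDS = {
    "enforcing.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "rollout.example":    "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@rollout.example",
    "weak-sub.example":   "v=DMARC1; p=quarantine; sp=none",
}


def domains_at_reject(records):
    """Return the domains whose record fully rejects failing mail."""
    return sorted(d for d, r in records.items() if enforcement(r)["level"] == "reject")


if __name__ == "__main__":
    for dom, rec in SAMPLE_RECORDS.items():
        print(f"{dom:20} {enforcement(rec)}")
    print("fully enforcing:", domains_at_reject(SAMPLE_RECORDS))
```

Two of the sample records show why a checker should look past the p tag: pct=25 leaves three quarters of failing mail unaffected, and sp=none leaves every subdomain open to impersonation even though the organizational domain is protected.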
The other half of the equation is the user. According to Agari, 60 percent of employee-reported phishing incidents are false positives. On the plus side, it’s good that employees are erring on the side of caution. But it also directly indicates that users are not being educated on how to properly identify a phishing email in the first place, which calls into question whether they would fall victim to an actual phishing scam.
Organizations need to put DMARC in place to help keep impersonated emails from reaching the user’s inbox, and security awareness training to properly instruct users on what to look for when an email seems suspicious and how to avoid falling prey to an attack.