REPORT. Year In Review. proofpoint.com

Similar documents
EBOOK. Stopping Fraud. How Proofpoint Helps Protect Your Organization from Impostors, Phishers and Other Non-Malware Threats.

Machine-Powered Learning for People-Centered Security

REPORT. proofpoint.com

EBOOK. Stopping Fraud. How Proofpoint Helps Protect Your Organisation from Impostors, Phishers and Other Non-Malware Threats.

with Advanced Protection

TABLE OF CONTENTS Introduction: IS A TOP THREAT VECTOR... 3 THE PROBLEM: ATTACKS ARE EVOLVING FASTER THAN DEFENSES...

2018 Edition. Security and Compliance for Office 365

An Ounce of Prevention

Evolution of Spear Phishing. White Paper

Security and Compliance for Office 365

Automated Context and Incident Response

The Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

BUILDING AN EFFECTIVE PROGRAM TO PROTECT AGAINST FRAUD

building an effective action plan for the Department of Homeland Security

2018 Edition. A Practical Guide to Protecting Your Organization. proofpoint.com

The. Guide. Managing Business Compromise and Impostor Threats to Keep Your Organization Protected

Security & Phishing

ybersecurity for the Modern Era Three Steps to Stopping malware, Credential Phishing, Fraud and More

Trustwave SEG Cloud BEC Fraud Detection Basics

THE CLOUD SECURITY CHALLENGE:

PEOPLE CENTRIC SECURITY THE NEW

The Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015

Data Privacy in Your Own Backyard

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Cyber Insurance: What is your bank doing to manage risk? presented by

Phishing in the Age of SaaS

NOT PROTECTIVELY MARKED PHISHING. July 2016

DMARC Continuing to enable trust between brand owners and receivers

Employee Privacy in the Electronic Workplace

How to Conquer Targeted Threats: SANS Review of Agari Enterprise Protect

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Phishing Activity Trends

Webroot Phishing Threat Trends

CYBER SECURITY RESOURCE GUIDE. Cyber Fraud Overview. Best Practices and Resources. Quick Reference Guide for Employees. Cyber Security Checklist

DMARC ADOPTION AMONG

Webomania Solutions Pvt. Ltd. 2017

Proofpoint, Inc.

Best Practices in Securing a Multicloud World

Office 365 Buyers Guide: Best Practices for Securing Office 365

Phishing Discussion. Pete Scheidt Lead Information Security Analyst California ISO

Q WEB APPLICATION ATTACK STATISTICS

Wire Fraud Begins to Hammer the Construction Industry

Phishing Activity Trends Report October, 2004

Phishing Activity Trends Report August, 2006

FRAUD DEFENSE: How To Fight The Next Generation of Targeted BEC Attacks

Governance Ideas Exchange

Personal Cybersecurity

The security challenge in a mobile world

THALES DATA THREAT REPORT

Phishing Activity Trends Report August, 2005

CE Advanced Network Security Phishing I

WHITEPAPER. Protecting Against Account Takeover Based Attacks

REPORT. proofpoint.com

U.S. State of Cybercrime

GLBA. The Gramm-Leach-Bliley Act

Kaspersky Security for Microsoft Office 365

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

How Enterprise Tackles Phishing. Nelson Yuen Technology Manager, Cybersecurity Microsoft Hong Kong

Preventing fraud in public sector entities

Phishing: When is the Enemy

Phishing Activity Trends Report March, 2005

ISE Cyber Security UCITS Index (HUR)

IC B01: Internet Security Threat Report: How to Stay Protected

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Maintaining Trust: Visa Inc. Payment Security Strategy

Phishing Activity Trends Report January, 2005

Evaluating DMARC Effectiveness for the Financial Services Industry

The 2017 State of Endpoint Security Risk

Correlation and Phishing

KnowBe4 is the world s largest integrated platform for awareness training combined with simulated phishing attacks.

CLICK TO EDIT MASTER TITLE STYLE Fraud Overview and Mitigation Strategies

Cyber Security Updates and Trends Affecting the Real Estate Industry

How to recognize phishing s

Business Compromise: Operation Wire Wire & New Attack Vectors

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and the Case For Automated Sandboxing

Your security on click Jobs

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

STOPS CYBER ATTACKS BEFORE THEY STOP YOU. Prepare, recognize, and respond to today s attacks earlier with Verizon Security Solutions.

Phishing Activity Trends

Agari Global DMARC Adoption Report: Open Season for Phishers

Turning the Tide: Fending off Cyber Threats

Keep the Door Open for Users and Closed to Hackers

mhealth SECURITY: STATS AND SOLUTIONS

Scam Call Trends and Projections Report

Getting over Ransomware - Plan your Strategy for more Advanced Threats

Fraud Update: Why Fraudsters Love Wires and How to Stop Them. Luis Rojas, Director, Product Management WesPay 2014

Quick recap on ing Security Recap on where to find things on Belvidere website & a look at the Belvidere Facebook page

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Bank of america report phishing

New SEC Cyber Report Puts Spotlight On Accounting Controls

As Enterprise Mobility Usage Escalates, So Does Security Risk

Fighting Fraud with Behavioral Biometrics and Cognitive Fraud Detection. IBM Security s Brooke Satti Charles on the Power of These New Capabilities

An Executive s FAQ About Authentication

Target Breach Overview

Nigerian Telecommunications Sector

A Layered Approach to Fraud Mitigation. Nick White Product Manager, FIS Payments Integrated Financial Services

Are you YOUR COMPANY S DIGITAL FOOTPRINT?

Defending Our Digital Density.

Applying biometric authentication to physical access control systems

Transcription:

REPORT Year In Review proofpoint.com

Email fraud, also known as business email compromise (BEC), is one of today s greatest cyber threats. These socially engineered attacks seek to exploit people rather than technology. They are highly targeted, sent in low volumes, and impersonate people in authority. Email fraud preys on human nature fear, the desire to please, and more to steal money and valuable information from employees, customers, and business partners. Proofpoint analyzed more than 160 billion emails sent to more than 2,400 companies spanning 150 countries. Here are our findings for 2017.

3 EMAIL FRAUD In email fraud attacks, an email or series of emails purporting to come from a top executive or partner firm asks the recipient to wire money or send sensitive information. It does not use malicious attachments or URLs, so it can be hard to detect and stop. Email Fraud Continues to Soar EMAIL FRAUD was rife in 2017. While the threat continues to be highly targeted, attacks were launched against more organizations and more frequently vs. 2016. The percentage of companies targeted by at least one email fraud attack steadily rose, reaching a new high of 88.8% in Q4. That s up 13.8 percentage points over the 75.0% of organizations targeted in the year-ago quarter. On average, companies were targeted by 18.5 fraudulent emails per quarter, up 17% over the previous year. In sheer volume, the year ended with two of the three biggest quarters that we ve ever seen for email fraud. Business Email Compromise attacks detected and blocked by Proofpoint Q3 and Q4 represented two of the three biggest quarters we've ever recorded in email fraud volume. 25,000 20,000 2016 2017 15,000 10,000 5,000 0 Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec FRAUDSTERS REACH FURTHER DOWN THE ORG CHART Criminals have moved beyond CEO-to-CFO spoofing as they expand their reach within organizations. Spoofing more identities After holding steady for the first three quarters, the average number of identities spoofed per organization more than doubled in Q4 to about 10 identities. This shift makes sense. As security teams ramp up efforts to warn employees of CEO spoofing threats, the bad guys find other authority figures to impersonate. Nearly half (47%) of organizations had more than five identities spoofed in Q4, nearly double the previous quarter s total. Targeting a wider range of roles The average number of people targeted overall within a given organization leveled off in Q4 at about 13. But criminals are targeting people deeper within the org chart and across more business groups, such as HR and accounts payable. In many cases, they can craft a convincing email using social engineering and employee information widely available on the web and social media. As attackers dug further down the org chart in Q4, 41% of targeted companies faced attacks in which more than five identities were spoofed and more than five employees were targeted.

4 Identities Spoofed vs. Emails Sent Moving on from simple one-to-one attacks, fraudsters are impersonating more authority figures and targeting more people within the organization. We call these many-to-many attacks. ONE-TO-ONE ATTACKS In one-to-one email fraud, an attacker spoofs one identify (typically the CEO) and targets one recipient (typically the CFO). One One One Some One Many Some One Some Some Some Many Many One Many Some Many Many MANY-TO-MANY ATTACKS In many-to-many attacks, fraudsters impersonate multiple executives and target several recipients. For example, an attacker might try impersonating several managers and target a company s whole finance team. 40% 30% 20% 0% Q3 2016 Q4 2016 Q1 2017 Q2 2017 Q3 2017 Q4 2017 TO ATTACKERS, SIZE DOESN T MATTER Fraudsters target organizations of all sizes. They are also opportunistic, targeting companies across all industries. Companies of all sizes attacked We have seen almost no connection between company size and how often it is targeted by email fraud since we started tracking this information in 2016. Only one quarter (Q2 of 2017) showed any correlation at all attackers revealed a slight preference for larger targets. Attackers Target Many Industries Financial services and manufacturing are among the most frequently targeted. But we saw widespread email fraud attacks across all industries. Financial Services Manufacturing Health Care Energy/Utilities 20,000 16,000 12,000 8,000 4,000 0 Q4 2016 Q1 2017 Q2 2017 Q3 2017 Q4 2017 That attacks fall on small and large targets evenly may seem surprising. But from the attacker s point of view, the pattern makes sense. Larger organizations may be richer targets. But smaller entities are often more vulnerable to these advanced threats.

5 Attackers target many industries In earlier research, we saw a mostly uniform spread of email fraud attempts across industries. (Though the financial services, manufacturing, healthcare, and energy/utility sectors were targeted slightly more frequently.) In Q4, attackers targeted new industries. In real estate, criminals found new ways to cash in on high-value transactions. And in education, attacks jumped 77% from the previous quarter and 120% over the year-ago period. SHIFTING EMAIL FRAUD TACTICS To evade traditional security tools and reach their victims, fraudsters are always changing their technique. Subject Lines Used in Email Fraud Attempts "Payment," "request," and "urgent" are always popular subject lines, but we saw a spike in legal-related subjects in Q4 Payment Request Urgent Other Greeting Blank W2, FYI, Where are you? Document, Date, Legal, Confidential, Tax Q1 2017 Q2 2017 Q3 2017 Q4 2017 WIRE-TRANSFER FRAUD In wire-fraud scams the attacker sends an email impersonating an executive. The email tricks the recipient into wiring money by disguising the transfer as a normal business transaction or an important deal that requires secrecy. W2 SCAMS In this scam, someone spoofing an executive asks the finance department to send employee records. Those records are then used for identity theft and other attacks. It s named after the W2 tax form U.S. employers use to report worker wages. Wire fraud WIRE-TRANSFER FRAUD continues to be the most frequent form of email fraud at nearly 27% of email fraud message volume. Email subject categories usually include some variation of the word payment. Tax scams W2 TAX-DOCUMENT SCAMS increased in the first quarters of each of the past two years, probably due to the looming U.S. filing deadline. For instance, we saw a 3,408% spike in Q1 vs. the previous quarter. In Q2 as the filing deadline passed, the volume of these attacks dropped down to a steady state. Shifting personas and subject lines Attackers take on a range of personalities to impersonate a trusted authority. Throughout 2017, email fraud attacks shifted between subject categories that included urgent and those that included request. Urgent and request Messages that fall under the urgent subject category are typically more direct and concise. Messages that include request in the subject line take a softer approach. They establish more of a back-and-forth rapport before asking for the prized information. Legal Two more subject categories spiked in Q4: those that included a date and those that included legal. Though still small in absolute terms, attacks that took a legal angle grew 1,850% over the previous year. The most rampant of these scams had an email subject that read lawyer s call.

6 In these attacks, the fraudster typically tries to move the interaction away from email and direct the wire transfer over the phone. These attacks work because the attacker impersonates someone in authority but whom the victim doesn t normally work with. And because much of the contact takes place offline, these scams are harder for security teams to detect and stop. Fabricated email histories Fraud attempts that included fake email histories rose each quarter of 2017. This technique uses Re: or Fwd: in the subject line, a false email history, or both. The fabricated email chain appends a realistic-looking email history that suggests that the required stakeholders have already approved the request. In Q4, more than 11% of all email fraud attacks included a version of this technique. That s up from 7.3% from the same quarter, one year ago. DOMAIN- AND DISPLAY-NAME SPOOFING LEAD ATTACK TECHNIQUES Over the course of 2017, the mix of email fraud messages shifted between domain spoofing, display-name spoofing, and lookalike domain (or cousin domain) attacks. DOMAIN-SPOOFING Spoofing impersonates trusted colleagues or contacts by making an attacker s emails appear to come from a legitimate and expected address. DISPLAY-NAME SPOOFING Domain-name spoofing places a familiar name and email address in the From: field that users see on incoming emails. When the recipient replies, the response actually goes to the address specified in the email s Reply to: header. DMARC DMARC, which stands for Domainbased Message Authentication, Reporting and Conformance, is an email authentication protocol that can prevent many email fraud attacks. Domain spoofing DOMAIN-SPOOFING attacks, in which criminals hijack an organization s trusted email domains, continue to make up a large portion of email fraud attacks. In Q4, 69% of organizations targeted by email fraud saw at least one domain-spoofing attack. And for all of 2017, nearly 93% of organizations were targeted by one. Display-name spoofing DISPLAY-NAME SPOOFING through web-based email services accounted for about 40% of email fraud attacks in Q4. Aol.com and gmail.com were the preferred sending domains for these threats, though attackers also use many other domains. DMARC adoption Domain-spoofing attacks can be prevented by implementing DMARC email authentication. It s no wonder we saw significant initiatives to increase DMARC adoption in 2017. In October, the U.S. Department of Homeland Security issued Binding Operational Directive 18-01. The directive aims to increase security for people who receive email from federal agencies or visit a federal website. A key part of the directive orders all civilian federal agencies to deploy DMARC quickly. At the time the directive was announced, nearly 1 in every 8 emails sent from a.gov email address was fraudulent. Only about 17% of the agencies had adopted DMARC. About 90 days into the initiative, that percentage has more than tripled. Nearly 52% of agencies have hit the first DMARC milestone deadline. Federal DMARC Deployment Among Civilian Agencies More agencies are rolling out email authentication in the wake of a federal directive. But nearly half have still not met the first milestone. 100% 80% 60% No Yes 40% 20% 0% October November December January

7 Shortly after the directive was announced, National Health Information Sharing and Analysis Center (NH-ISAC) an industry group that helps healthcare providers share security information asked its members to pledge to deploy DMARC in 2018. LOOKALIKE-DOMAIN SPOOFING In lookalike-domain spoofing, attackers register domain names deceptively similar to those of trusted brands. A CLOSER LOOK AT LOOKALIKE DOMAINS LOOKALIKE-DOMAIN SPOOFING, in which the attacker registers a domain confusingly similar to a trusted domain, is another effective tactic. Attackers trick people into giving up valuable information with emails that appear to be from someone familiar. Attackers craft these impostor domains by making small, hard-to-notice changes to the original domain. They may swap out individual characters, such as the numeral 0 in place of the letter O. Or they may insert characters, such as adding an S at the end of the domain. The volume of lookalike domain attacks is not as high as display-name and domain spoofing. That s probably because the technique requires the attacker to register a domain, which costs money. But given that a single trusted domain name could have countless similar-looking variations, attackers have many openings to launch such attacks. Character shifting Like other email fraud tactics, lookalike domain techniques change every quarter. But looking across 2017, individual character swapping was the most popular, occurring nearly 38% of the time. The most common swaps were: An L in place of an I (17.4%) The numeral 0 for the letter O (8.7%) V for U (8%) Character-Swapping in Lookalike Domains Because some characters resemble others, fraudsters have many options for creating domains that look like yours. swapped I with L swapped O with 0 swapped U with V swapped L with I swapped G with Q swapped A with E swapped O with A swapped E with A swapped L with 1 Q1 2017 Q2 2017 Q3 2017 Q4 2017 swapped A with O 0% 20% 40% 60% 80%

8 Inserting characters Impostor domains that inserted an additional character occurred about 34% of the time over the year. The most common inserts were: An I (23.7%) An R (19.3%) An L (15.4%) Inserted Characters Used in Lookalike Domains Additional characters can be hard to spot in email addresses, giving fraudsters new variations of trusted email domains. inserted an I inserted an R inserted an L inserted an S inserted an E inserted a C inserted an N inserted a V inserted an A Q1 2017 Q2 2017 Q3 2017 Q4 2017 inserted a T 0% 20% 40% 60% 80% 100% Other techniques Another popular technique is adding or removing a leading or trailing character within the domain. This approach accounted for about 13% of registered lookalike domains. HOMOGRAPH SPOOFING Homograph spoofing mixes character sets from different languages to create lookalike domains that appear identical to people but are actually different to a computer. For example, an unsafe domain that uses the Cyrillic A would look the same as a trusted domain that uses a Latin A. Other lookalike domain spoofing tactics include: Hyphenating Removing characters Using typographs and HOMOGRAPHS CONCLUSION AND RECOMMENDATIONS Despite organizations large investments in security, email fraud is on the rise. Cyber criminals are becoming more advanced. They are evading traditional security solutions, leaving employees as the last line of defense. Email fraud tactics are always shifting. That s why you need a multi-layered defense that includes: 1. DMARC email authentication. Block all impostor attacks that spoof trusted email domains. 2. Dynamic classification. Analyze the content and context of the email to stop display name spoofing and cousin domain tactics at the email gateway. 3. Lookalike domain discovery. Identify and flag potentially risky domains registered by third parties. 4. Data loss prevention. Prevent sensitive information, such as W2s, from leaving your environment.

9 Are you equipped to stop email fraud? Get a free DMARC assessment to quickly understand your potential exposure to risk and see how DMARC authentication can help you prevent email fraud. proofpoint.com/us/learn-more/dmarc-assessment ABOUT PROOFPOINT Proofpoint, Inc. (NASDAQ:PFPT), a next-generation cybersecurity company, enables organizations to protect the way their people work today from advanced threats and compliance risks. Proofpoint helps cybersecurity professionals protect their users from the advanced attacks that target them (via email, mobile apps, and social media), protect the critical information people create, and equip their teams with the right intelligence and tools to respond quickly when things go wrong. Leading organizations of all sizes, including over 50 percent of the Fortune 100, rely on Proofpoint solutions, which are built for today s mobile and social-enabled IT environments and leverage both the power of the cloud and a big-data-driven analytics platform to combat modern advanced threats. Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. www.proofpoint.com 0118-051

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback