Vendor Email Compromise Will Skyrocket in 2020, Reports Email Security Firm Agari
Email security and anti-phishing firm Agari’s much-anticipated annual list of predictions is out and shows that top information-security professionals will grapple with a very different type of attack going into the new year. Fortune 1000 CISOs can expect fewer malware attacks, the company says.
“We fully expect cybergangs and cyber-criminal organizations will organize and attempt fewer technical cyber attacks, like malware, starting early in 2020,” said Agari CMO and Chief Identity Officer, Armen Najarian. “Instead, companies need to watch out for low-tech and social-engineered attacks at scale. These types of threats are the most effective, thus harmful.”
- VEC Becomes the #1 Email Security Threat
In 2020, the form of BEC known as vendor email compromise (VEC) will emerge as the top attack modality for email fraudsters targeting the enterprise. In VEC attacks like the kind launched by the cyber crime group we’ve dubbed Silent Starling, fraudsters hijack corporate email accounts, spy on communications, and then impersonate the account’s legitimate owner in emails aimed at defrauding companies throughout the extended supply chain. It’s easy to see the appeal. While a traditional BEC scam can net fraudsters an average $50,000, revenues from a successful VEC attack average $125,000, according to FinCEN.
- More Social Engineering Scams Target Business—and the 2020 Elections
The good news: There are likely to be fewer malware attacks in 2020. The bad news: Cyber criminal organizations will launch less technical, social engineering-based email attacks at a larger scale. Not only are these attacks much harder to detect than phishing emails containing malicious links or content, they can be just as harrowing. In the year ahead, cyber crime rings won’t be the only ones using these tactics. Iran, Russia, China and other foreign threat actors will seek to hack the email accounts of US presidential campaigns in hopes of influencing the 2020 elections, diverting campaign donations and spoofing campaign brand domains. The Election Security Registered Voter Poll, taken at the end of Oct. 2019, found that 44% of the registered voters said they believe many of the presidential campaigns have already been hacked; and of those, 79% believe that at least some portion of campaigns have been hacked, but just don’t yet know it.
- Credential Phishing, Data Breaches Democratize Email Fraud
Nonstop data breaches will drive the growing availability of millions of compromised email credentials such as Collection #1, making it simpler than ever to take over a high-value target’s email account. Look for a boom in Phishing-as-a-Service (PaaS) offerings, as well as a proliferating number of turnkey phishing kits. Ranging from free to $300, phishing kits typically include zip files with the HTML, PHP files, images and other assets needed to set up phishing sites that replicate legitimate login pages for trusted brands such as Dropbox, Adobe, Microsoft, LinkedIn, and more. Randomization generators create multiple URLs so that if one URL gets blacklisted, the other URLs still function. The vast majority of sites have lifespans of as little as 24 hours to avoid being taken down.
- One Major US Corporation Loses $50 Million to Insider Email Scheme
When phishing attacks originate from a coworker, or from an employee of a trusted supply chain partner, detection can come too late, especially when the goal isn’t direct financial theft. Exfiltration of competitive intelligence and strategies, IP, and valuable customer data is a very real threat. The average costs associated with data breaches now top $8.2 million per incident for US-based companies. For mega-breaches, costs can run as much as $388 million or more. And that’s before any regulatory fines or lawsuits. Considering the $37 million loss one Toyota subsidiary recently suffered from an outsider email attack, it’s not unfathomable that a major corporation will face $50 million in losses from an insider-based wire fraud or credential phishing attack that results in a data breach in 2020.
- Voice Technology Expands the BEC Attack Surface
“Alexa, can you hack my email?” In coming months, voice tech will be weaponized in new cyber attacks. As relatively insecure forms of continuous data recording (CDR) technology are inevitably hacked, cybercriminals will combine spoken login credentials and the deepfake-enabled “voices” of trusted executives in their phishing schemes. Just ask the German company that recently paid out $243,000 in what may have been the first deepfake-enabled BEC attack. Increasingly, email security will require an adaptive authentication-based approach that leverages ML to analyze thousands of indicators—identity, device, location, behavioral and more—to accurately assess and act on risk.
- Pressure Builds for New Email Security Mandates in the Private Sector
Expect calls for new regulations that emulate the US Department of Homeland Security’s Binding Operational Directive BOD 18-01, which requires executive branch agencies to adopt Domain-based Message Authentication, Reporting and Conformance (DMARC). This standard email authentication protocol helps organizations protect their domains from being pirated and impersonated in email attacks. Today, most executive branch agencies have fully implemented DMARC, while 82% of the Fortune 500 remains vulnerable to impersonation attacks targeting their customers, partners, investors and the general public. Watch for any proposed mandates to encompass DMARC, cyber-insurance, and advanced threat protection through a defined set of email security controls.
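The difference between a domain that has "adopted" DMARC and one that is actually protected comes down to the published TXT record: a `p=none` record only monitors, while `p=reject` at 100% tells receivers to discard spoofed mail. The following is an added example, not Agari's code or anything from the report; it parses a DMARC record per RFC 7489, applies the RFC defaults for optional tags, and flags the settings that leave a domain open to impersonation. The three sample records are constructed, use the reserved `example.com` domain, and are embedded inline so nothing is looked up in DNS.

```python
"""
Parse a DMARC TXT record (RFC 7489) and rate how much protection it gives
against domain impersonation. Sample records are constructed; no DNS lookup
is performed, so this runs offline.
"""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGN = {"r", "s"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and validate what RFC 7489 requires."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # 'v=DMARC1' must be the first tag; 'p' is mandatory on the organizational domain.
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {tags.get('p')!r}")
    # Fill in RFC defaults so callers see the effective settings, not just the literal ones.
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p
    tags.setdefault("pct", "100")         # apply policy to all failing mail
    tags.setdefault("adkim", "r")         # relaxed DKIM alignment
    tags.setdefault("aspf", "r")          # relaxed SPF alignment
    if not re.fullmatch(r"\d{1,3}", tags["pct"]) or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError(f"pct must be 0-100: {tags['pct']!r}")
    if tags["adkim"] not in VALID_ALIGN or tags["aspf"] not in VALID_ALIGN:
        raise ValueError("adkim/aspf must be 'r' or 's'")
    return tags


def assess(record: str) -> dict:
    """Return the effective policy plus the findings a domain owner would act on."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: spoofed mail is still delivered; monitoring only")
    if tags["p"] != "none" and int(tags["pct"]) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if tags["p"] != "none" and tags["sp"] == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unseen")
    enforcing = (
        tags["p"] in {"quarantine", "reject"}
        and int(tags["pct"]) == 100
        and tags["sp"] != "none"
    )
    return {"policy": tags["p"], "enforcing": enforcing, "findings": findings}


# Constructed sample records (example.com is a reserved documentation domain).
WEAK_RECORD = "v=DMARC1; p=none; sp=none"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("strong", STRONG_RECORD)]:
        result = assess(rec)
        print(f"{name:8s} p={result['policy']:11s} enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Run against a real domain by fetching the TXT record at `_dmarc.<domain>` with your DNS tooling and passing the string to `assess`. The "partial" record is the case worth watching for in a compliance review: it looks enforced at a glance, but `pct=25` means three quarters of spoofed messages are still treated as if the policy were `none`.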