20% of Advanced Email Scams Now Launched from Hijacked Accounts

5 min read · Feb 4, 2019

By Fareed Bukhari, Director of Product Marketing at Agari

Recent increases in phishing, business email compromise (BEC), and other advanced email scams may be tied to a dramatic rise in attacks launched from hijacked email accounts, according to the Q1 2019 Email Fraud & Identity Deception Trends Report from the Agari Cyber Intelligence Division.

The report, based on Agari data captured from October through December 2018, finds that account takeover (ATO)-based email attacks now account for 20% of all advanced email threats targeting businesses. For businesses hit with an endless barrage of incoming attacks, that’s bad news.

ATO-based scams rank among the most difficult to detect, precisely because they’re launched from compromised email accounts belonging to trusted brands or individuals — making them seem legitimate to email filters and recipients alike.

Of course, schemes designed to manipulate recipients into revealing login credentials for email and other sensitive business systems have always been a huge risk to organizations, especially because they lead to an increased risk of data breaches. But in recent months, ATO-based business email compromise scams have been growing increasingly costly to the organizations that fall prey to them — especially as these attacks get easier for cybercriminals to pull off.

Making BEC a Breeze

Despite growing awareness, BEC scams surged 60% in 2018, according to the FBI. And the results haven’t been pretty.

In October, the SEC issued a report on nine publicly-traded companies that were swindled out of $100 million through BEC schemes. One company made 14 separate wire payments for fake invoices over the course of several weeks, racking up $45 million in losses. Another lost $30 million, while the rest lost an average of $3.5 million each.

In at least two cases, the cybercriminal organizations behind the attacks had taken over email accounts belonging to executives at outside suppliers. According to a study from Osterman Research, a staggering 44% of all businesses have been victimized by ATO-based impersonation rackets like this. And the barriers to entry are falling fast.

As it stands now, an ever-expanding marketplace for stolen email login credentials means it’s easier than ever to take over the accounts of high-value targets. Credentials belonging to high-value targets within finance and HR, for instance, are readily available on the dark web for anywhere from $150 to $500. In fact, scam artists can even just outsource their cons for as little as $150. Many of these BEC-as-a-Service offerings promise results in as little as a week.

Outlook 2019: More Outrage Ahead

The impact of this form of attack cannot be overstated. After all, a successful account takeover doesn’t just give fraudsters the ability to impersonate the account’s legitimate owner. It also gives them access to the individual’s contacts, ongoing email conversations, and historical email archives — making it possible to craft new scams made all the more appalling by their uncanny personalization and devastating effectiveness.

Today, each successful ATO-based attack results in at least three subsequent account takeovers. Indeed, the data captured in the Q1 report points to the potential for major criminal offensives in the months ahead.

Look for the types of attacks to metastasize as well. While 78% of ATO attacks are currently phishing scams aimed at harvesting more credentials, the SEC report suggests that larger-scale wire fraud-centered BEC campaigns could be in the works.

Email’s Identity Crisis

While the rise in ATO-based BEC attacks is alarming, they’re just one of the ways cybercriminals impersonate trusted businesses and individuals. Data captured in the Q1 report shows display name deception continues to be the tactic of choice for cybercriminals, accounting for 63% of all impersonation-based email attacks.

What’s more, the data finds brand impersonation drove 50% of these attacks in the fourth quarter — with Microsoft impersonated in 70% of these assaults. Microsoft is a common target for credential phishing because Office 365 accounts can be used in subsequent ATO attacks. But perhaps the biggest surprise was the increase in attacks impersonating the IRS — likely due to the impending tax season.

A different pattern emerges for executive targets as one-third (33%) of advanced email attacks against C-level employees use display name deception that impersonates an individual as opposed to a brand name — a common tactic for business email compromise (BEC) attacks targeting CFOs.
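As an added illustration of the display name deception described above (this is example code written for this page, not Agari's detection logic or anything taken from the report), the following Python checks the From: header of a message against a constructed directory of trusted display names and the domains that may legitimately send under each name. The directory, the sample headers and the domain names are all invented for the example. A message is flagged when a known name (an executive, a brand such as Microsoft, or the IRS) appears in the display name but the sending domain is not one of the expected ones, or when the display name is itself shaped like an email address from a different domain. Note what this check deliberately cannot do: mail sent from a genuinely hijacked account carries the real name and the real domain, so it passes, which is exactly why the article treats ATO-based attacks as the hardest class to detect.

```python
import re
from email.utils import parseaddr

# Constructed directory of trusted identities: normalized display name -> set of
# domains that may legitimately send under that name. In a real deployment this
# would be built from the address book, the HR directory and a brand list.
TRUSTED_IDENTITIES = {
    "jane doe": {"example.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "irs": {"irs.gov"},
}

# Constructed sample From: headers (all domains and names are invented).
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example.com>",                        # legitimate
    "Jane Doe <jane.doe.ceo@gmail-mail.net>",                 # executive impersonation
    "Microsoft Account Team <security@micros0ft-alerts.com>",  # brand impersonation
    '"jane.doe@example.com" <x7@evil.example>',               # address-shaped display name
    "IRS Refund Desk <refunds@irs-refund-portal.com>",        # agency impersonation
    "Bob Smith <bob@partner.example>",                        # unknown name, not flagged
]


def _domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _normalize(name):
    """Collapse whitespace and case so 'JANE  Doe' compares equal to 'jane doe'."""
    return " ".join(name.split()).lower()


def classify_from_header(from_header, trusted=TRUSTED_IDENTITIES):
    """Return (verdict, reason) for one RFC 5322 From: value.

    verdict is 'ok', 'suspect' or 'reject'.
    """
    display, address = parseaddr(from_header)
    display = _normalize(display)
    domain = _domain_of(address)

    if not address or not domain:
        return "reject", "unparseable From header"

    # A display name that looks like a mailbox but routes elsewhere is a
    # classic trick: the visible part mimics the real address.
    if "@" in display and _domain_of(display) != domain:
        return "suspect", "display name looks like an address from another domain"

    for name, domains in trusted.items():
        # Whole-word match so 'irs' does not fire on 'first' but does fire on
        # 'IRS Refund Desk' or 'Microsoft Account Team'.
        if re.search(r"\b" + re.escape(name) + r"\b", display):
            if domain in domains:
                return "ok", f"'{name}' sent from an expected domain"
            return "suspect", (f"'{name}' in display name but sending domain "
                               f"'{domain}' is not in {sorted(domains)}")

    return "ok", "display name not in the trusted directory"


def triage(from_headers, trusted=TRUSTED_IDENTITIES):
    """Return the headers that are not clean, with verdict and reason."""
    results = []
    for header in from_headers:
        verdict, reason = classify_from_header(header, trusted)
        if verdict != "ok":
            results.append((header, verdict, reason))
    return results


if __name__ == "__main__":
    for header, verdict, reason in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict.upper():8} {header}\n         {reason}")
```

Run on the constructed samples, the four impersonation headers are flagged and the two clean ones pass. The directory lookup is the weak point in practice: the check is only as good as the list of names and domains it is given, and it says nothing about a message whose name and domain are both genuine.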

In all, the volume and severity of new BEC attacks continues to be unrelenting. As it stands now, the number of attacks launched from compromised email accounts is growing at an unprecedented rate. And financial losses from ATO scams are now up 2,370% just since 2015.

Fighting Back, or Rolling Over?

Indeed, with average losses from a successful BEC scam trending as high as $1.6 million, and an average of $7.9 million in additional costs if it leads to a data breach, how organizations react to the new wave of account takeover-based BEC attacks is of paramount importance.

Yet, it’s unclear why more organizations haven’t yet deployed modern, AI-based technologies capable of mapping email communications across users, organizations, and infrastructures. These technologies have been shown to help organizations to better detect, defend against, and deter advanced email attacks of all kinds — even those launched from hijacked accounts.

As you’ll see in the second part of this series, it’s clear that organizations could also benefit from automating their incident response processes, so they can remediate attacks and track down breaches as quickly as possible — especially given the financial losses, regulatory fines, and reputational damage that can stem from successful breaches.

To learn more about the threat from account takeover-based BEC scams, download a copy of the Q1 2019 Email Fraud & Identity Deception Trends Report.
Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.