Employee-Reported Phishing Attacks Climb 65%, Clobbering SOC Teams

4 min readAug 26, 2020

This article originally appeared on the Agari Email Security blog.

By Crane Hassold

Scams related to COVID-19 helped fuel a 65% increase in employee-reported phishing attacks during the first half of 2020, according to our mid-year Phishing Incident Response Survey of SOC professionals at 13 large organizations spanning a cross-section of industries.

Even before the outbreak, phishing was implicated in nearly 7 in 10 corporate data breaches, prompting many organizations to arm employees with the ability to forward suspect emails to SOC teams at the push of a button.

But the survey, part of our H2 2020 Email Fraud & Identity Deception Trends Report, finds that employee-related phishing incidents at participating organizations topped 4,521 during the first half of the year — far more than their SOC teams could possibly handle.

What’s worse, 67% were false positives, a 7% increase in just six months. As a result, analysts were forced to waste valuable time while legitimate email threats, and any potential data breaches resulting from them, went undetected.

It isn’t all bad news, however. According to respondents, organizations employing automated response technologies found they were able to neutralize the much larger number of phishing emails that went unreported, while accelerating time-to-containment.

From the looks of things, we’d all better hope these organizations are onto something.

Outbreak: Phish Most Foul

Phishing attacks, business email compromise (BEC) scams, and other advanced email threats have accounted for more than $8.6 billion in annual business losses since 2016 — more than $26 billion in total. Then came 2020. Data captured in our report shows a 3,000% increase in email attacks from early-March through mid-June. And the FBI reports it has already received more complaints about phishing and other online scams than all of 2019.

It’s easy to see why. The upheaval sparked by the pandemic, and the emotional levers it made available to cyber-swindlers, were a social engineer’s dream come true. Take for instance, malicious emails with the subject line, “HR: Company Policy Notification: COVID-19,” a particularly contemptible lure that ranked among the top 10 used in phishing attacks over the last three months, according to TechRepublic.

It doesn’t help that a recent study shows that one-third of all employees will click on a malicious link or obey a fraudulent email request in phishing simulations. The fact that so many of the rest of their emails seem to be false positives sent to the SOC team isn’t exactly helpful, either.

That’s because every minute spent investigating harmless email messages means credentials-harvesting phishing attacks continue to lurk in employee inboxes, increasing the likelihood of a data breach.

According to Verizon’s 2020 Data Breach Investigations Report, 25% of all breaches go undetected for at least a month or more. And Ponemon Institute estimated the costs associated with a breach now average $8.2 million per incident for US-based companies.

Automated Phishing Response to the Rescue?

According to the companies included in our mid-year survey, automation is critical to preventing these kinds of incursions from ever happening, and dramatically reducing detection and containment times for those that do.

This is in part because on average, automated processes enable these organizations to uncover 90X more malicious emails than through manual employee reporting alone.

In fact, out of 4,285 verified phishing emails reported during the first half of 2020, organizations with automated phishing response processes identified 643,692 additional email threats that were either similar or directly related to those reported by employees — a 100% increase in just six months. According to survey respondents, this has translated into direct savings and increased efficiencies while avoiding breach costs.

Meanwhile, organizations employing continuous detection and response (CDR) technologies enhanced by shared threat intelligence identified an additional 5,553 malicious messages beyond those detected through automated phishing response alone.

For those unfamiliar with them, CDR technologies identify latent threats that have evaded initial detection by using dormant payloads, new impersonation techniques, or “time-bombed” URLs that redirect post-delivery. By using the latest information from newly detected threats and then analyzing company-wide email metadata, CDR forensically recognizes and removes latent threats from all employee inboxes automatically.

Conquering a Countdown to Disaster

For organizations in our survey, this isn’t just about ferreting out more phishing emails to avoid breaches and phishing schemes. It’s also about doing it faster.

According to respondents, malicious phish reported by end users are remediated within 36 minutes with the aid of automation to help prioritize threats according to the potential damage they pose to the organization as well as impact analysis to identify all affected employee inboxes.

This kind of velocity matters, a lot. According to research from Aberdeen, there’s a 30% chance of a first-user click on a malicious email within 60 seconds of delivery, with a median time-to-first click of just 134 seconds.

If our mid-year phishing response survey results are any indication, automation is key to beating the clock for advanced email attacks — especially when the social engineering tactics used in phishing attacks continue to grow more devious — and more effective by the day.

To learn more, download a complimentary copy of the H2 2020 Email Fraud and Identity Trends Report from the Agari Cyber-Intelligence Division (ACID).




Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.