Survey Confirms Increase in Phishing and Email Impersonation Attacks

The COVID-19 pandemic has seen an increase in email impersonation attacks on businesses, according to the latest State of Email Security report from Mimecast. In the first 100 days of 2020, email impersonation attacks increased by 30%.

The report was based on a survey conducted on behalf of Mimecast by Vanson Bourne on 1,025 IT decision makers in the U.S., UK, Germany, Netherlands, Australia, South Africa, United Arab Emirates (UAE), and Saudi Arabia between February and March 2020, while businesses were battling the COVID-19 pandemic. Mimecast also analyzed more than 1 billion emails screened by the company’s email security solutions.

60% of respondents to the survey reported an increase in email impersonation attacks such as business email compromise (BEC) over the past 12 months. There were an average of 9 email or web spoofing incidents detected by respondents in the past year, although there may be many others that they did not identify.

DMARC is important for protecting against email impersonation attacks and preventing brand damage. While 97% of respondents were aware of DMARC, worryingly, only 27% of respondents said they use it.

Ransomware continues to be a problem for businesses. 51% of respondents said ransomware had impacted their business in the past 12 months, with the attacks causing an average of 3 days of downtime.

58% of respondents said there had been an increase in phishing attacks over the past 12 months. 72% of respondents said the level of phishing had stayed the same or had increased, compared to 69% when the survey was last conducted in 2019.

IT decision makers do not hold out much hope that the situation will improve. 85% of respondents said they thought email and web-based spoofing attacks will either continue at the same level or increase over the next 12 months. There is also not a great deal of confidence about repelling these attacks. 60% said it is either inevitable or likely that they will experience an email-related data breach.

The relatively bleak outlook may have been influenced by the changes that have had to be made to working practices as a result of the pandemic. Transitioning from a largely office-based workforce to one that is almost entirely home based has introduced new risks and has made it harder for IT security teams to repel attacks.

Even though there is a high risk of experiencing an attack, there is still a lack of cyber resilience preparedness, and the value of regular security awareness training for the workforce does not appear to be appreciated. Despite the risk of phishing, spear phishing, and other email-based attacks, 55% of respondents said they do not provide security awareness training to the workforce on a regular basis and 17% said they only provide security awareness training once a year.

The attacks are proving costly to businesses. 31% of respondents said they experienced data loss and business interruption as a result of an email attack, and 29% said they experienced downtime as a result of a lack of preparedness.

The report also shows that email security defenses are lacking at many businesses. 40% do not have a system for monitoring and protecting against email-based attacks or data leaks in internal emails, 39% do not monitor or protect against email-based malware, and 42% do not have a system that automatically removes malicious or unwanted emails from employee’s inboxes.

The survey revealed businesses are aware of the importance of having a cyber resilience strategy. In 2019, 75% of respondents said they either had or were rolling out such a strategy. The percentage increased to 77% this year. Considering the number of respondents that have experienced data loss, downtime, and drops in productivity due to email attacks, those strategies cannot be implemented too soon.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.