The new State of Email Security Threat Report from Armorblox offers security leaders a deeper understanding of the emerging threats, threat trends that happen over email and highlights some of the significant changes in the threat landscape in the past year. 

The Report also provides a common reference point for defining commonly misused terms around the nature of these attacks and so the industry has a framework for classifying these emerging threats.

Key Insights

  • Language based attacks have become the new normal for business email compromise (BEC). 3 out of 4 (74%) business email compromise attacks used language as the main attack vector.
  • Email-based financial fraud has become very sophisticated. 2 out of 5 (44%) financial fraud attempts happen as wire fraud, invoice fraud, or vendor fraud.
  • Attackers have realised that so many critical business workflows happen over emails, and this has become the primary attack mechanism for credential phishing. 9 out of 10 (87%) credential phishing attacks looked like legitimate common business workflows in order to trick end users to engage with the email.
  • Security teams spend a lot of time configuring rules and exceptions in their native email security solutions to block impersonation emails — both for executives and other employees.
  • Despite all that manual work and rule writing, 3.5 out of 5 (70%) impersonation emails slipped past native email security controls.
  • The rise of SaaS solutions driving business workflows has also created a big surge in brand impersonation of companies in this space. Dropbox, Microsoft, and DocuSign were among the most impersonated brands in 2021.

State of Email Security Threats

During the time that that report was compiled, the latest IC3 report from the FBI was released. Based on reported complaints between June 2016 and December 2021, domestic and international exposed dollar losses due to business email compromise stands at $43.3 billion. Also, the volume of disclosed losses has exponentially increased year after year during this time as well.

This also echoes the challenges that we hear from security teams – that despite increasing security budgets every year, email-based attacks remain the top attack vector within organisations.  We are witnessing a significant shift in the market landscape as well.

The top two legacy email security vendors were both taken private by private equity firms in 2021, representing $1.5 billion in revenue. Several other legacy vendors were acquired and taken out of the market by larger players as well.

These trends also indicate that legacy approaches are not working and too many attacks are slipping through. Why is this? What has changed in how attackers target organisations? Armorblox highlight some of the significant trends:

  • Attackers are moving away from tried and tested approaches from prior decades of using malicious links or attachments in broad based attack campaigns, to targeted attacks where the language in the email is used to compromise a user’s trust. This could manifest itself as fake wire transfer instructions, direct deposit change requests, password reset emails, or other common business workflows that happen over email.
  • Whack-a-mole approaches of manual rule writing to block these newer attack types have remained unsuccessful and have caused repetitive, redundant, manual work for security teams.
  • SOC teams have to comb through large volumes of potential phishing emails that users have reported to see which are legitimate emails and which need to be immediately deleted and removed from user mailboxes.

Moreover, as more security infrastructure moves into the cloud, security teams have become more loath to manually configure and maintain DNS and MX record rules to route emails through inline secure email gateways.

Business Email Compromise

Business Email Compromise (BEC) attacks are notoriously difficult to prevent. Attackers rely on social engineering techniques to persuade people into acting on the attacker’s behalf. As a result, traditional email security solutions that analyse email headers, links, and metadata often miss these attacks.

Armorblox’ research suggests that the number of BEC attacks targeting organisations increased by 74% in 2021. These BEC attacks target organisations across sectors and use language, malicious links, and common business workflows as the proxy to compromise employees and steal money, credentials, or sensitive data.

Researching the most prevalent strategies for BEC attacks identifies the following trends

  • 74% of BEC attacks were language-based
  • 15% of BEC attacks had a malicious payload
  • 4% of BEC attacks related to common business workflows
  • 7% of BEC attacks were unwanted solicitation or graymail

One of the challenges in how BEC is used in the industry is that it represents a broad swathe of attack types. In addition to the socially engineered emails that pose an immediate threat, graymail is emerging as a category that can lead to malicious attacks.

Financial Fraud

Email-based financial fraud attacks attempt to steal money from targeted organisations. The most common categories identified were payment fraud, vendor fraud, and payroll fraud.

  • Payment fraud attacks are email attacks that contain requests for inflated, duplicate, or fake invoices or fake wire transfer requests.
  • Payroll fraud attacks happen when attackers email an organization’s payroll, finance, or human resources department, impersonating a legitimate employee with a request to update direct deposit information for their paychecks.
  • Vendor fraud attacks are the result of compromised third-party accounts, utilising the trusted reputation of the vendor or end clients. These can also happen through vendor domain impersonation plus social engineering tactics in an effort to steal money and sensitive data.

There has been a 73% increase in financial fraud email threats year-over-year from 2021 to 2022.

Financial Fraud Attack Types in 2021

  • Payroll fraud 44%
  • Payment fraud (internal and external) 31%
  • Vendor Fraud 25%

Organisations that communicate with vendors or third-party contacts can find themselves the target of financial fraud through compromised emails with trusted third party senders.

These compromised communications are the result of impersonated vendor domains and emails. The vendor fraud attacks that equate to 25% of financial fraud attacks include the following three attack vectors: vendor domain spoofing, vendor account compromise, and vendor impersonation.

Of the total number of financial fraud attacks seen over 2021, the financial industry was the target of 46% of these attacks. Compared to education and healthcare industries, we see the following breakdown for percent of financial fraud attacks targeting all three industries:

  • Financial 46%
  • Education 34%
  • Healthcare 20%

These verticals also face unique email security challenges – they conduct business with large sets of vendors, facilitate email workflows that deal with money, and store large volumes of customer data.

Phishing Attacks

Phishing is another broad category that combines several common types of attacks. Spear phishing refers to targeted attacks aimed at specific individuals, especially executives.Then there are the non-email phishing attacks – “vishing” that focuses on voicemail messages, “smishing” that tracks SMS based attacks, and even “quishing” that tracks the emerging category of QR code based attacks.

The phishing simulation and awareness industry focuses predominantly on training users to identify these kinds of attacks. Users get sent surprise phishing emails as part of a simulated phishing campaign and those unsuspecting users that click on the fake link get sent to take hours of training videos to get better.

Studies show that despite five consecutive training sessions, 1 out of 7 users still click on the bad link. 

As organisations work to protect their employees against common types of phishing scams, cybercriminals seem to stay one step ahead by adapting their tactics.

Phishing attacks (including smishing and vishing) increased 63% year-over-year from 2021 to 2022. These sophisticated attacks mimic common business workflows, targeting and taking advantage of unsuspecting employees through social engineered payloads.

Most Common Business Workflows Used In  Phishing Attacks In 2021

  • 87% related to common business workflows
  • 7% mimic password reset emails
  • 6% notifications & alerts from applications

Criminals target unsuspecting users with emails that include malicious URLs but look like legitimate common workflows. These phishing email attacks pry on the victims’ longing to participate in email workflows that they have commonly seen before without taking a step back to question authenticity.

Rise in Remote Work-Related Threats

As organisations have shifted the way they work in the midst of the pandemic, cyber criminals have followed suit. With more reliance on email communication while working remotely, several new attack surfaces have opened up for cyber criminals to exploit.

  • Socially engineered, targeted attacks have advanced, presenting a higher likelihood of getting past native security layers that still rely on manually configured rules and exception lists.
  • Stopping targeted attacks requires custom models that understand good and bad patterns of communications in each organization using the content and context inside of email communications.

Most Commonly Spoofed Workflows

With the increase of remote work, attackers are dialing into the patterns of communication and common business-related email workflows employees engage in daily due to remote work, in order to craft targeted emails attacks.

Users Forget How Much Routine Daily Work Is Done By Email.

View Document – These are emails that send us notifications asking us to review a document that someone has shared with us.

Email Notifications – These are notifications from the email provider about the status of our mailbox. Examples – Email has been quarantined, mailbox is full.

Application Notifications – Examples are shipment notifications from Amazon, UPS, USPS. Or account alerts from Amex or other providers.

Password Reset – These are notifications from services that we use that ask us to reset or update our passwords.

Voicemail Notifications – These alert us to go listen to a voicemail or that our inbox is full.

We looked at threats detected between April and November 2021 to identify the most commonly spoofed email-based workflows. Here is what we found.

Business Workflow Based Attacks in 2021

Email-based business workflows are at the heart of how organizations operate today. A lot of the context around determining whether an email is legitimate or not does not reside solely in the headers and metadata any more.

To effectively protect against targeted email attacks, the following characteristics are necessary in any effective email security solution:

  • Ability to look at historical data and identify good and bad patterns of communications.
  • Breadth of models to be able to track threats not just based on user identities and behavioral patterns, but also the language in emails to understand the content and the context of the communications.
  • Customisable models that can be trained to detect attacks in a particular organisation, specifically based on communication patterns in that organization, as opposed to a horizontal approach that tries the same sets of rules and exceptions across all customers.

The Armorblox Natural Language Understanding Platform  protects over 58,000 organisations against targeted email attacks and sensitive data loss. For more information, visit

Source: Cyber Security Intelligence