Survey Reveals Upsurge in Phishing and Email Impersonation Attacks

The latest Mimecast State of Email Security report states that there has been a surge in email impersonation attacks on companies during the COVID-19 pandemic. In the first 100 days of 2020, email impersonation attacks increased by 30%.

Vanson Bourne conducted the survey on behalf of Mimecast, polling 1,025 IT decision-makers in the UK, U.S., Germany, Australia, Netherlands, South Africa, Saudi Arabia and the United Arab Emirates (UAE) from February to March 2020. The survey was performed while firms were fighting the COVID-19 pandemic. Mimecast analyzed over 1 billion emails processed by the firm’s email security solutions.

60% of survey respondents reported a rise in email impersonation attacks such as business email compromise (BEC) in the last 12 months. Respondents detected an average of 9 email or web spoofing cases last year, though some others were not identified.

DMARC is vital for defending against email impersonation attacks and avoiding brand damage. Although 97% of respondents knew about DMARC, only 27% said they implement it.

Ransomware is still a concern among businesses. 51% of survey respondents reported that ransomware affected their business last year, and the attacks caused 3 days of downtime on average.

58% of surveyed participants noted an increase in phishing attacks in the last year. This year, 72% of participants reported that phishing attacks had increased or stayed at the same level, compared to 69% of participants in the 2019 survey.

IT decision-makers doubt that the situation will get better. 85% of participants said they think that email and internet-based spoofing attacks will continue at a similar level or increase over the next 12 months. There is also little confidence about repelling the attacks. 60% said that an email-related data breach is either inescapable or very likely.

The pessimistic outlook is influenced by the change in working practices due to the pandemic. Shifting from a predominantly office-based workforce to one that’s nearly completely home-based has presented new problems and made it more difficult for IT security teams to keep out attacks.

Despite the high risk of an attack, cyber resilience readiness is still insufficient, and employee security awareness training doesn’t seem to be highly valued. In spite of the threat of phishing and other email-based attacks, as many as 55% of respondents reported that security awareness training was not provided to employees regularly, and 17% said that security awareness training was offered only once a year.

Businesses pay a high cost because of the attacks. 31% of study participants said they suffered data loss and business disruption because of an email attack, and 29% reported downtime because they were not prepared.

The report additionally indicates that many businesses lack email security protection.

  • 40% have no system for tracking and safeguarding against email-based attacks or information leakage in internal mail systems
  • 39% don’t have monitoring or protection against email-based malware
  • 42% have no system that instantly eliminates malicious or unwanted email messages from employees’ inboxes

The survey showed that businesses know the value of having a cyber resilience strategy. In 2019, 75% of survey respondents stated that they had or were preparing a strategy. This year, the percentage is higher at 77%. Judging by the number of survey respondents that have encountered a loss of data, downtime, and a decline in performance because of email attacks, implementation of the strategies cannot be expected soon.