Area 1 Security Research Analyzes 31M Phish, Finding $354M in Potential Losses

The 2021 Email Threat Report highlights key email threats and the high cost of business email compromise.

August 20, 2021

4 Min Read


SAN MATEO, Calif., Aug. 18, 2021 /PRNewswire/ -- Area 1 Security, the first and only preemptive cloud email security provider, published the results of "It Started Out With A Phish," a new study analyzing over 31 million threats across multiple organizations and industries, with new findings and warnings issued by technical experts that every organization should be aware of.

A key aspect to preventing attacks is having a deep understanding of cyber actor patterns and continuously monitoring and deconstructing campaigns to anticipate future ones. Phishing can be a profitable business model, and most breaches begin with a phishing email. What appears to be an innocent email from a trusted vendor or internal department can lead to firm-wide shutdowns, loss of crucial data, and millions in financial costs.

As detailed in the report, threats ranging from Ransomware, Credential Harvesters to difficult-to-discover but costly Business Email Compromise (BEC) targeted inboxes, could have resulted in over $354 million in direct losses had they been successful. Unfortunately, organizations that failed to take the proper protective measures to safeguard their organizations became all too familiar with the unfortunate and costly lessons these innocuous-looking phish presented, as supply chains and critical infrastructure came under attack within the US.

Key findings include:

  • Nearly 9 percent of attacks used identity deception tactics such as spoofing, domain impersonation and display name impersonation. Other top tactics included credential harvesters (9.33 percent), compromised links (8.96 percent) and attachments (3.31 percent);

  • Just 10 brands accounted for over 56% of all spoof- and impersonation-based phishing attacks, with the World Health Organization (WHO), Google and Microsoft positioned as the top three most impersonated;

  • In some cases, these spoofed emails hid BEC attacks, which represented the most significant financial damage despite low volume (1.3% of threats). On average, BEC requests sought $1.5 million—with the median being $260K;

  • Despite organizations' attempts to negate risks through end-user training, more than 92% of user-reported phish were entirely benign spam or bulk mail, flooding IT teams with thousands of false alarms.

While employees meant well with their reports, the real dangers often slipped undetected past outdated defense systems and looked legitimate enough to put even the most heightened guards at ease. For example, more than half a million threats were missed by email authentication (DMARC, SPF, DKIM) and legacy defense systems, which could have caused millions in disruptions and financial loss without interception.

"Cyber campaigns continue to be a tool for waging war against corporations, theft of intellectual property, and massive financial and data loss," said Patrick Sweeney, CEO at Area 1 Security. "Our research found that security awareness training is only beneficial from an educational perspective but not effective in stopping threats. Around 92% of user-reported phish are not malicious and actually benign, spam, or bulk mail, which often delays IT teams from discovering and stopping actual threats. The only solution is a preemptive, cloud-based, email security solution that prevents the phish from even hitting the inboxes."

Area 1 Security's recommendations for effectively defending against cloud email threats include:

  • Locking down identity: Secure accounts and identities by adding additional protection like multi-factor authentication (MFA). Never reuse passwords and always change default passwords.

  • Establish protocols and procedures against financial fraud: Establish and train on procedures to prevent financial loss in the case of BEC and financial fraud, such as requiring multiple approvers or "out-of-band" vendor verifications for transferring funds to new accounts. Also, train them on what to do in case they fall for the phish.

  • Take a zero-trust approach with email: It's imperative to verify all communication that happens within email. Remove implicit trust by assessing the validity of messages beyond the sender to reduce risk from compromised partners. Choose a security system that can detect compromises and apply controls around compromised communications to extend zero-trust to email.

To learn more, download the "It Started Out With A Phish" report here.

About Area 1 Security
Area 1 Security is the only company that preemptively stops Business Email Compromise, malware, ransomware and targeted phishing attacks. By focusing on the earliest stages of an attack, Area 1 stops phish — the root cause of 95 percent of breaches — 24 days (on average) before they launch. Area 1 also offers the cybersecurity industry's first and only performance-based pricing model, Pay-per-Phish.

Area 1 is trusted by Fortune 500 enterprises across financial services, healthcare, critical infrastructure and other industries, to preempt targeted phishing attacks, improve their cybersecurity posture, and change outcomes.

Area 1 is cloud-native, a Certified Microsoft Partner, and Google Cloud Technology Partner of the Year for Security. To learn more, visit, follow us on LinkedIn, or subscribe to the Phish of the Week newsletter for the latest industry news and insights on how to deal with phishing and email-borne threats.

Media Contact:
Christina D. Warner
[email protected]

Marissa Tatro
[email protected]

SOURCE Area 1 Security

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights