High-risk email security threats increased by 32% last year

Mail on a fishing hook

High-risk email threats climbed by 32% compared to 2019, according to Trend Micro’s 2020 Cloud App Security Report.

The report found that detections of malware, credential theft, and phishing emails all recorded double-digit year-on-year increases in 2020, while business email compromise volumes dropped slightly.

The report gathered data from over 16.7 million high-risk email threats that Trend Micro’s Cloud App Security detected and blocked. The company said this was a 32% increase from the previous year. The report highlighted one example of an organization of 10,000 users where its system detected 755,000 high-risk email threats, which came out to 75 high-risk emails per user after scanning by the native Microsoft 365 security.

Trend Micro also thwarted 10,000 malware files and over 4,300 BEC attempts for the same organization in 2020.

Trend Micro detected over 6.9 million phishing emails in 2020, a 19% increase from the previous year. Outside of credential phishing, the number of threats in this category increased 41% over the period. COVID-19 was a common enticement, as were well-known brands, such as Netflix, that have become increasingly popular during the pandemic. Attackers were typically looking for personal and financial information to monetize, according to the report.

Concerning credential phishing, Trend Micros detected nearly 5.5 million attempts to steal users’ credentials that existing cloud-native security filters allowed through. This was a 14% increase compared to 2019 and accounted for the vast majority of detected phishing emails.

The report said hackers were increasingly complementing these with phone-based vishing attacks, which is when hackers call users via VoIP to trick them into logging into fake phishing sites to harvest their usernames and passwords. The hackers then use these credentials to look for administrator accounts within the network and cause substantial financial problems for the organization.

The FBI warned the public to be wary of such attacks, as the shift to remote work might have made organizations more vulnerable to vishing attacks, according to the report.


The State of Email Security 2020

Email security insights at your email perimeter, inside your organisation, and beyond


One bright spot in the report was the 18% year-on-year decline in business email compromise (BEC) detections. However, average losses continue to rise — increasing 48% from the first to the second quarter of 2020. From $54,000 (the average cost of a fraudulent wire transfer in the first quarter of 2020), the amount has jumped to US$80,183 in the second quarter of the year, the report said.

Bharat Mistry, Technical Director UK at Trend Micro, told ITPro it should come as no surprise that email remains the number one threat vector for all organizations, no matter the size or vertical.

"In 2020 we intercepted over 16 million high-risk emails containing malicious payloads that had been missed by native messaging providers. The problem is growing exponentially yet organizations still struggle to get a handle on it," Mistry said.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.