Analyzing 2021’s Biggest Email Threats

It started with a phish; how did it end up like this? Inspired from the lyrics of the song Mr. Brightside by The Killers, we’ve seen first-hand how phishing threats can end up as million-dollar ransom demands, financial fraud, and other damages to organizations. Is there really a “brightside” to all of this?

The past twelve months have brought unique challenges as the global COVID pandemic forced organizations to adopt new business procedures rapidly. While it had always been business-critical, email became even more crucial.

On the other side, threat actors also focused on emails to launch a variety of attacks, most of which begin with phishing. Phishing can be a profitable business model for attackers. What looks like an innocent email from a long-standing vendor or IT department can lead to shutdowns, loss of data, and financial costs in the millions.

While there’s still uncertainty as we approach the post-COVID world, one thing is clear: inboxes aren’t clean. Threats ranging from nuisance spam to difficult-to-discover but costly business email compromise (BEC) continue to target organizations’ inboxes. We analyzed over 31 million threats discovered from May 1, 2020, to April 30, 2021, across various organizations and found several interesting patterns.

Key Findings

    1. Identity is the key. In phishing, the lowest hanging fruit is credential harvesting. Nearly 10% of malicious attacks involve credential harvesters.
    2. BECs are low volume, high return. Business Email Compromise (BEC) makes up a small percentage of attacks (1.3% based on our data) but represents the most severe financial damage. Had the BEC attacks we detected been successful, they would have resulted in more than $354 million in direct losses.

    1. It’s easy to deceive. 9% of attacks use identity deception such as spoofing, domain impersonation or display name impersonation.
    2. Threat actors “borrow” reputation and legitimacy from common brands. Brand impersonation is another favorite attacker tactic, as we detail in our yearly March Hackness blogs. Our research shows that the top 10 most impersonated brands make up over 56% of all impersonation-based phishing attacks.

  1. Self-reporting and security awareness training are not enough. More than 92% of user-reported phish are benign spam or bulk mail. When security teams chase the false positives, it uses up limited resources, leaving the organization open for critical, truly malicious attacks.

As part of the report, we broke down threat types by volume (see below) as well as highlighted six email attacks including credential harvesters, supply chain attacks, BEC, ransomware, brand impersonation and vishing.


We cannot stress enough the importance of stopping threats before they reach users.

To combat ever-evolving email security threats, many organizations turn toward security awareness training and user-reported phish. However, our research suggests that security awareness training is beneficial only from an educational perspective and is ineffective in stopping most threats. Attackers use highly sophisticated impersonation techniques that fool most employees. In the majority of account takeover attacks, the victim does not even know that they have been compromised.

User-submitted phish is often inaccurate. More than 92% of user-submitted “phish” were benign, spam, or bulk mail that created more work for security teams following-up on false positives. So, what can we do?

Here is our overview of recommendations:

  1. Lockdown your identity. Never reuse your passwords, and use multi-factor authentication (MFA).
  2. Establish protocols and procedures against financial fraud. Train users in proper procedures for financial transactions (e.g., using trusted out-of-band communications to verify changes to payment processes), and train them on what to do if they fall for the phish.
  3. Take a Zero Trust approach with all emails. Verify all email communications, and remove implicit trust. Choose a security system that can detect compromises and apply controls around compromised communications.
  4. Don’t believe what you see. Invest in advanced technologies like optical character recognition (OCR) parsing and natural language understanding (NLU) modeling.
  5. Focus on preemption. It’s easier (and less expensive) to prevent an attack than to deal with the aftermath. With a majority of attacks starting with a phishing email, use a preemptive email security solution. We recommend choosing a cloud-based, dynamically scalable solution that stops attacks before they reach your inboxes.

For more research findings, threat sample breakdowns and recommendations, Read the 2021 Email Threat Report.

About Area 1 Security

Area 1 Security is the only company that preemptively stops Business Email Compromise, malware, ransomware and targeted phishing attacks. By focusing on the earliest stages of an attack, Area 1 stops phish — the root cause of 95 percent of breaches — 24 days (on average) before they launch. Area 1 also offers the cybersecurity industry’s first and only performance-based pricing model, Pay-per-Phish.

Area 1 is trusted by Fortune 500 enterprises across financial services, healthcare, critical infrastructure and other industries, to preempt targeted phishing attacks, improve their cybersecurity posture, and change outcomes.

Area 1 is cloud-native, a Certified Microsoft Partner, and Google Cloud Technology Partner of the Year for Security. To learn more, visit, follow us on LinkedIn, or subscribe to the Phish of the Week newsletter.


Juliette Cash

Principal Threat Researcher at Area 1

Juliette Cash is a passionate information security professional with over 15 years experience in technical consulting, computer network operations, and cyber threat analysis and research. She has dedicated her career to tracking and defending against highly sophisticated threats to protect both the public and private sectors, including the United States Intelligence Community and the world’s top Fortune 500 companies. As Area 1’s Principal Threat Researcher, Juliette leads the charge in advanced hunting, technical analysis of intrusion activity, and the development of innovative detection techniques that defend against complex and evolving security threats.

Kevin Wilson Headshot

Kevin Wilson

Senior Product Manager at Area 1

Kevin Wilson is a Sr. Product Manager at Area 1 Security. Throughout his 14 years in Cyber Security, Kevin has been an Analyst and Engineer in various organizations such as the U.S Navy, First Data, and Lowe’s. Previously he served as the Global Information Security Officer at Guess? Inc as well as a Product Manager for McAfee.

How to replace your email gateway with Cloudflare Area 1

Leaders and practitioners responsible for email security are faced with a few truths every day. It’s likely true that their email is cloud-delivered and comes with some built-in protection that does an OK job of stopping spam and commodity malware.

Introducing email link isolation – Email gateway replacement playbook

This week was a big one for us at Cloudflare, one of our four innovation weeks which we hold annually, showcasing new developments, product news and reference architectures.

Superhero strategies for the Phish Fight

Today is National Superhero Day, and we would like to dedicate this day to you—the SOC teams and the security experts on the frontline of the phish fight.