The 'Nigerian Prince scam' has been an Internet punchline for years. Turns out the scam is alive and well, albeit with a different twist.
The original grifters lured victims by posing as a down-on-his-luck prince who needed access to your bank account to safely transfer his riches. Nowadays, the same groups of cybercriminals, largely based in West Africa, have set their sights on large organizations using the same tactics: Emails that rely on meticulous social engineering, rather than malware, to get employees to fork over company cash.
This form of attack is one of the the hardest cybersecurity problems to stamp out, according to Patrick Peterson, CEO of Agari. Agari is one of numerous cloud-based cybersecurity vendors specializing in one niche in the market -- sophisticated email scams, in Agari's case.
"It's the same criminals, with the same MOs," said Peterson. "Nowadays, the awareness of mainstream scams has increased, and that's why the scammers are diversifying their attacks. It's a classic capitalist business cycle of innovation."
For now, the criminals are out-innovating the rest of us -- and even the world's biggest tech firms aren't immune. Earlier this year, for example, a Lithuanian man was convicted for bilking Facebook (FB - Get Report) and Alphabet (GOOGL - Get Report) out of more than $123 million by sending fake invoices to finance staffers who were cleared to pay vendors.
Employee-reported phishing attacks jumped 14% last quarter, with scammers making off with ever-larger sums according to Agari. Other security incidents, such as ransomware attacks, data breaches, or exploits like the one affecting Capital One customers last week, are also increasing in severity. The problem is getting worse -- and that's despite an explosion in demand for security services, as well as a sharp increase the number of vendors overall. There are more than 3,000 cybersecurity vendors today, according to the security advisory Momentum Cyber.
There are a couple of reasons for that, explained Cornelio Ash, analyst with the investment advisory William O'Neil + Company. One is that, as software in general shifts to the cloud, a sprawling new generation of cloud-native cybersecurity firms has emerged.
"There's a secular shift to cloud-based security protection, as opposed to on-premise," said Ash. "That's why you're seeing so many newer companies -- because they're not pivoting, they're starting from the cloud."
The current glut of cybersecurity services has arguably made life harder, not easier, for CTOs or security officers tasked with vetting and implementing them. And it certainly has done little to stamp out disastrous attacks and breaches, which cost billions in damage per year.
"Comparing the number of cybersecurity vendors to the number of attacks is like comparing the number of diets to the obesity rate," added Chris Hoose, president of IT consulting firm Choose Networks.
This paradox also underscores huge opportunities, and risks, for tech investors. Cybersecurity stocks have outpaced the market this year on the whole -- the cybersecurity ETF (CIBR - Get Report) , for example, is up 28% so far. At the same time, two of the biggest fish in the market -- Symantec (SYMC - Get Report) and CheckPoint (CHKP - Get Report) -- have notably underperformed, gaining just 12% and 7% respectively.
"The two largest security providers from a revenue standpoint are losing market share," added Ash. "Now, opportunities are being taken by a number of smaller companies; it remains to be seen if there will be a dominant player in the long term, but in the short term, they're doing very, very well."
Ash noted several cloud security firms that have shown strong momentum in recent quarters: the identity and access management firm Okta (OKTA - Get Report) (+109% this year), Zscaler (ZS - Get Report) (+109%), and Crowdstrike (CRWD) (+51% since its June 12 IPO), among others. If there's one shortcut to reading the tea leaves on cloud security stocks, it's looking at billings growth -- as is the case, more generally, with cloud software firms.
"If that's number is trending higher, you can expect forward revenue to follow suit," Ash added.
One potential pitfall for cybersecurity investors, though, is that in a hot and rapidly evolving market, things can change at the drop of a hat and that the rate of M&A is likely to remain very high. There were a record 183 cybersecurity M&A deals in 2018, and that type of activity isn't expected to slow down anytime soon. Even Symantec, an entrenched incumbent in the space, was itself an acquisition target by Broadcom (AVGO - Get Report) recently, though the deal ultimately fell through.
For Ash, that came as a surprising sign of the times.
"Nothing is off the table," he said.