Phishing attacks doubled last year, according to Anti-Phishing Working Group
Historians will look back at the year 2020 as being not only the year that COVID-19 impacted life significantly, but also the year that phishing attacks doubled over the previous year. This is due to many factors, such as a large chunk of organizational employees working from home (many for the first time). The Anti-Phishing Working Group (APWG) has released a report highlighting the many facets of how phishing has impacted the world, including the fact that phishing attacks have doubled in 2020.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
Report findings
This article will recap findings from the 2020 fourth quarter edition of the APWG Phishing Activity Trends Report. This report analyzes phishing attacks and identity theft techniques that have been reported to the APWG. Below are the findings of this report, with a Phishing Activity trends summary to head it all off.
Phishing Activity Trends summary
- The number of phishing attacks that APWG observed doubled throughout 2020
- The cost of business email compromise scams is rising — the average wire transfer amount requested in these attacks increased from $48,000 to $75,000 from quarter three 2020 to quarter four 2020
- The category of financial institution, webmail and SaaS site was most frequently victimized in phishing attacks for quarter four of 2020
- Phishers are using different deception techniques to fool their targets. Examples include domain names to avoid detection, encryption designed to cause a false sense of security and spoofing trusted companies and business contacts with deceptive email addresses.
Some statistics
Among the data presented in this report are statistical highlights of three items tracked by APWG: unique phishing sites, unique phishing email subjects and the number of brands targeted by phishing campaigns. Presented below is this data for quarter four of 2020.
The number of unique phishing websites detected is more accurate than simply counting URLs because one single phishing website could be advertised as literally thousands of URLs. APWG revealed that this number has been increasing since March 2020. Unique phishing email subjects were tracked because multiple phishing campaigns can be using the same subject line but have URLs relating to different phishing campaigns. The number of brands was determined by normalizing the typically misspelled or otherwise “off” spellings of brand names.
Most targeted industry sectors
Below are the most targeted industry sectors by phishing attacks for quarter four of 2020.
- SaaS/webmail: 22.2%
- Financial institutions: 22.5%
- Payment: 15.2%
- Social media: 11.8%
- Other: 10.4%
- eCommerce/retail: 8.9%
- Logistics/shipping: 6.4%
- Telecom: 2.5%
The information from quarter four is interesting for a couple of reasons. Phishing that attacked SaaS/webmail victims dipped substantially from quarter three to quarter four, which equated to a dip from 31.4% to 22.2%. Yet it was still the most targeted industry. Surprisingly, during the 2020 U.S. presidential election cycle, the number of phishing attacks on the social media sector dipped. It should be noted that 2020 showed a shift from conventional phishing to more elaborate scams involving trademark and copyright such as fake marketplaces where victims are tricked into buying goods and end up losing the money they paid as well as possibly compromising their credentials and opening themselves up to more losses.
Business email compromise (BEC)
According to the report, the average amount requested in the course of a BEC attack increased from $48,000 in quarter three 2020 to $75,000 in quarter four, coming from a Russia-based BEC group called Cosmic Lynx as well as a new “pretext” BEC scam. The report also shed light on some other interesting developments regarding BEC. There was an increase in the amount of BEC attacks that requested direct bank transfers going from 14% in quarter three to 22% in quarter four. Payroll diversion requests also increased from quarter three to quarter four, 6% to 13% respectively.
Phishers fooling victims with encryption
Encryption can provide a false sense of security for users and phishers have been taking advantage of this fact. Gone are the days when simply using the HTTPS encryption protocol means that a URL is legitimate. Taking a look at the numbers shows just how popular the use of encryption has become for phishers — presented below is a progressive list of some recent quarters:
- Quarter one 2017: 10%
- Quarter four 2017: 31%
- Quarter three 2018: 50%
- Quarter 1 2019: 58%
- Quarter four 2019: 74%
- Quarter three 2020: 80%
- Quarter four 2020: 84%
It should be noted that in quarter four 2020, the number of phishing sites using domain valid (DV) certificates was a whopping 89%. The days of using a DV certificate as a benchmark for website legitimacy are gone. This means users will have to dig deeper into their phishing training and security awareness training to keep up with phishing attacks going forward.
Use of domain names in phishing quarter four of 2020
The report analyzed three types of top-level domains or TLDs — legacy generic TLDs, new generic top-level domains (nTLDs) and country-code top-level domains (ccTLDs). Below are the percentages of these different TLDs used in phishing attacks at the beginning of quarter four of 2020:
- Legacy TLDs: 48%
- nTLDs: 8%
- ccTLDs: 43%
Towards the end of quarter four of 2020, APWG analyzed a sample set of 2,575 domains. Of the sample set, the percentages were:
- Legacy TLDs: 78%
- nTLDs: 7%
- ccTLDs: 15%
These numbers show not only that legacy TLDs are king for phishers but that the numbers can swing quite a bit within respective quarters.
See Infosec IQ in action
APWG’s Phishing Activity Trends points to more phishing
The APWG Phishing Activity Trends Report for quarter four of 2020 is an insightful look into not only where phishing was going on but also provides a troubling look at where phishing is going in the future. If the trend continues, phishing will keep growing at a steady pace and phishers are continually taking advantage of the trust of victims by using indicators that users used to rely upon, such as encryption and DV certificates, to determine if a URL was legitimate. Phishing training will have to work overtime to keep users better informed in the face of the growing problem of phishing.
Sources:
The APWG Phishing Activity Trends Report Q4 2020, APWG
WG REPORT: Phishing Attacks Double in 2020 and October Shatters All-Time Monthly Records. Yahoo Finance
In this Series
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
