Phishing Attacks are on the Rise in 2018

Each quarter, the Anti-Phishing Working Group (APWG) prepares a report to keep all sectors aware of current cybercrime threats. The APWG recently released its Phishing Activity Trends Report for Q1 2018 on July 31st, 2018. The report contains detailed data compiled from reported phishing campaigns. Phishing campaigns are emails sent to multiple users with a familiar subject line, so that the user trusts the email enough to open it, and a phishing website that uses safe and ethical phishing practices.

Following are key findings from the APWG Report:

  • Phishing Attacks are Escalating:

The number of unique phishing attacks reported to APWG during Q1 2018 was 263,538. Phishing attacks are up 46% from the 180,577 observed in Q4 2017. It was also significantly more than the 190,942 seen in Q3 2017. The number of unique phishing attacks reported to APWG during Q1 2018 was 262,704 compared to 233,613 in Q4 2017 and 296,208 in Q3 2017.


Image Source: APWG_trends_report_q1_2018.pdf

  • Attackers are Going Where the Money is:

The online payment sector was targeted by phishing attacks more than any other industry sector, accounting for 39.4% of all phishing attacks, followed by:

  • SaaS/webmail (18.7%)
  • Financial institution (14.2%)
  • Cloud Storage/File Hosting (11.3%)
  • Other sectors (16.4%)

By comparison, in Q4 2016 Retail/Service was the most targeted sector, with 41.85% of phishing attacks.

  • Use of Domain Names for Phishing:

RiskIQ analyzed what domain names were used by phishers and found that the domain names used generally matched the market shares among top-level domains and registrations. “Because cybercriminals focus on the cost-benefit analysis of their activities, they like to register their domains with the cheapest, most common registrars,” said Yonathan Klijnsma, Head Researcher at RiskIQ.

Image Source: APWG_trends_report_q1_2018.pdf

  • Malicious Use of HTTPS is on the Rise:

While end users are often taught to look for HTTPS as an indicator of a secure connection, the APWG report cautions that “phishers are fooling internet users by turning an internet security feature against them.” At the end of 2016, less than 5% of phishing sites were found on HTTPS infrastructure. By the second quarter of 2018, however, more than a third of phishing attacks were hosted on websites that had HTTPS and SSL certificates.

There are two primary reasons why phishers are increasingly hosting their malicious content this way:

Reason #1:

More HTTPS websites = More HTTPS phishing websites.

As more websites obtain SSL certificates, the number of potential HTTPS websites available for compromise increases. According to Let’s Encrypt, two-thirds of websites loaded by Firefox at the end of 2017 used HTTPS, compared to 45 percent at the end of 2016.

Reason #2:

Phishers are taking advantage of unclear security messaging.

A significant number of HTTPS phishing websites are hosted on domains that are registered by the phishers themselves.

According to the APWG Q1 2018 Report, there has been a notable rise in the number of phishing attacks. It’s a widespread problem, posing a considerable risk to individuals and organizations. Everyone should be aware as these types of attacks are not going to go away anytime soon.

Below are some simple practices to protect yourself from Phishing:

  1. Does the email look suspicious? Check the sender and content in your preview screen carefully.

Plenty of phishing emails are relatively easy to spot. They are written with plenty of typos, words in capitals and improper punctuation marks. They may also have impersonal greetings and sometimes surprising content.

  2. Double check the links in the email before you click on them:

Never click on a link in an email unless you are sure that it is authentic. If you have any doubts, open a new browser window and go to the actual site directly instead of clicking on the link.

  3. Never share your personal information.

Do not respond to any email that asks for your personal information, even if it’s from a trusted source, for example, a financial institution or a state or federal government agency, as they do not ask for your personal information via emails or phone calls.

  4. Test Your Employees’ Phishing Awareness.

Using the PhishPro Campaign, you can test your organization within a safe environment, to see how well they can detect phishing emails.

Read more about PhishPro Campaign on our “It’s Time To Test Your Employees’ Phishing Awareness” blog or contact us at sales@phishpro.com. Also, be sure to visit our website at www.phishpro.com.

 

Reference Links:

http://docs.apwg.org/reports/apwg_trends_report_q1_2018.pdf

https://www.helpnetsecurity.com/2018/08/03/phishing-activity-trends-report/

https://www.businesswire.com/news/home/20180801006022/en/APWG-Report-Cybercrime-Gangs-Ramp-Phishing-Attacks