Phishing Attacks at Highest Level Since 2016
According to the Q3, 2019 Phishing Activity Trends Report from the Anti-Phishing Working Group, phishing attacks are now occurring at a rate not seen since 2016.
266,387 unique phishing sites were detected in Q3, 2019, an increase of 46% from Q2, 2019. Almost twice as many phishing sites were detected in Q3, 2019 as in the last quarter of 2018.
APWG received data on 277,693 unique phishing campaigns from its members. That is the highest number of detected phishing campaigns since Q4, 2016. APWG also collates information from phishing attacks reported by consumers and the general public. 122,359 unique reports were received from the public in Q3, 2019, up 9.09% from Q2.
The phishing campaigns detected in Q3, 2019 impersonated more than 400 different companies, up from 313 in Q2, 2019. The types of company most commonly impersonated in the attacks are webmail and software-as-a-service providers. The main aim of the attacks on these firms is to obtain credentials that can be used to gain access to corporate email and SaaS accounts. The targets of attacks are largely unchanged from previous quarters.
Many attacks are focused on obtaining Office 365 credentials. Stolen Office 365 credentials are extremely valuable to Business Email Compromise (BEC) scammers. Once access is gained to a corporate email account, it is used to send further phishing emails to other individuals in the breached organization. The aim of many attacks is to gain access to the CEO’s email account or the account of another executive. Those accounts are then used to send emails to individuals with access to corporate bank accounts to request wire transfers and payroll changes.
While CEO fraud is still common, there has been a shift in tactics, and vendors and suppliers are now being targeted much more often. The potential returns from a CEO fraud scam are higher, but attacks on vendors and suppliers can be more lucrative, because one vendor or supplier account compromise allows the attacker to target all of that company's customers.
The attackers often spend a considerable amount of time gathering information on potential targets before the BEC attacks commence. During the research phase, rules are often set up to forward all emails sent to and from the compromised email accounts to the attackers. The attackers learn about potential targets, typical invoice amounts, and normal payment dates to maximize the chance of success. Following an email account compromise, it can be several weeks or months before the account is used for BEC attacks.
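The forwarding rules described above leave a trace in mailbox audit logs. The following Python is an added example, not part of the APWG report or this article: it scans audit records for rule or mailbox changes that forward mail outside the organization. The record layout is a simplified assumption modelled on Office 365 audit entries, and the sample records, addresses and domains are constructed.

```python
import json

# Exchange operations and parameters that can make a mailbox forward its mail.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress"}

# Constructed sample records (one JSON object per line); the layout is assumed.
SAMPLE_LOG = """\
{"CreationTime": "2019-09-03T08:14:02", "Operation": "New-InboxRule", "UserId": "ap.clerk@example.com", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@mailbox.invalid"}]}
{"CreationTime": "2019-09-03T09:30:11", "Operation": "Set-InboxRule", "UserId": "cfo@example.com", "Parameters": [{"Name": "ForwardTo", "Value": "assistant@example.com"}]}
{"CreationTime": "2019-09-04T22:47:55", "Operation": "Set-Mailbox", "UserId": "payroll@example.com", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@mailbox.invalid"}]}
{"CreationTime": "2019-09-05T07:01:40", "Operation": "UserLoggedIn", "UserId": "ap.clerk@example.com", "Parameters": []}
truncated line that is not JSON
"""

def external_targets(value, internal_domains):
    """Return the addresses in a parameter value whose domain is not internal."""
    targets = []
    for part in value.split(";"):
        addr = part.strip().lower()
        if addr.startswith("smtp:"):
            addr = addr[5:]
        if "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains:
            targets.append(addr)
    return targets

def find_external_forwarding(log_text, internal_domains):
    """Return (time, mailbox owner, operation, target) for each external forward."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the sweep
        if not isinstance(rec, dict) or rec.get("Operation") not in RULE_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") in FORWARD_PARAMS:
                for addr in external_targets(param.get("Value", ""), internal_domains):
                    findings.append((rec.get("CreationTime"), rec.get("UserId"),
                                     rec["Operation"], addr))
    return findings

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_LOG, {"example.com"}):
        print(*finding)
```

Pass the organization's own mail domains in lowercase as `internal_domains`; any hit is a prompt to review the mailbox, since some external forwards are legitimate.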
Another growing trend is a shift from wire transfer requests to gift card scams. Wire transfer requests in Q3, 2019 ranged from $2,530 to $850,790. The average payment was $52,325 and the median payment was $24,958. The average gift card scam was for $1,571, with scams requesting between $200 and $8,000.
The returns from gift card scams may be lower, but gift cards are much easier for the scammers to cash out and offer greater anonymity. By contrast, fraudulent bank transfers are often questioned, payments can be reversed, and money mules are required. In Q3, 2019, 56% of all BEC attacks involved gift cards, 25% involved payroll diversion, and 19% involved direct bank transfers.
In Q3, SaaS and webmail accounted for 33% of attacks, followed by the payment industry (e.g., PayPal) with 21% of attacks, and financial institutions (19%). Attacks on cloud storage and file hosting sites were far less popular.
An increasing number of companies have switched from HTTP to HTTPS, and consumers are now much more likely to check that a website address starts with HTTPS before disclosing any sensitive information such as login credentials. Cybercriminals have had to follow suit. In Q3, 68% of phishing sites were hosted on HTTPS, up from 54% in Q2, 2019, so the presence of HTTPS alone does not show that a site is legitimate.