The latest phishing activity trends report from the Anti-Phishing Working Group (APWG) shows a decline in the number of detected phishing sites after the 3-year high seen in Q3, 2019. Between October 2019 and December 2019, 162,155 phishing sites were detected, down from 266,387 in Q3. In Q4, 2019, the number of phishing site detections was closer to the mean level in 2019. An average of 333 brands were impersonated in phishing attacks each month in Q4, 2019.
Phishing site detections were down, but phishing attacks increased in Q4, 2019, rising 8.33% from 122,359 reported phishing attacks in Q3 to 132,553 attacks in Q4.
Data from APWG member OpSec Security shows SaaS and webmail sites were the most common targets for phishing. SaaS/Webmail accounted for 30.8% of attacks, followed by payment (19.8%) and financial institutions (19.4%). Credentials for webmail sites are stolen and used in business email compromise scams, and SaaS platforms are a popular target because their credentials can be used to gain access to large quantities of sensitive corporate data. OpSec Security’s figures show phishing attacks against social media targets increased in every quarter in 2019.
APWG member Agari tracks business email compromise scams, which involve the impersonation of a company employee or trusted party to trick employees into sending money. The attacks involve the use of compromised or fake email accounts, with email account compromises occurring as a result of responses to phishing emails. These attacks often make the headlines as they can see millions transferred to the accounts of scammers through fraudulent wire transfers; however, just 22% of attacks saw cybercriminals request direct transfers.
62% of scams saw attackers request payment in the form of gift cards. The amount the attackers get when requesting gift cards is much lower, but these scams have a greater chance of success. Google Play gift cards were most commonly requested, but there was an increase in requests for gift cards for eBay, Target, Best Buy, and Sephora in Q4.
In Q4, the average loss to a gift-card BEC scam was $1,627. The average loss to wire-transfer BEC scams was $55,395. The biggest reported loss in Q4 was $680,456.
PhishLabs tracks phishing sites used in attacks and reports that 94% of all phishing sites are now served over HTTPS, up from 68% in Q3, 2019 and 46% in Q4, 2018.