The 2019 Phishing Trends and Intelligence Report from PhishLabs shows there was a 40.9% increase in phishing attacks in 2018. Attacks increased steadily during Q1 and continued at a high level in Q2 and Q3, with a decline in attacks in Q4.
The analysis of attacks shows the tactics used by cybercriminals are constantly changing. New types of attacks that exploited changes in the digital landscape were detected in 2018. Targets also shifted in 2018. In 2017, email and online services were the most targeted sector, but in 2018 financial institutions took the top spot with 28.9% of attacks. Email/online services accounted for almost a quarter of attacks (24.1%), followed by cloud and file storage (12.6%), payment services (11.1%) and Software-as-a-Service (7.2%).
The United States accounted for 84% of all phishing attacks, followed by Canada with 4% of attacks, and China and France, each with 2%. There was a 1% decrease in attacks on companies in the United States, although there was no decrease in the volume of attacks since more attacks were conducted in 2018.
Phishing volume grew by 905% in Turkey, 170% in Canada, 93% in New Zealand and Mexico, and 43% in the United States.
Phishing attacks are conducted by a diverse range of cybercriminals. Individuals new to cybercrime tend to conduct attacks to obtain credentials and to distribute ransomware, whereas organized gangs concentrate on financial fraud and look for large paydays. Millions of dollars are stolen by organized gangs who use phishing to gain access to bank accounts and convince company employees to make fraudulent wire transfers.
83.9% of phishing attacks sought credentials for financial accounts, cloud accounts, payment and SaaS services. Phishing emails are also used to spread malware and ransomware, although 98% of all phishing emails that were delivered to inboxes did not contain any malware. That suggests that anti-phishing solutions are good at detecting malware but not nearly so good at detecting email scams and phishing messages that attempt to obtain credentials.
Usage of free SSL certificates grew by 50% in 2018. The certificates make emails appear to have been sent from a trusted source. The use of free website infrastructure also grew substantially in 2018 – up 200% from 2017. The use of free services, such as free subdomains on websites, makes it much cheaper for cybercriminals to conduct attacks as they do not need to pay for hosting or buy domains. There was also an increase in the use of phishing kits, which make it much easier to start phishing campaigns, even if individuals have little knowledge of how to conduct attacks.
Data from simulated phishing emails sent through the PhishLabs phishing simulation platform show that emails related to HR and pay-related matters are the most effective and attracted the most clicks – on average the failure rate was 31% for these types of emails. E-commerce emails had a failure rate of 27%, followed by seasonal emails with a failure rate of 18%.
PhishLabs warned that defending against email-based attacks is no longer sufficient. Anti-phishing protections must also cover websites, SMS messages, mobile apps, social media sites and other digital channels.