Phishing trends: Who is targeted and why

The business model of phishing has evolved. Phishers have found ways to multiply their profits at the expense of organizations they are not even attacking directly, according to PhishLabs.

[Figure: Phishing targets by country]

Based on attack volume, cloud storage nearly surpassed financial institutions as the most phished industry in 2016. If current trends continue, attacks targeting cloud storage providers will outpace all others in 2017. This is a sharp break from historical trends, and it reflects an expansion of how phishers monetize stolen credentials. The shift affects not only the organizations phished directly, but also any organization that relies on email addresses and passwords to authenticate its users.

While the volume of attacks targeting financial institutions continues to grow, the volume of attacks targeting sites with massive user bases, such as cloud storage providers, has exploded. Phishers are targeting these sites in order to mass harvest email address/password pairs.

[Figure: Phishing attacks by month (2016)]

Because so many sites use email addresses instead of unique usernames, and because passwords are so frequently reused, a high percentage of these stolen credentials also grant access to accounts other than the one directly phished, multiplying the yield of a single attack. It also means that organizations using email addresses as usernames can reasonably assume that a significant portion of their users' credentials have already been compromised by phishing attacks that never targeted them.
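The practical consequence of that reasoning is that a site using email addresses as usernames should screen its own user store against credential pairs phished from third parties. The following is an added example, not code from the article or from PhishLabs; it assumes a hypothetical user store of salted PBKDF2-HMAC-SHA256 hashes and a constructed set of phished email/password pairs, and reports which of the site's own users the third-party phish has exposed. Phished passwords are only ever re-hashed with the site's own per-user salt and compared in constant time; they are never stored.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Tuple

# Assumption: the site stores PBKDF2-HMAC-SHA256 hashes with a random
# 16-byte salt per user. Iteration count is illustrative.
PBKDF2_ITERATIONS = 100_000

UserStore = Dict[str, Tuple[bytes, bytes]]  # email -> (salt, digest)


def normalize_email(email: str) -> str:
    """Phish kits and login forms disagree on case/whitespace; normalize before lookup."""
    return email.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_user_store(users: Iterable[Tuple[str, str]]) -> UserStore:
    """Build a salted-hash user store from (email, password) pairs (constructed test data)."""
    store: UserStore = {}
    for email, password in users:
        salt = os.urandom(16)
        store[normalize_email(email)] = (salt, hash_password(password, salt))
    return store


def screen_phished_credentials(store: UserStore,
                               phished_pairs: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the site's own users whose current password matches a pair phished elsewhere.

    Each phished password is hashed with that user's own salt and compared in
    constant time, so the plaintext is never persisted and a wrong guess leaks
    nothing beyond what a normal failed login would.
    """
    exposed = set()
    for email, password in phished_pairs:
        record = store.get(normalize_email(email))
        if record is None:
            continue  # not one of our users; nothing to do
        salt, digest = record
        if hmac.compare_digest(hash_password(password, salt), digest):
            exposed.add(normalize_email(email))
    return sorted(exposed)


# Constructed sample data: three users of "our" site, plus a feed of pairs
# phished from a cloud storage provider that never targeted us.
OUR_USERS = [
    ("alice@example.com", "Summer2016!"),   # reused the same password at the cloud provider
    ("bob@example.com", "correct-horse-battery"),  # used a different password there
    ("carol@example.com", "Tr0ub4dor&3"),   # not in the phished feed at all
]

PHISHED_FEED = [
    ("Alice@Example.com ", "Summer2016!"),  # case/whitespace differs; still matches
    ("bob@example.com", "CloudPass1"),      # different password; no exposure
    ("dave@example.com", "Summer2016!"),    # not our user
]


def demo() -> List[str]:
    store = build_user_store(OUR_USERS)
    return screen_phished_credentials(store, PHISHED_FEED)


if __name__ == "__main__":
    for email in demo():
        print(f"force password reset: {email}")
```

Users returned by the screen should be pushed through a forced reset and, ideally, a step-up factor, since the attacker already holds a working email/password pair for them. Screening only detects exact reuse; a user who varies the password by one character is still at risk, which is an argument for multi-factor authentication rather than a reason to skip the check.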

[Figure: TLDs represented in phishing sites]

Phishing trends: Key findings

  • PhishLabs identified phishing sites residing on more than 170,000 unique domains, a 23% increase.
  • Phishing volume grew by an average of more than 33% across the five most-targeted industries.
  • Attacks targeting government tax authorities have grown more than 300% since 2014.
  • There were more IRS phishing attacks in January 2016 than there were in all of 2015.
  • Attacks on Canadian institutions grew 237%, more than any other country.
  • Ransomware attacks, the predominant type of malware being distributed via phishing, are now focusing on organizations that are more likely to pay ransoms, such as healthcare, government, critical infrastructure, education, and small businesses.
  • In a deviation from prior years, phishing volume peaked mid-year due to the influence of major global events, such as Brexit, and a spike in virtual web server compromises.
  • The share of attacks against targets in the United States continues to grow, accounting for more than 81% of all phishing attacks.
  • Although 59% of phishing sites were hosted in the United States, there was a significant increase in the number of phishing sites hosted in Eastern Europe.
  • Although the .COM top-level domain (TLD) was associated with more than half of all phishing sites in 2016, new generic TLDs are becoming a more popular option for phishing because they are low cost and can be used to create convincing phishing domains.
  • Of more than 29,000 phish kits analyzed, more than a third used techniques to evade detection. A phish kit is a bundle of the pages, scripts, and graphics needed to stand up a phishing site quickly.

Photo credit courtesy of PhishLabs.