Phishing attacks continued to rise into the summer of 2019 with cybercrime gangs’ focus on branded webmail and SaaS providers remaining very keen, according to the APWG report.
The report also documents how criminals are increasingly perpetrating business email compromise (BEC) attacks by using gift card cash-out schemes.
The number of phishing attacks observed in the second quarter of 2019 eclipsed the number seen in the three quarters before. The total number of phishing sites detected in April through June 2019 was 182,465. This topped the 180,768 seen in 1Q2019, and was up notably from the 138,328 seen in the fourth quarter of 2018.
SaaS and branded Webmail providers were counted as the most targeted sector with 36 percent of all phishing attacks recorded targeting its constituents’ brands, according to APWG member MarkMonitor.
The report also demonstrates why employees should beware of requests for gift cards and payroll account change requests at the workplace.
APWG member Agari tracked BEC attacks across the quarter, watching gangs use targeted spear phishing to trick victims into sending funds or sensitive information to the criminal, often impersonating a trusted colleague or supervisor directing the employee to send out a gift card for a favored customer or an employee.
Gift cards were requested in 65 percent of BEC attacks during the second quarter of 2019. About 20 percent of attacks requested payroll diversions, and 15 percent requested direct bank transfers.
“Nearly two-thirds of all BEC attacks observed by the Agari Cyber Intelligence Division requested that the target purchase gift cards and send them to the attacker,” said Crane Hassold, Agari’s Senior Director of Threat Research.
“Because they are more anonymous, less reversible, and do not require the use of a mule intermediary, gift cards have quickly emerged as the most popular cash out option for scammers over the past year.”
Hassold also noted that the bogus bank transfer requests represented a large threat – the average request was for a whopping $64,717. One attempt that Agari documented was a request for $950,000.
BEC attacks may be driving other kinds of phishing attacks. SaaS and webmail sites remained the biggest targets of phishing. Phishers harvest credentials to those kinds of sites to then perpetrate effective BEC attacks and to penetrate corporate accounts.