Report findings
This article will recap findings from the 2020 fourth quarter edition of the APWG Phishing Activity Trends Report. This report analyzes phishing attacks and identity theft techniques that have been reported to the APWG. Below are the findings of this report, with a Phishing Activity trends summary to head it all off.
Phishing Activity Trends summary
The number of phishing attacks that APWG observed doubled throughout 2020 The cost of business email compromise scams is rising — the average wire transfer amount requested in these attacks increased from $48,000 to $75,000 from quarter three 2020 to quarter four 2020 The category of financial institution, webmail and SaaS site was most frequently victimized in phishing attacks for quarter four of 2020 Phishers are using different deception techniques to fool their targets. Examples include domain names to avoid detection, encryption designed to cause a false sense of security and spoofing trusted companies and business contacts with deceptive email addresses.
Some statistics
Among the data presented in this report are statistical highlights of three items tracked by APWG: unique phishing sites, unique phishing email subjects and the number of brands targeted by phishing campaigns. Presented below is this data for quarter four of 2020. The number of unique phishing websites detected is more accurate than simply counting URLs because one single phishing website could be advertised as literally thousands of URLs. APWG revealed that this number has been increasing since March 2020. Unique phishing email subjects were tracked because multiple phishing campaigns can be using the same subject line but have URLs relating to different phishing campaigns. The number of brands was determined by normalizing the typically misspelled or otherwise “off” spellings of brand names.
Most targeted industry sectors
Below are the most targeted industry sectors by phishing attacks for quarter four of 2020.
SaaS/webmail: 22.2% Financial institutions: 22.5% Payment: 15.2% Social media: 11.8% Other: 10.4% eCommerce/retail: 8.9% Logistics/shipping: 6.4% Telecom: 2.5%
The information from quarter four is interesting for a couple of reasons. Phishing that attacked SaaS/webmail victims dipped substantially from quarter three to quarter four, which equated to a dip from 31.4% to 22.2%. Yet it was still the most targeted industry. Surprisingly, during the 2020 U.S. presidential election cycle, the number of phishing attacks on the social media sector dipped. It should be noted that 2020 showed a shift from conventional phishing to more elaborate scams involving trademark and copyright such as fake marketplaces where victims are tricked into buying goods and end up losing the money they paid as well as possibly compromising their credentials and opening themselves up to more losses.
Business email compromise (BEC)
According to the report, the average amount requested in the course of a BEC attack increased from $48,000 in quarter three 2020 to $75,000 in quarter four, coming from a Russia-based BEC group called Cosmic Lynx as well as a new “pretext” BEC scam. The report also shed light on some other interesting developments regarding BEC. There was an increase in the amount of BEC attacks that requested direct bank transfers going from 14% in quarter three to 22% in quarter four. Payroll diversion requests also increased from quarter three to quarter four, 6% to 13% respectively.
Phishers fooling victims with encryption
Encryption can provide a false sense of security for users and phishers have been taking advantage of this fact. Gone are the days when simply using the HTTPS encryption protocol means that a URL is legitimate. Taking a look at the numbers shows just how popular the use of encryption has become for phishers — presented below is a progressive list of some recent quarters:
Quarter one 2017: 10% Quarter four 2017: 31% Quarter three 2018: 50% Quarter 1 2019: 58% Quarter four 2019: 74% Quarter three 2020: 80% Quarter four 2020: 84%
It should be noted that in quarter four 2020, the number of phishing sites using domain valid (DV) certificates was a whopping 89%. The days of using a DV certificate as a benchmark for website legitimacy are gone. This means users will have to dig deeper into their phishing training and security awareness training to keep up with phishing attacks going forward.
Use of domain names in phishing quarter four of 2020
The report analyzed three types of top-level domains or TLDs — legacy generic TLDs, new generic top-level domains (nTLDs) and country-code top-level domains (ccTLDs). Below are the percentages of these different TLDs used in phishing attacks at the beginning of quarter four of 2020:
Legacy TLDs: 48% nTLDs: 8% ccTLDs: 43%
Towards the end of quarter four of 2020, APWG analyzed a sample set of 2,575 domains. Of the sample set, the percentages were:
Legacy TLDs: 78% nTLDs: 7% ccTLDs: 15%
These numbers show not only that legacy TLDs are king for phishers but that the numbers can swing quite a bit within respective quarters.
APWG’s Phishing Activity Trends points to more phishing
The APWG Phishing Activity Trends Report for quarter four of 2020 is an insightful look into not only where phishing was going on but also provides a troubling look at where phishing is going in the future. If the trend continues, phishing will keep growing at a steady pace and phishers are continually taking advantage of the trust of victims by using indicators that users used to rely upon, such as encryption and DV certificates, to determine if a URL was legitimate. Phishing training will have to work overtime to keep users better informed in the face of the growing problem of phishing.
Sources:
The APWG Phishing Activity Trends Report Q4 2020, APWG WG REPORT: Phishing Attacks Double in 2020 and October Shatters All-Time Monthly Records. Yahoo Finance