A new report has released the latest phishing records and the industries that are being targeted the most. Read on to learn more.
The Anti-Phishing Working Group (APWG) is an international coalition with a membership that includes over 2,200 private sector cybersecurity firms, government agencies, law enforcement, and other organizations. According to its site at APWG.org, the group is committed to “unifying the global response to cybercrime.” Members include Microsoft, PayPal, AT&T, Comcast, Cisco, Symantec, Agari, and many other industry leaders.
APWG continually conducts research and evaluates the threat landscape, issuing periodic reports detailing the findings. In June of 2021, the group reported that the number of phishing sites its members were able to identify reached a record high of 245,771 in January 2021. The average amount lost in Business Email Compromise wire transfers also hit an all-time high.
Stats from the APWG
According to the APWG, the number of active phishing sites fluctuates from month to month. The number dropped from January’s record high of 245,771 to less than 200,000 the following month but rose above the 200,000 marks again in March. The March number was the fourth-highest total since the APWG began its research efforts. As these numbers indicate, the malicious site count remains high despite these fluctuations.
The group’s research revealed that, in the first quarter of 2021, financial institutions remained the most targeted of industries, accounting for nearly 25% of all phishing attacks. The second most targeted industry group was social media. Cybercriminals attempt to hijack social media user accounts, then sell access to the hacked accounts to online buyers.
The APWG’s research in 2020 and the first quarter of 2021 also revealed some statistics regarding the use of Transport Layer Security (TLS) certificates by phishing sites. In 2020, only about 17% of these sites offered HTTPS connections indicating that a TLS certificate had been issued. The APWG found that, during the first quarter of 2021, 94.5% of TLS certificates associated with phishing attacks were of the “Domain Valid” (DV) variety. DV certificates only certify that a domain name is valid. This is the weakest of TLS certificates, meaning that, even though a small percentage of phishing site URLs begin with HTTPS, the DV certificate they’re likely using doesn’t guarantee that the site is secure. It only means that it would be difficult for a hacker to intercept and use the site’s traffic.
Cybercriminals get around email filters by cheaply acquiring new domains from which they can send their phishing emails each time the filters begin recognizing and blocking messages from their previously-used domains. APWG research revealed that Namecheap continues to be the most popular domain name vendor used by perpetrators of phishing attacks. Of the Business Email Compromise (BEC) phishing attacks identified by APWG during the last quarter of 2020, 32% of those attacks used domain names issued by Namecheap. By the end of the first quarter of 2021, that percentage had increased to 46.3%.
The APWG also found that, in the first three months of 2021, the average amount of money lost in BEC wire transfers being misdirected to scammers’ accounts reached a record high of $85,000 per transaction. That represents a 44% increase since the third quarter of 2020.
A trained User Community Is The Last Line of Defense
As is evidenced by the fact that cybercriminals can easily obtain new, valid domain names with TLS certificates to at least temporarily defeat email filters and provide the illusion of secure connectivity to those who visit their sites, training is the best defense against these attacks. Even with the most effective technical controls, some phishing messages will reach their intended recipients and attacks will be successful unless your users know what to look for.
If you do not currently have a comprehensive training program in place that continually incorporates information about new and changing attack vectors, you may wish to consider contracting with a training provider. There are vendors offering training programs that include simulated phishing campaigns. Many training applications can track user progress and generate reports you can use to measure the program’s effectiveness over time. Some offer Active Directory (AD) integration, automating the process of adding and removing new and terminating users from the program.
Your Cyber Strategy Should be the First Line of Defense
Your first line of defense should be your cybersecurity strategy that involves people, products, and technology. We recommend starting with a security risk assessment that includes a gap analysis.
Conclusion
The number of active phishing sites is hovering around record levels. The average amount of money lost per BEC transaction increased by 44% over a nine-month period. Technical controls are never 100% effective, thus your user community is your last line of defense. Effectively training your users to recognize and avoid these scams lowers your organization’s overall level of vulnerability and will likely cost significantly less than it would recover from a successful attack.