The Anti-Phishing Working Group’s Phishing Activity Trends Report for Q3 2019 stated that phishing attacks are now at their highest rate since 2016. In Q3 of 2019, 266,387 unique phishing websites were detected, a 46% increase from Q2 of 2019.
APWG obtained data on 277,693 unique phishing activities from its users, the largest number of recognized phishing campaigns since Q4 of 2016. APWG also collates data on phishing attacks reported by the public and consumers. The public submitted 122,359 unique reports in Q3 of 2019, 9.09% more than in Q2.
The phishing campaigns seen in Q3 of 2019 impersonated over 400 businesses, up from 313 in Q2 of 2019. The types of businesses most often impersonated in the phishing attacks are providers of webmail and software support. The principal purpose of the attacks on these companies is to obtain credentials that can be used to log in to corporate email and SaaS accounts. The focus of the attacks is largely unchanged from past quarters.
Many attacks, particularly those by Business Email Compromise (BEC) scammers, focus on obtaining Office 365 credentials. Once a scammer has access to a corporate email account, the account is used to send more phishing emails to other people in the breached company. The purpose of many attacks is to access the email account of the CEO or another executive. The scammer then uses the accounts to send emails to people who have access to corporate bank accounts in order to change wire transfers and payroll.
The attackers usually spend a substantial amount of time collecting data on prospective targets prior to the BEC attacks. During this research stage, mail rules are generally created that forward all sent and received email messages in the compromised accounts to the attackers. The attackers identify potential targets, normal invoice amounts, and usual payment dates to increase the likelihood of success. After an email account compromise, the attacker will wait for a number of weeks or months before using the account for BEC attacks.
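Defenders can look for the forwarding rules described above by auditing mailbox rules for external destinations. The following is an added example, not code from the APWG report or this article; it assumes rules have been exported as records using the property names of Exchange Online's Get-InboxRule output, and the domains and sample rules are constructed.

```python
import re

# Assumption: domains the organisation owns; anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}
# Properties of a Get-InboxRule record that send mail onward.
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def external_targets(rule):
    """Return the sorted external addresses a rule forwards or redirects to."""
    found = set()
    for field in FORWARD_FIELDS:
        for entry in rule.get(field) or []:
            for match in ADDRESS_RE.finditer(entry):
                if match.group(1).lower() not in INTERNAL_DOMAINS:
                    found.add(match.group(0).lower())
    return sorted(found)

def audit_rules(rules):
    """Flag enabled rules that send mail outside the organisation."""
    findings = []
    for rule in rules:
        targets = external_targets(rule)
        if not rule.get("Enabled") or not targets:
            continue
        findings.append({
            "mailbox": rule.get("MailboxOwnerId"),
            "rule": rule.get("Name"),
            "targets": targets,
            # Deleting the local copy hides the forwarded mail from the owner.
            "hides_mail": bool(rule.get("DeleteMessage")),
        })
    return findings

# Constructed sample data, not taken from any real tenant.
SAMPLE_RULES = [
    {"MailboxOwnerId": "cfo@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ['"x" [SMTP:collector@mail-archive.invalid]'],
     "DeleteMessage": True},
    {"MailboxOwnerId": "cfo@example.com", "Name": "To assistant", "Enabled": True,
     "RedirectTo": ['"Assistant" [SMTP:assistant@example.com]']},
    {"MailboxOwnerId": "hr@example.com", "Name": "Old copy", "Enabled": False,
     "ForwardAsAttachmentTo": ['"me" [SMTP:someone@webmail.invalid]']},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Only the first sample rule is reported: it is enabled, forwards outside the organisation, and deletes the local copy. Disabled rules with external targets are skipped here but are still worth reviewing as evidence of an earlier compromise.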
Another developing trend is the use of gift card scams instead of wire transfer requests. Wire transfer requests in Q3 of 2019 ranged from $2,530 to $850,790, with an average payment of $52,325 and a median payment of $24,958. The average gift card scam requested $1,571, with requests ranging from $200 to $8,000.
The profits from gift card scams are lower; however, scammers find it far easier to cash out, and there is increased anonymity. By contrast, fraudulent bank transfers are most often questioned, payments are reversible, and money mules are necessary. Of all BEC attacks in Q3 of 2019, 56% involved gift cards, 25% payroll diversion, and 19% direct bank transfers.
The following statistics show the sectors targeted by the attacks observed in Q3:
- 33% on SaaS and webmail
- 21% on the payment industry (e.g., PayPal)
- 19% on financial institutions
- Less popular are the attacks on cloud storage and file hosting websites
A growing number of organizations have switched from HTTP to HTTPS. People today are far more likely to visit a website that uses HTTPS, and to disclose sensitive data such as login credentials on it. Cybercriminals have followed suit: 68% of phishing sites were hosted on HTTPS in Q3, up from only 54% in Q2 of 2019.