If Volume Is Lower, Risk Is Lower…Right? Not So Fast.
Though it’s nice to think that organizations are seeing a reprieve from the onslaught of Q2, that doesn’t mean that organizational risk is lower. Here’s why:
Attackers Are Getting More Sophisticated About Phishing
Cybercriminals have been learning from their experiences and are generally getting less "buckshot" in their approach in favor of focusing their efforts on "surer things." As the APWG noted in its Q4 report, "Phishers concentrated on fewer targets during the [2016] holiday season, and hit fewer lower-yielding or experimental targets."
Bottom line: Fewer phishing emails doesn’t necessarily translate into a lower payoff for attackers (or a lower risk for you).
Attackers Are Using Other Methods
Social engineering scams yield results in many arenas, not just email inboxes. We’ve long discussed the need for a security awareness training program to extend beyond the phish, and new insights included in the Q4 report from APWG member company Axur support this. As noted by Fabio Ramos, Axur’s CEO, “Criminals are re-inventing themselves all the time. We’ve seen a decrease in the numbers of regular phishing attacks, and an increase in other methods of fraud, such as malware fake services advertised through social media platforms.”
Case in point: Axur’s analysis of 2,000 fraud occurrences targeting Brazilian companies and individuals in Q4 2016 revealed 952 instances of social media scams and 318 mobile app scams — both of which topped the 304 incidents related to traditional phishing fraud. Ramos advised, “We believe that now, more than ever before, efforts should be aimed at reaching out and monitoring several different channels where the frauds can take place.”
Bottom line: Phishing training is a great start, but it's not the be-all and end-all of security awareness training.
Ransomware-Based Phishing Stats Aren’t Tracked by the APWG
Here's how the APWG defines its methodology for logging phishing emails:
APWG tracks and reports the number of unique phishing reports (email campaigns) it receives, in addition to the number of unique phishing sites found. An e-mail campaign is a unique e-mail sent out to multiple users, directing them to a specific phishing web site (multiple campaigns may point to the same web site).
Based on this statement, it seems that the APWG is only logging link-based phishing attacks, not those tied to data entry forms or infected attachments. I did confirm with the organization that ransomware attacks are not included in their statistics. They indicated that, based on their methodology, they consider ransomware to be a malware attack, not a phishing attack; as such, ransomware is not counted in the APWG's reported phishing stats.
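To make that methodological gap concrete, here is a small added example (our own illustration, not APWG code; the reports it tallies are constructed, and using the subject line as the "unique email" and the link's host as the "site" are assumptions). It counts the same set of reported emails two ways: once as campaigns pointing at phishing sites, where attachment-only lures fall out of the count entirely, and once by delivery method, where every report is counted.

```python
"""Campaign-based phishing counts versus per-report counts (added example)."""
from collections import Counter
from urllib.parse import urlparse

# Constructed sample reports (invented for illustration, not real data).
# Each dict is one email a user reported. "url" is the credential-harvesting
# link, if any; "attachment" is the file name, if any.
SAMPLE_REPORTS = [
    # Two copies of the same lure pointing at the same site: one campaign.
    {"subject": "Your account is locked", "url": "http://evil.example/login", "attachment": None},
    {"subject": "Your account is locked", "url": "http://evil.example/login", "attachment": None},
    # A different lure pointing at the same site: a second campaign, one site.
    {"subject": "Verify your identity", "url": "http://evil.example/login", "attachment": None},
    # A different lure and a different site.
    {"subject": "Payment overdue", "url": "http://bank-update.example/signin", "attachment": None},
    # Attachment-only lures (the ransomware pattern): no link to any site.
    {"subject": "Invoice 4471", "url": None, "attachment": "invoice_4471.doc"},
    {"subject": "Invoice 4471", "url": None, "attachment": "invoice_4471.doc"},
    {"subject": "Scanned document", "url": None, "attachment": "scan.js"},
]


def classify(report):
    """Delivery method of one report: 'link', 'attachment' or 'other'."""
    if report["url"]:
        return "link"
    if report["attachment"]:
        return "attachment"
    return "other"


def campaign_counts(reports):
    """Count the way the quoted methodology describes.

    A campaign is a unique email (assumed here: its subject line) that
    directs users to a specific phishing URL; several campaigns may share
    one site.  A report with no URL cannot be tied to a site, so it is
    not counted as a campaign at all.
    """
    campaigns = set()
    sites = set()
    uncounted = 0
    for r in reports:
        if not r["url"]:
            uncounted += 1
            continue
        campaigns.add((r["subject"], r["url"]))
        sites.add(urlparse(r["url"]).netloc)
    return {"campaigns": len(campaigns), "sites": len(sites), "uncounted": uncounted}


def delivery_breakdown(reports):
    """What an end-user-risk view counts: every report, by delivery method."""
    return dict(Counter(classify(r) for r in reports))


if __name__ == "__main__":
    print(campaign_counts(SAMPLE_REPORTS))     # {'campaigns': 3, 'sites': 2, 'uncounted': 3}
    print(delivery_breakdown(SAMPLE_REPORTS))  # {'link': 4, 'attachment': 3}
    # A large attachment-borne wave leaves the campaign count unchanged.
    wave = [{"subject": "Invoice", "url": None, "attachment": "inv.doc"}] * 500
    print(campaign_counts(SAMPLE_REPORTS + wave)["campaigns"])  # 3
```

The last lines are the point: adding five hundred attachment-borne lures to the mailbox does not move the campaign count at all, while the per-report breakdown grows accordingly. A falling campaign count therefore says nothing about how many malicious emails your users are actually handling.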
Given that ransomware is on the rise and is frequently delivered via phishing emails, the exclusion of these numbers is, in our opinion, one reason for the decline in the APWG's reported number of phishing attacks. That decline therefore doesn't mean that phishing, on the whole, is declining. And, as we noted in a recent post, lack of security awareness training spells trouble for endpoint protection, particularly where ransomware is concerned.
Bottom line: Pay less attention to phishing trends, and more attention to end-user risk management.