New APWG Phishing Statistics Hint at a Focus on Targeted Attacks

The Anti-Phishing Working Group (APWG) recently released its Phishing Activity Trends Report for Q4 2017, which compiles and analyzes data related to reported phishing campaigns (i.e., unique emails sent to multiple users with the same subject line in a given month) and unique phishing websites. Following are key takeaways from the report:

Phishing Reports Were Down for Q4

The APWG identified 233,613 unique phishing reports in Q4 2017, a decrease from 296,208 in Q3. This is a bit of a surprise since the holiday shopping season usually prompts an uptick in reported attacks during the last quarter of the year. But despite the late-year decline, reports were up compared to Q4 2016 (211,032).

Phishing Websites Dropped Sharply Year-Over-Year

The number of unique phishing websites identified by the APWG also fell in Q4 2017 (180,757 vs. 190,942 in Q3), and was down significantly from the 277,693 total in Q4 2016. However, this sharp year-over-year decline could be due, at least in part, to a change in APWG methodology. The report notes that sites are “now determined by the unique base URLs of the phishing sites” and that one unique phishing website “may be advertised as thousands of customized URLs, all leading to basically the same attack destination.”

The Number of Targeted Brands Declined Throughout Q4

Attackers appeared to narrow their focus on the brands they targeted during the holiday shopping season of Q4 2017, with the number of brands included in phishing campaigns dropping from 348 in October to 323 in November and 268 in December. The APWG saw a nearly identical trend in Q4 2016, with targeted brands dropping from 357 to 332 to 264 over the same three-month span.

Attackers Are Going Where the Money Is

The industries receiving the highest volumes of phishing attacks looked very different in Q4 2017 than in Q4 2016:

• The four most targeted sectors in Q4 2017 were Payment Services (42%), SaaS/Webmail (16%), Financial (15%), and Cloud Storage/Hosting (11%).
• The four most targeted sectors in Q4 2016 were Retail/Service (42%), Financial (19%), ISPs (13%), and Payment Services (11%).

Though financial organizations dealt with less volume, it’s important to note that they were still firmly in attackers’ sights late last year. MarkMonitor — an APWG member that provided industry-related data for the report — indicated that of the 454 organizations it identified as being phishing targets in Q4 2017, 60% were financial institutions. In comparison, just 4% of targets were payment providers, and 6% were SaaS/webmail providers.

Malicious Use of HTTPS Is on the Rise

While end users are often taught to look for HTTPS as an indicator of a secure connection, the APWG report cautions that “phishers are fooling internet users by turning an internet security feature against them.” In Q4 2017, more than 30% of phishing sites were hosted on HTTPS infrastructure — a dramatic rise from the end of 2016, when less than 5% of phishing sites used HTTPS content encryption. These statistics reinforce a caution we’ve long noted, that there is a difference between a “secure site” and a “safe site.”

Visit the APWG website to obtain copies of the Q4 2017 and Q4 2016 phishing analysis, as well as other issues of the Phishing Activity Trends Report.