Phishing by Numbers - Phishing Infographic

October 26, 2016 by Susan Morrow


Phishing by Numbers

The manipulation of human behaviour for criminal intent is nothing new. Age-old scams that tricked people into handing over their hard-earned cash have been going on since humans came down from the trees. The modern equivalent of these old scams is phishing. Phishing is now considered the single most successful technique used by cybercriminals. Variants on the theme of social engineering and trickery have created a phishing toolset that cybercriminals use to steal login credentials, exfiltrate personal data, and install ransomware. Phishing comes in many forms, from emails containing malicious attachments or links to spoof websites, to malicious texts and spoof phone calls. Such a successful method is likely to remain the cybercriminal's weapon of choice unless we put measures in place to prevent it.

Types of Phishing

There are a variety of phishing types. Each has the ultimate goal of either ensuring that malware is installed on the recipient's device, or getting them to click on a link that takes them to a spoof website, where they either download malware or enter sensitive data such as login credentials. The following are the most common types of phishing to date.

Phishing

In March 2016, 93% of phishing emails were being used to infect victims with ransomware (1).

85% of organizations reported a phishing attack in 2015, up from 72% in 2014 (2).

Phishing emails containing JavaScript applications and Microsoft Office macros were the most common methods of infecting users (1).

In a new twist on the old hijacking of email contact lists, a phishing scam based on Facebook emerged this year. Users were sent fake Facebook messages informing them that a friend had mentioned them in a comment. The message contained a Trojan which installed a Chrome browser extension. The Chrome extension carried out a Facebook account takeover, allowing manipulation of privacy settings and data theft (3).

The IRS saw a 400% increase in phishing of IRS clients during the 2016 tax season (4).

Source:

  1. PhishMe, Q1 2016 Malware Review: http://phishme.com/project/phishme-q1-2016-malware-review/
  2. Wombat Security, State of the Phish 2016: https://www.wombatsecurity.com/press-releases/new-report-state-of-phishing-attacks
  3. Telegraph, Facebook fake friend phishing attack, July 2016: http://www.telegraph.co.uk/technology/2016/07/06/facebook-fake-friend-phishing-attack-uncovered---heres-how-to-sp/
  4. IRS: https://www.irs.gov/uac/newsroom/consumers-warned-of-new-surge-in-irs-email-schemes-during-2016-tax-season-tax-industry-also-targeted

Spear Phishing

Spear phishing is a type of phishing email that is specifically targeted at a known person. Usually it will have their name in the email body and enough specific personal information to look very convincing. Spear phishing has been used very successfully in a number of high-profile attacks, including the Target Corp breach of 2014. Often this type of phishing is used to steal login credentials for secure resources such as servers.

67% of organizations reported a spear phishing attack (1)

Size of organization does not guarantee immunity from spear phishing: organizations of all sizes are being attacked. However, smaller businesses (under 250 employees) have seen a larger increase in spear phishing attempts over the last 3 years, whereas larger businesses (more than 2,500 employees) have seen about the same number of attacks over the last 3 years.

Spear phishing by company size (2):

Year   Large   Medium   Small
2013   39      31       35
2014   41      25       22
2015   35      22       43

There was a large spear phishing campaign targeting Amazon customers this year. The emails contained Microsoft Word macros infected with the Locky encryption ransomware. Up to 30 million customers were targeted. What made it a spear phishing campaign, rather than a general one, was that the attackers could manipulate the email header and so make the email appear more genuine (3).

Sources:

Whaling or Business Email Compromise (BEC)

This is a variant of a spear phishing email which is targeted at employees of a corporation, tricking them into thinking the email originates from their CEO or similar C-level executive. This type of phishing requires much more upfront research by the phisher and the resultant email is very convincing.

BEC (Whaling) statistics

In Q4 2015, 55% of businesses saw an increase in this type of scam (1).

January 2015  - June 2016:

  • Losses amount to: almost $1.3 billion (actual $3,086,250,090)
  • Number of countries involved: 100
  • Number of U.S. States involved: 50
  • Number of countries that stolen monies go to: 79, but concentrated in Southeast Asia (2)

37% of companies surveyed had been victim of a targeted phishing scam where the email had purported to be from their CEO (3)

This year, SnapChat was the victim of a payroll-targeted BEC, resulting in the personal details and payroll information of an undisclosed number of employees being disclosed. The email looked like it came from the SnapChat CEO, Evan Spiegel (4).

In similar faked-CEO phishing attacks, 55 companies in 2015 fell for a W-2 U.S. tax records scam. In this scam, the company's details were found using sites like LinkedIn. The attackers then used emails that looked like they originated from the CEO to trick company accounts staff into releasing W-2 tax record data on its employees. This data was then used to file false tax claims (5).

Source:

SMiShing

SMiShing is a variant of phishing that uses mobile text messages, instead of emails, to trick users into releasing details such as login credentials. An example was a recent WhatsApp-based SMiShing scam. Users would receive a normal SMS text on their phone alerting them to a need to pay a fee to keep using WhatsApp. The SMiSh tricked users into clicking on a link which took them to a spoof WhatsApp site where they were asked for credit card details.

55% of organizations reported a SMiShing attack (1)

Source:

  • Wombat Security, State of the Phish 2016

Vishing

Vishing involves the use of a phone call to extract personal data from a user, which is then used to commit fraudulent acts. There are many vishing scams involving banks and other financial institutions. One of the largest to date is the IRS vishing scam (1). In March 2016 there was a 10X increase in the number of vishing attempts, with around 450,000 victims (2).

Sources:

Number of phishing attacks across global market (1)

Quarter   Number    % increase over previous quarter
Q2 2015   126,797   -
Q3 2015   130,946   3.3
Q4 2015   144,694   10.5
Q1 2016   240,520   66.2
Q1 2016   516,702   114.8


Source:

Alternative Numbers from the Anti-Phishing Working Group (APWG)

Unique Phishing Websites for the 6 months to April 2016

Month    Number    % increase over previous month
Oct 15   48,114    -
Nov 15   44,575    -7.3
Dec 15   65,885    47.8
Jan 16   86,557    31.4
Feb 16   79,259    -8.4
Mar 16   123,555   55.9

Source: APWG, Phishing Activity Trends Reports for Q4 2015 and Q1 2016:

http://docs.apwg.org/reports/apwg_trends_report_q4_2015.pdf

http://docs.apwg.org/reports/apwg_trends_report_q1_2016.pdf

Number of unique reported email campaigns

Month    Number    % increase over previous month
Oct 15   194,499   -
Nov 15   105,233   -45.9
Dec 15   80,548    -23.5
Jan 16   99,384    23.4
Feb 16   229,315   130.7
Mar 16   229,265   0

Source: APWG, Phishing Activity Trends Reports for Q4 2015 and Q1 2016:

http://docs.apwg.org/reports/apwg_trends_report_q4_2015.pdf
http://docs.apwg.org/reports/apwg_trends_report_q1_2016.pdf

Click rate

2014 - 23% opened a phishing email; 11% clicked on malicious link or opened attachment (i.e. completed the phish) (1)

2015 - 30% opened a phishing email; 13% clicked on malicious link or opened attachment (i.e. completed the phish) (1)

Only 3% alerted management to the possibility of a phishing email (1).

Click rate per industry - top five (2):

  1. Telecommunications: 24%
  2. Professional Services: 23%
  3. Government: 17%
  4. Insurance: 16%
  5. Retail: 14%

Source:

Top Ten Country Sources of Phishing Emails - Q1 2016

  1. USA: 12.43%
  2. Vietnam: 10.30%
  3. India: 6.19%
  4. Brazil: 5.48%
  5. China: 5.09%
  6. France: 4.90%
  7. Russia: 4.89%
  8. Mexico: 4.57%
  9. Germany: 2.91%
  10. Argentina: 2.60%

Top Ten Countries by Users Attacked

  1. Brazil: 21.5%
  2. China: 16.7%
  3. Great Britain: 14.6%
  4. Japan: 13.8%
  5. India: 13.1%
  6. Australia: 12.9%
  7. Bangladesh: 12.4%
  8. Canada: 12.4%
  9. Ecuador: 12.2%
  10. Ireland: 12%

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.