CAMBRIDGE, Mass.--(EON: Enhanced Online News)--The Anti-Phishing Working Group (APWG) observed that 2016 ended as the worst year for phishing in history. According to the APWG’s new Phishing Activity Trends Report, the total number of phishing attacks in 2016 was 1,220,523. This number represents the highest ever recorded, and fully a 65 percent increase over 2015.
The end of 2016 was also an opportunity to reflect on how phishing has grown over the years. In the fourth quarter of 2004, the APWG saw 1,609 phishing attacks per month. In the fourth quarter of 2016, the APWG saw an average of 92,564 phishing attacks per month — an increase of 5,753 percent over 12 years. Phishing attacks have generally increased each year over the past ten years, indicating a consistent trend. Forthcoming APWG reports will provide additional dimensions of data for more analysis.
“Phishing is an attack that relies primarily on fooling people, rather than highly sophisticated technical implementations,” said APWG Senior Research Fellow and iThreat VP Greg Aaron. “For that reason, phishing remains both popular and effective. Also, the APWG’s numbers for 2016 just measure broad-based attacks against consumer brands. The numbers don’t attempt to catalog spear-phishing, which is highly targeted phishing that targets only a few specific people within a company. Truly, phishing is more pervasive and harmful than at any point in the past.”
The new report also brings new insights from APWG’s contributing members across the globe, a feature that will continue to appear in Phishing Activity Trends Reports going forward.
Axur, a Brazilian company that concentrates on protecting companies and their users in Brazil, found that fraudsters in Brazil are using both traditional phishing and social media to defraud Internet users. They are also using technical tricks to make it harder for responders to stop these scams and filter them before they reach end users. “Criminals are re-inventing themselves all the time,” said Fabio Ramos, CEO of Axur. “We’ve seen a decrease in the numbers of regular phishing attacks - and an increase in other methods of fraud, such as malware fake services advertised through social media platforms.”
APWG member RiskIQ examined how phishing victims are fooled by phishers – not by the address in the browser bar, but by hyperlinks (which must be hovered over to even see the destination domain), URL shorteners, which mask the destination domain, or brand names inserted elsewhere in the URL.
“A relatively low percentage of phishing websites targeting a brand attempt to spoof that brand in the domain name—whether at the second-level or in the fully-qualified domain name,” says Jonathan Matkowsky, VP for intellectual property & brand security at RiskIQ. This is evidence that phishers do not need to use deceptive domain names to fool Internet users into visiting their sites.
The full text of the report is available here: http://docs.apwg.org/reports/apwg_trends_report_q4_2016.pdf
About the APWG
The APWG, founded in 2003 as the Anti-Phishing Working Group, is the global industry, law enforcement, and government coalition focused on unifying the global response to electronic crime. Membership is open to qualified financial institutions, online retailers, ISPs and Telcos, the law enforcement community, solutions providers, multi-lateral treaty organizations, research centers, trade associations and government agencies. There are more than 1,800 companies, government agencies and NGOs participating in the APWG worldwide. The APWG's <www.apwg.org> and <education.apwg.org> websites offer the public, industry and government agencies practical information about phishing and electronically mediated fraud as well as pointers to pragmatic technical solutions that provide immediate protection. The APWG is co-founder and co-manager of the Stop. Think. Connect. Messaging Convention, the global online safety public awareness collaborative <https://education.apwg.org/safety-messaging-convention/> and founder/curator of the eCrime Researchers Summit, the world’s only peer-reviewed conference dedicated specifically to electronic crime studies <www.ecrimeresearch.org>. APWG advises hemispheric and global trade groups and multilateral treaty organizations such as the European Commission, the G8 High Technology Crime Subgroup, Council of Europe's Convention on Cybercrime, United Nations Office of Drugs and Crime, Organization for Security and Cooperation in Europe, Europol EC3 and the Organization of American States. APWG is a member of the steering group of the Commonwealth Cybercrime Initiative at the Commonwealth of Nations. 
Among APWG's corporate sponsors are: AhnLab, AT&T (T), Afilias Ltd., Avast!, AVG Technologies, BBN Technologies, Barracuda Networks, BillMeLater, Bkav, Booz Allen Hamilton, Blue Coat, BrandMail, BrandProtect, Bsecure Technologies, CSC Digital Brand Services, Check Point Software Technologies, Comcast, CSIRTBANELCO, Cyber Defender, Cyveillance, DigiCert, Domain Tools, Donuts.co, Easy Solutions, eBay/PayPal (EBAY), eCert, EC Cert, ESET, EST Soft, Facebook, Forcepoint, Fortinet, FraudWatch International, F-Secure, GlobalSign, GoDaddy, Google, GroupIB, Hauri, Hitachi Systems, Ltd., Huawei Symantec, ICANN, Iconix, Infoblox (BLOX), IronPort, ING Bank, Intuit, Internet.bs, IT Matrix, iThreat Cyber Group, Kindsight, LaCaixa, Lenos Software, MailChannels, MailChimp, MailShell, Malcovery, MarkMonitor, M86Security, McAfee (MFE), Melbourne IT, MessageLevel, Microsoft (MSFT), MicroWorld, Mimecast, Mirapoint, NHN, MyPW, nProtect Online Security, Netcraft, Network Solutions, NeuStar, Nominet, Nominum, Public Interest Registry, Panda Software, Phishlabs, Phishme.com, Phorm, Planty.net, Prevx, Proofpoint, QinetiQ, Return Path, RSA Security (EMC), RuleSpace, SalesForce, SecureBrain, S21sec, SIDN, SiteLock, SoftForum, SoftLayer, SoftSecurity, SOPHOS, SunTrust, SurfControl, Symantec (SYMC), Tagged, TDS Telecom, Telefonica (TEF), TransCreditBank, Trend Micro (TMIC), Trustwave, Vasco (VDSI), VeriSign (VRSN), Wombat Security Technologies, Yahoo! (YHOO), and zvelo.