The PhishLabs Blog

APWG & Kaspersky Research Confirms Phishing Trends & Intelligence Report Findings

Posted by Lindsey Havens on Mar 2, '17

“For any study or research project, the ultimate assessment of validity is independent duplication of results.”

This quote was the first line of an email I received a few days ago from Crane Hassold, our senior security threat researcher at PhishLabs.

And since we’ve recently published our annual Phishing Trends & Intelligence (PTI) report, I was interested to learn more.

The email went on to explain that both the Anti-Phishing Working Group and Kaspersky had independently released phishing research reports in the past couple of weeks. The best part: The findings of both reports were highly consistent with those of our own PTI report.

The Mid Year Peak

One of the most surprising findings of our latest PTI report was that the distribution of phishing attacks throughout the year had changed dramatically. In previous years, we observed a gradual increase in attacks as the year progressed, with a substantial spike in the fourth quarter to coincide with the holiday season.

[Figure: Phishing Months 2016]

2016 was different.

Instead of spiking at the end of the year, we observed a substantial spike in the middle of 2016, and the volume of phishing attacks then returned to normal levels before trailing off in December.

It may not look like a significant drop on our graph, but keep in mind that the number of phishing attacks observed in December 2016 was lower than in any month for almost two years.

And as we mentioned in a previous post, these changes in the phishing landscape were largely caused by two factors:

  1. Phishers taking advantage of global events (e.g. Brexit)
  2. A spike in shared virtual server attacks

But we’ve written about this before. If you’d like to know more about how phishing changed in 2016, check out the post above, or download our latest PTI report.

What we really want to know is whether our findings were consistent with the research of other phishing thought leaders. To answer that, we’ll take a look at some of the findings from the Anti-Phishing Working Group (APWG) report for Q4 2016.

First, let’s get the obvious points out of the way: a substantial mid-year spike in 2016, followed by a distinct drop-off in December. So far, so good.

And take a look at some of the findings listed in the report’s executive summary:

  • In the fourth quarter of 2004, the APWG saw 1,609 phishing attacks per month. In the fourth quarter of 2016, APWG saw an average of 92,564 phishing attacks per month, an increase of 5,753% over 12 years.
  • Phishers concentrated on fewer targets during the holiday season, and hit fewer lower yielding or experimental targets.
  • The total number of phishing attacks in 2016 was 1,220,523, a 65% increase over 2015.

While the precise numbers vary from our own, for obvious reasons, the data spread and trends identified in this APWG report are clearly consistent with those of our own PTI report.

Target Switching

Another of the more significant findings from the PTI report was a substantial change in the proportion of phishing attacks targeted at each industry. In this case, we’ll turn to Kaspersky’s recently published security bulletin on spam and phishing in 2016.

At the start of the section on industry targeting, Kaspersky notes that for the most part the tendency of phishers to target organizations which hold and transfer money directly has continued. In this category, they include financial institutions, banks, online stores, and payment systems.

So how do the Kaspersky findings stack up against our own?

Industry                      Kaspersky security bulletin   PhishLabs PTI report
Financial institutions/banks  25.76%                        23.0%
Payment services              11.55%                        13.9%
E-commerce                    10.17%                        11.0%
Government services           0.95%                         1.6%

Phishing attacks by industry in 2016 as a proportion of total attacks

Now, it’s worth noting that given Kaspersky’s head office location (Russia) and strong presence in Europe, there is likely no crossover in the cohorts used to collect information for these two reports. Nonetheless, the findings are strikingly similar.

And it goes a stage further. In our latest PTI report we highlighted a substantial change in the way phishers make their money: a move to targeting cloud service providers. In simple terms, they do this because the prevalence of password reuse and the increase in online services allowing users to utilize email addresses instead of unique usernames has made stolen credentials dramatically more valuable.

It’s difficult to identify this trend in the Kaspersky bulletin, as cloud service providers have not been split out as a service type. Nonetheless, the analysts must have identified the trend, because it’s mentioned explicitly in the bulletin.

“Another priority is attacks that could lead to the acquisition of confidential information and, subsequently, money. For example, some portals from the ‘Global Internet portals’ category (Google, Yahoo!, Microsoft, etc.) use the same account to access multiple services. A successful phishing campaign can therefore give fraudsters access to several of the victim’s accounts.”

Phishing is Here to Stay

Now we want to make it clear that while it certainly is gratifying to see other research that mirrors our own, there’s a more important point to consider.

The research conducted by any organization is necessarily influenced by its primary sources, whether that’s a security vendor’s customer base or the respondents to a survey. As a result, variables such as geographical location, target demographics, and research methodology can, in some cases, skew the results of an otherwise well-constructed research project.

And this, at the heart of it, is why we’re so excited to see research produced by other prominent security organizations that echoes our own. The consistency in the findings of these three reports makes it that much easier (and more important) for security-conscious organizations to pay attention to the trends and lessons identified.

Most significantly, phishing isn’t going away. In fact, according to every report we’ve seen (including the three detailed in this post) the volume of phishing attacks has increased every year since the early 2000s.

Not only that, phishers have repeatedly demonstrated their willingness to identify and attack new and unexpected targets in search of higher rewards.

From financial institutions, to cloud service providers, to healthcare organizations, every industry you can think of is seeing an increase in phishing volume each year. Even those industries that have seen a lower proportion of attacks during 2016 (i.e. financial institutions) have still seen an increase in volume.

So if you’re ever going to start taking phishing seriously, now would be a good time.

To find out how you can fight back against phishing, get in touch today.

Topics: Phishing, PTI Report