Recent Posts

Recent Blog Posts

The PhishLabs Blog

How Phishing Volume Grew in the First Three Months of 2017

Volume.jpgFor the past several years, we’ve released an annual report during the first quarter of the year detailing precisely how the phishing landscape had evolved during the preceding 12 months.

Known as our Phishing Trends & Intelligence (PTI) report, each issue is the sum total of literally thousands of hours spent each year by our analysts to identify, evaluate, and deconstruct phishing threats.

But this year, we’ve made a major change.

Phishing volume is now so high that it no longer makes sense to issue these reports just once per year. Instead, we’ve decided to produce our PTI report at the end of each quarter, helping security conscious organizations identify and adapt to new threats on a much more timely basis.

Here’s the best part: The Q1 2017 PTI report is already available for FREE right here.

And if you have questions, or you just prefer a more multimedia experience, you can check out last week’s PTI report webinar for free. Hosted by Joe Opacki, our VP of Threat Research, the webinar covers the entire report, as well as providing additional context and specific examples. To watch the webinar (again, it’s free) click here.

For now, we’re going to go through some of the headline findings of the Q1 report.

Seriously, if you haven't already, download the Q1 2017 PTI report. It's FREE, and it includes everything you need to know about what's happening in phishing right now.

Download the Report

There Were How Many?

If you read the report we published at the start of the year, you’ll know that during 2016 our analysts identified over a million phishing sites. In order to do that, we crawled over 300 million unique URLs every single day.

Fast forward to the first quarter of 2017, and we identified a further 143,000 confirmed phishing sites. Globally, that figure is up 20 percent from the preceding three months, and up eight percent from the same period in 2016.

This phenomenal increase in phishing attacks, which has occurred pretty much every year for the past decade, is a big part of why we’ve now decided to issue our PTI report on a quarterly basis.

But it’s not the only reason. In addition to the tremendous increase in volume, phishing tactics and targets are evolving faster than ever. And the fact is, an annual report is no longer enough to keep security conscious organizations up to date on the phishing landscape.

Phishing Targets Evolve Yet Again

During 2016, the top industries targeted by phishing attacks were:

  1. Financial services
  2. Cloud storage
  3. Web/online services
  4. Payment services
  5. E-commerce

And in the first quarter of 2017, the same industries occupy these top spots. So not much changed… right?


Having occupied fourth place last year, attacks targeting payment services companies rose a massive 76 percent compared to the same period last year. Perhaps even more significantly, a whopping 93 percent of those attacks targeted a single provider: PayPal.

Payment services.png

And that wasn’t the only significant change. Having seen huge growth in 2016, mainly due to attacks targeting Dropbox and Google Drive users, cloud storage attacks came back down to earth during Q1 2017, with a 24 percent drop year-on-year.

Unfortunately, it’s very difficult to say whether this change is permanent, or simply a result of phishers identifying temporarily easier targets elsewhere.Cloud Storage.png

As a result of these changes, while the top five targets remained the same in quarter one of 2017, payment services and cloud storage swapped places.Industries targeted.png

But it’s not all about the top five. It’s easy to forget that even industries that account for less than one percent of overall volume are still heavily attacked.

Taking a closer look at some of the smaller players finds two industries in particular that saw a substantial increase in attacks during the first three months of 2017: Software-as-a-Service (SaaS) and social networking.Social + SaaS.png

Attacks on social networking companies doubled in Q1 2017, and were up a massive 213 percent year-on-year. Not only that, the number of attacks in quarter one was significantly higher than we’ve observed in any other quarter for the past three years. Clearly, threat actors have spotted an opportunity in this industry.

Meanwhile, the SaaS industry saw a similarly dramatic increase in attack volume: up 63 percent compared to the previous quarter, and up 225 percent year-on-year. And if you’re wondering which SaaS companies were targeted in particular, Netflix accounts for easily the highest proportion of attacks, having finally toppled Adobe as the “most phished” SaaS company.

Phishing the IRS

In our last report, focussing on 2016, we highlighted a significant and highly concerning trend in phishing: the IRS phish. These attacks targeted both taxpayers and tax professionals, and predominantly aimed to steal taxpayer information for the purposes of conducting tax fraud.

Now, back at the start of 2016, these attacks exploded, with January 2016 seeing more IRS phishing than the entire preceding year. And based on this dramatic increase in attacks, we predicted a similar spike at the start of 2017.

But here’s the thing. That spike… didn’t happen. At least, not quite in the manner we predicted.IRS Phish.png

In the first quarter of 2017, we observed far fewer phishing attacks than we had in the previous year, totaling a 73 percent drop year-on-year. From those figures, it would be easy to assume that phishers had predominantly lost interest in tax fraud related profits.

But that’s not quite the way it happened. It is true that, as a result of enhanced security measures taken by the IRS, the style of attacks fielded in 2016 were far less effective in Q1 of 2017. But rather than prompting phishers to go elsewhere entirely, it simply forced them to be more creative.

Instead of targeting taxpayers, phishers opted to hit tax preparers hard with BEC (business email compromise) and W-2 scams. These scams don’t require a phishing site to be setup (hence the huge drop in volume seen on the graph above) and have the added bonus of enabling phishers to get their hands on large quantities of taxpayer information from a single victim.


W-2 scams, like the example above, are typically followed up with BEC-style emails, which pose as senior executives within the target organization and demand immediate action.

To cut a long story short, IRS scams are still very much alive, but now they’re a problem for every organization.

Sham Security

Another significant evolution during the first quarter of 2017 came in the form of a dramatic increase in the number of phishing sites making use of secure SSL certificates.

SSL certificates are intended both to secure communications between a user’s browser and their target web server. When visiting a website, the existence of an SSL certificate is highlighted in most browsers using a padlock icon or the word “Secure” next to the URL.

Lock icon 2.png

But in the user’s mind, this padlock represents more than just a secure connection, it represents a legitimate and trustworthy website. Unfortunately, this understandable association can be very easy for phishers to exploit.

SSL certificates are often freely available from certificate authorities, and in the past couple of years phishers have gradually started using them to add authenticity to their phishing sites.Secure.png


And in quarter one of 2017, they upped their game in a big way, more than doubling the proportion of phishing sites incorporating SSL certificates to 10 percent.

Top Level Domain Trends

Back in March, we published a breakdown of phishing site top level domains (TLDs) observed during 2016. And, for the most part, the big players are still all there.TLDs.png

.com still accounts for easily the highest proportion of phishing sites, as we’d expect, and other perennial choices such as .net and .org are also still present.

But that’s not to say that everything has stayed the same.

During the first three months of 2017, we observed a dramatic increase in the number of phishing sites using the .io TLD, which is associated with the British Indian Ocean territory. More important than it’s geographical association, though, .io has become a favorite among tech startups, mainly because IO is a commonly used acronym for input/output.

Clearly phishers have cottoned on to this trend, because the .io TLD saw a massive 746 percent increase from the 2016 average.

On the flip side, the previously popular .br TLD saw a big decline during Q1. Having been second only to .com in popularity during 2016, .br saw a 55 percent decrease compared to the 2016 average, knocking it down into fourth place overall.

If you read our previous post on TLDs, you’ll recall that during 2016 phishers started paying attention to many of the newly available global TLDs. These gTLDs are not related to countries, and examples include .website .online and .xyz

But it’s not the lack of geographical attachment that makes gTLDs interesting to malicious actors. Phishers understand that when deciding whether to trust a website, most users pay particular attention to the URL. If the URL appears legitimate, they’re far more likely to trust the site.


gTLDs are great, in this respect, because they enable phishers to construct highly believable URLs without needing to explicitly mention any brand names. For example:

This style of URL is very difficult for the average user to identify as fraudulent, and as a result the use of gTLDs in phishing sites has increased consistently in recent years.

Phishing Tactics Change, but the Antidote Remains the Same

It’s important to realize that, regardless of what the latest phishing innovations are, the motivation is always the same: profit.

The only reason for phishers to look for new targets, or make their lures seem more legitimate, or use different social engineering tactics is to increase or maintain their profit margins. And as a security conscious person, it’s your job to ensure that no matter what innovations occur in phishing tactics or targeting, your workforce is prepared to cope with it.

Later this week, we’ll be looking at the different ways phishers are able to make money from their scams.

Hint: It’s not just about password reuse.

In the mean time, to find out how you can fight back against phishing, and keep your organization secure, check out this post.

Topics: Phishing, PTI Report

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all