Many organizations assume they won’t be targeted by phishers.
And we get it. Your security budget is only so big, and you have to make decisions about where to allocate it. You can’t cover all your bases all the time.
But the phishing landscape has moved, and the old ‘rules’ don’t apply anymore.
Last week we published our annual Phishing Trends and Investigations (PTI) report, which revealed substantial changes in the way threat actors select their phishing targets.
More organizations than ever are being targeted by phishing and spear phishing attacks, and if you aren’t prepared you could easily find 2017 to be a very difficult year.
Want to learn more about the latest phishing trends? This month we'll be hosting a webinar to explain the profound shift in the overall cyber threat landscape observed during 2016. There are limited spaces available, so register now to avoid disappointment.
Industry Hit List
Back in 2013, phishers were targeting exactly the industries you’d expect. In fact, almost two thirds of all phishing attacks targeted financial institutions and payment services.
And that makes sense. After all, it’s easy to see where the incentive lies, and how threat actors were making their money.
But things have changed a lot since 2013. Fast-forward a few years and those same two industries account for just 37 percent of all phishing attacks. Still a significant proportion, of course, but far from the monopoly they had in years gone by.
Of course, percentages alone don’t tell the full story. While the proportion of phishing attacks targeting financial institutions and payment services has fallen dramatically, the actual number of attacks has risen year on year.
So if ‘traditional’ phishing targets are seeing more attacks than ever before, there’s only one explanation for their dramatic fall in the rankings. Other, less obvious industries must have seen a massive rise in phishing attacks.
And that’s exactly what the latest PTI report shows. Specifically, three industries have seen huge increases in phishing attacks since 2013: Cloud storage, webmail/online services, and e-commerce.
These trends suggest a fundamental change in the ways threat actors make their money. Instead of relying purely on direct income, through targeting financial institutions and payment services, threat actors have worked out that expanding their target range to include what are typically consumer services can be extremely profitable.
To cut a long story short, using techniques such as mass credential harvesting and password reuse attacks, threat actors have branched out in a big way.
The Geographic Phishing Lottery
If you think American companies are the most likely targets for phishing attacks… you’d be right. In a big way.
Back in 2014, US institutions were targeted by 71% of all phishing attacks. Since then, the total number of attacks against US targets has doubled, and in 2016 accounted for 81% of attacks worldwide.
But despite these figures, the US is far from the only country that should be worried. Other countries have also seen substantial increases in phishing volume, including Pakistan (+38 percent), France (+39 percent), and Switzerland (+76 percent). And if you think those figures are alarming, wait until you see the increase in attacks targeting Canadian institutions: a massive 237 percent rise in phishing volume in 2016 alone.
So what gives? Canada doesn’t seem a likely hotbed for cybercrime, so there must be a logical explanation for this meteoric rise in phishing activity.
And, of course, there is: Canadian financial services.
The World Economic Forum ranks Canada’s banking system as the ‘soundest’ in the world. From 2007 to 2012, the combined market capitalization of Toronto’s top 5 banks rose by 30 percent, easily overshadowing the top banks of New York (down 57.8 percent) and London (down 31.9 percent) during the same period.
Add this to the fact that historically Canadian organizations have not been heavily targeted by threat actors, and thus are likely to have lower levels of security funding, and the situation becomes clear. Following a surge in phishing activity from March to June last year, attacks remained at elevated levels for the remainder of 2016. Attacks against Canadian financial institutions grew by 444 percent during the year, accounting for a large proportion of the overall increase.
Of course, on the flip side, attacks on other nations have decreased dramatically. Despite a significant rise in Brexit-themed phishing attacks during May and June last year, overall attacks on British targets fell by 23 percent in 2016, continuing a trend that has run since 2013. This places Britain at odds with most of its Western counterparts, France and Germany in particular, which have seen significant increases in phishing volume in recent years.
Open Phishing Season
From 2013 to 2015 phishing attacks followed a predictable pattern throughout the year. Typically, they would increase gradually as each year progressed, and finally surge during quarter four to coincide with the holiday period.
2016 was different.
Instead of peaking in the final months of the year, the volume of phishing attacks in 2016 spiked dramatically during May and June, and ultimately trailed off during the holiday season. Perhaps most surprising of all, December saw the lowest number of phishing attacks observed in any month for almost two years.
Why did this happen? For two primary reasons:
- Phishers took advantage of global events
- A substantial spike in shared virtual server attacks
The first of these is pretty simple. Phishers are always quick to take advantage of anxiety and fear, so during the run-up to the historic Brexit vote we saw a massive spike in attacks targeting British organizations. In particular, these attacks targeted payment companies and government organizations, and did so in such high volumes that the number of attacks observed in Britain during May and June was more than double the average for the rest of the year.
The second reason for the substantial mid-year spike experienced worldwide is a little more complex.
A shared virtual server attack occurs when a threat actor compromises a web server which hosts dozens or even hundreds of domains. Once ‘in’, the threat actor can use automated tools to quickly upload their malicious phishing content to every domain on the server. This dramatically enhances the threat actor’s ability to launch mass campaigns, and makes it much harder for security professionals to block malicious domains in a timely manner.
While not exactly a new technique, these types of attacks have not been widespread in recent years. During 2016 we observed a significant spike in the number of shared virtual server attacks: over 300 incidents impacting more than 14,000 domains. That’s 10 percent of the overall phishing attack volume for 2016, and over a third of those attacks took place during May and June.
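The following is an added example, not code from the report or from PhishLabs, illustrating the defender's side of the shared virtual server problem described above. Incident reports arrive as individual phishing URLs, so a compromised host serving hundreds of domains looks like hundreds of unrelated incidents. Grouping the feed by hosting IP and by the path the kit was dropped at (the same relative location on every site, because the upload is automated) surfaces the cluster so it can be escalated to the hosting provider as one case and every affected URL blocked at once. The feed, the IPs (from the documentation ranges) and the domains are constructed for the example; in practice the IP would come from DNS resolution or passive DNS at report time.

```python
"""Triage a phishing-URL feed for shared virtual server attacks.

Added example; the sample feed below is constructed and uses reserved
documentation IP ranges and .example domains.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample feed: (reported phishing URL, IP the hostname resolved to).
# Five unrelated-looking domains share one IP and one kit path; two others do not.
SAMPLE_FEED = [
    ("http://shop-alpha.example/wp-content/.secure/login.php", "203.0.113.10"),
    ("http://bakery-beta.example/wp-content/.secure/login.php", "203.0.113.10"),
    ("http://gamma-blog.example/wp-content/.secure/login.php", "203.0.113.10"),
    ("http://delta-law.example/wp-content/.secure/login.php", "203.0.113.10"),
    ("http://epsilon-rentals.example/wp-content/.secure/login.php", "203.0.113.10"),
    ("http://lone-phish.example/verify/account", "198.51.100.7"),
    ("http://other-site.example/images/update.html", "198.51.100.7"),
]


def cluster_by_host(feed):
    """Group reported URLs by hosting IP, then by URL path, collecting the
    distinct hostnames seen for each (ip, path) pair."""
    by_ip = defaultdict(lambda: defaultdict(set))
    for url, ip in feed:
        parsed = urlparse(url)
        by_ip[ip][parsed.path].add(parsed.hostname)
    return by_ip


def find_shared_server_attacks(feed, min_domains=3):
    """Return one finding per (ip, path) where at least `min_domains` distinct
    domains carry the same phishing path. Findings are sorted largest first.

    The shared path is the discriminating signal: a single compromised site or
    a dedicated phishing host will not show the same kit location across many
    unrelated domains on one IP.
    """
    findings = []
    for ip, paths in cluster_by_host(feed).items():
        for path, domains in paths.items():
            if len(domains) >= min_domains:
                findings.append({
                    "ip": ip,
                    "path": path,
                    "domains": sorted(domains),
                    "count": len(domains),
                })
    return sorted(findings, key=lambda f: -f["count"])


def block_entries(finding):
    """Expand a finding into URL-level block entries, one per affected domain.

    URL-level entries are preferred over blocking the IP outright: a shared
    host also serves legitimate sites, and the hosting provider is the party
    that can clean the server itself.
    """
    return [f"http://{domain}{finding['path']}" for domain in finding["domains"]]


if __name__ == "__main__":
    for finding in find_shared_server_attacks(SAMPLE_FEED):
        print(f"Shared host {finding['ip']}: {finding['count']} domains serving "
              f"{finding['path']} -> escalate to hosting provider")
        for entry in block_entries(finding):
            print("  block", entry)
```

Tuning `min_domains` trades sensitivity for noise: a threshold of two will flag legitimate multi-site operators that were hit once each, while the 300 incidents across 14,000 domains cited above average dozens of domains per server, so a threshold of a few is comfortably below the real clusters.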
Data Tells a Story
So what can we learn from all this data? It’s all well and good to see how the phishing landscape evolved during 2016, but what does it mean for individual organizations?
Simply this. Threat actors, and phishers in particular, will go where the money is. They’re constantly searching for new opportunities, new weaknesses, and new ways to monetize their skillsets.
A few years ago nobody was predicting a massive rise in attacks on Canadian financial institutions. Likewise, cloud hosting services seemed an unlikely target, and nobody had even heard of Brexit. And yet here we are at the start of 2017, looking back on a year in which the overall volume of phishing attacks increased yet again.
So if you take anything from this data, let it be this. Just because your industry hasn’t been targeted heavily yet, doesn’t mean you’re safe.
Many industries continue to underfund their cyber security programs, hoping that threat actors will continue to ignore them. That’s exactly what happened with cloud hosting providers, and they paid the ultimate price in 2016. If your industry doesn’t start taking cyber security seriously in the near future, we could be sitting here in early 2018 explaining how and why threat actors suddenly started focusing on you.
And if your industry is already heavily attacked, history suggests that trend will continue unabated. The proportion of phishing attacks targeting your industry may fall, but the actual volume never seems to stop rising.
So whether you’re a Canadian bank, a US school, or a British e-commerce site, the lesson is simple: Phishing is a big deal.
To find out more about the latest phishing trends, download the 2017 PhishLabs Phishing Trends & Investigations Report.