Phishing Attacks Hit New Record in 2016

The Anti-Phishing Working Group (APWG) released a new report this week which found that 2016 was the worst year in history for phishing scams. The total number of phishing attacks last year was 1,220,523 — a 65 percent increase over the number of attacks recorded in 2015.

Founded in 2003, APWG is a global industry, law enforcement and government coalition focused on unifying the global response to electronic crime.

A press release detailed how APWG’s Phishing Activity Trends Report also found that the number of phishing attacks over the past ten years has generally increased each year. For example, in the fourth quarter of 2004, there were 1,609 phishing attacks per month; in the fourth quarter of 2016, there was an average of 92,564 attacks each month — an increase of 5,753 percent over 12 years.

“Phishing is an attack that relies primarily on fooling people, rather than highly sophisticated technical implementations,” said APWG Senior Research Fellow and iThreat VP Greg Aaron. “For that reason, phishing remains both popular and effective. Also, the APWG’s numbers for 2106 just measure broad-based attacks against consumer brands. The numbers don’t attempt to catalog spear-phishing, which is highly targeted phishing that targets only a few specific people within a company. Truly, phishing is more pervasive and harmful than at any point in the past.”

The APWG also included information from its global members in the report which shared how companies around the world experience and defend against phishing scams. The main finding is that phishers are getting savvier about how they trick victims online.

Axur, which protects companies and their users in Brazil, found that cybercriminals in that country are using both traditional phishing and social media for their scams and utilizing technical tricks that make it harder to stop these crimes before they affect anyone.

“Criminals are re-inventing themselves all the time,” said Fabio Ramos, CEO of Axur. “We’ve seen a decrease in the numbers of regular phishing attacks — and an increase in other methods of fraud, such as malware fake services advertised through social media platforms.”

APWG member RiskIQ detailed how phishers can use hyperlinks, URL shorteners and brand names within a URL to trick people into clicking on a fraudulent link.

“A relatively low percentage of phishing websites targeting a brand attempt to spoof that brand in the domain name — whether at the second-level or in the fully-qualified domain name,” said Jonathan Matkowsky, VP for intellectual property and brand security at RiskIQ.