2019 Phishing Trends and Intelligence Report: The Growing Social Engineering Threat
INTELLIGENCE REPORT
The Growing Social Engineering Threat
FOUNDER’S NOTE
Phishing is social engineering using digital channels. Email, web, social media, SMS, and mobile apps are all major parts of our digital lives. And they are all being abused for phishing attacks.
WE ARE PHISHLABS
We help enterprises protect their employees, customers, and brands against social engineering.
Phishing volume rose steadily during Q1 of 2018, remained high in Q2 and Q3, and declined in Q4.
Credentials for financial, email, cloud, payment, and SaaS services were the most frequently targeted.
The use of free domains, hosting, and SSL certs in phishing attacks was prevalent in 2018.
The vast majority of email threats that reached corporate users were credential theft and email scams. More on pages 23-24.
Corporate users fell for these types of lures the most during simulated phishing exercises. More on page 22.
VOLUME TRENDS
INCREASING SHARES
After being displaced by email/online services in 2017, financial institutions are back on top as the single
most targeted industry. While the financial industry’s share of global volume has fluctuated each year,
the volume of attacks has consistently risen. Meanwhile, as the SaaS industry has acquired more users, it
has also seen a steady increase in volume and share.
DECREASING SHARES
As the only top five targeted industry to see a decline in phishing volume (-0.1%), payment services
dropped into fourth place overall. The Ecommerce industry also dropped one position (into sixth
overall), although it did see a 2% increase in phishing volume.
INDUSTRY TRENDS
[Chart: Financial institutions and cloud storage take a bigger share; % volume increases by industry]
While attack volume rose for 26 of the top 30 most attacked countries, there were a number of changes
in 2018’s top 10 compared to the previous year. Most notably, Canada saw a substantial rise in phishing
volume starting from April 2018, pushing it into second place overall. Much of this volume is accounted
for by campaigns targeting a large Canadian financial transaction network. Turkey saw the largest
volume shift, but still only accounts for 1% of total phishing volume.
INFRASTRUCTURE TRENDS
Use of free hosting providers has increased significantly over the past four years, from just 3% of total phishing volume in 2015 to 13.8% in 2018.
[Chart: free hosting share of total phishing volume by quarter, Q1 2015 through Q4 2018; y-axis 0% to 16%; data labels 7.9% and 13.8%]
In Q4, for the first time since tracking, there was a slight decline to 47%.
INFRASTRUCTURE TRENDS
In line with the previous year, we saw a continued rise in the use of low-cost generic TLDs during 2018.
The number of phishing sites observed on gTLDs more than doubled last year, and their share of total
phishing volume rose from 5% to 8%.
[Chart: share of total phishing volume on gTLDs, 5% in 2017 vs. 8% in 2018]
Increase in 2018 by gTLD:
.xyz +149%
.tech +53%
.stream +5261%
.online +136%
.bid +410%
INFRASTRUCTURE TRENDS
Historically, most phishing sites have been hosted on legitimate domains that are compromised, rather than
domains specifically registered by phishers. As a result, the breakdown of TLDs used for phishing sites has
closely mirrored that of the general website population. However, we have started to observe some TLDs that
are significantly over-represented among phishing sites.
TLD    % of phishing sites    % of all websites
.TK    2%                     0.1%
.CF    2%                     <0.1%
.GA    2%                     <0.1%
.ML    2%                     <0.1%
.GQ    1.4%                   <0.1%
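The table above is useful as an enrichment signal rather than a blocklist: a TLD that accounts for 2% of phishing sites but only 0.1% of all websites is roughly twenty times over-represented, and that ratio can be attached to URLs seen in proxy or mail logs to prioritise review. The following script is an added example, not code from the PhishLabs report. It takes the report's five TLD figures, treats every "<0.1%" entry as 0.1% (an assumption, so the ratios for those rows are a floor), extracts the last host label as the TLD (a simplification that is correct for these single-label ccTLDs but not for suffixes such as co.uk), and runs the check over a few constructed log lines; the log format, hostnames and threshold are all invented for the example.

```python
"""Added example: score logged URLs by how over-represented their TLD is
among phishing sites, using the ratio (share of phishing sites) / (share of
all websites) from the report's table. Not part of the original report."""
from urllib.parse import urlparse

# Figures from the report's table as (percent of phishing sites, percent of all
# websites). "<0.1%" is taken as 0.1% (assumption), so those ratios are a floor.
TLD_SHARE = {
    "tk": (2.0, 0.1),
    "cf": (2.0, 0.1),
    "ga": (2.0, 0.1),
    "ml": (2.0, 0.1),
    "gq": (1.4, 0.1),
}


def overrepresentation(tld: str) -> float:
    """Ratio of phishing share to general-web share for a TLD.
    Returns 1.0 (no signal) for TLDs not in the table."""
    shares = TLD_SHARE.get(tld.lower())
    if shares is None:
        return 1.0
    phishing_pct, web_pct = shares
    return phishing_pct / web_pct


def tld_of(url: str) -> str:
    """Return the last label of the URL's host, lower-cased.
    Naive on purpose: good enough for .tk/.cf/.ga/.ml/.gq, but a real
    deployment should use a public-suffix list for multi-label suffixes."""
    if "://" not in url:
        url = "http://" + url  # urlparse needs a scheme to find the host
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def triage(log_lines, threshold: float = 10.0):
    """Return (url, ratio) for every logged URL whose TLD is over-represented
    among phishing sites by at least `threshold` times.
    Constructed log format: '<timestamp> <user> <url>' separated by spaces."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the batch
        url = parts[2]
        ratio = overrepresentation(tld_of(url))
        if ratio >= threshold:
            flagged.append((url, ratio))
    return flagged


# Constructed sample proxy-log lines; hostnames are invented.
SAMPLE_LOG = [
    "2018-11-02T09:14:03Z alice http://secure-login-bank.example.tk/verify",
    "2018-11-02T09:14:09Z bob https://www.example.com/home",
    "2018-11-02T09:15:41Z carol http://account-update.example.ga/",
    "garbage-line-without-url",
]

if __name__ == "__main__":
    for url, ratio in triage(SAMPLE_LOG):
        print(f"{url}: TLD over-represented {ratio:.0f}x among phishing sites")
```

Because the ratio is a floor for the "<0.1%" rows and the table covers only five TLDs, treat the score as one input to analyst prioritisation alongside domain age, hosting provider and certificate data, not as a verdict on its own.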
CORPORATE USER SUSCEPTIBILITY
MOBILE BANKING TROJANS
MARCHER
BANKBOT
ANUBIS
the official Google Play Store on several occasions.
family. This is unusual because few threat groups possess the skills necessary to develop complex malware from scratch.
Via @CryptoInsane
KEY TAKEAWAYS FROM 2018
• Total phishing volume rose significantly (40.9%)
• Financial, email, cloud, payment, and SaaS credentials were prime targets (83.9% of attacks)
• Far more attacks used free hosting and domains than in prior years (2x growth)
• Attackers continue to use free SSL certificates to be more effective (nearly 50% of attacks)
• Corporate users are most susceptible to Finance/HR and Ecommerce email lures (31% and 27% click rates)
• Nearly half (42%) of emails reported by corporate users pose some risk
• The vast majority (98%) of malicious emails that reach corporate inboxes contain no malware
MANY VARIABLES, ONE CONSTANT
In 2018 we observed a continued willingness on the part of threat actors to adapt to new opportunities — free hosts and domains, SSL certificates, and SMS phishing to name a few.
But while tactics evolve, one thing remains the same: phishing still works.
Simply defined, phishing is social engineering via digital means. And with our increasing reliance on a variety of digital channels in our everyday lives, phishing is easily the most versatile and low-cost weapon in an attacker’s arsenal.
Novice cybercriminals use phishing to steal credentials and distribute ransomware. Organized gangs use it to carry out financial fraud and steal millions of dollars. Nation-state actors use it to gain strategic access to target environments.
To protect the enterprise, it is essential to defend against phishing attacks across email, web, social media, SMS, mobile apps, and other digital channels.
Thank you for reading the 2019 Phishing Trends and Intelligence Report.
We hope you found the information useful.