
2019 PHISHING TRENDS AND INTELLIGENCE REPORT
The Growing Social Engineering Threat
FOUNDER'S NOTE

Phishing is social engineering using digital channels. Email, web, social media, SMS, and mobile apps are all major parts of our digital lives. And they are all being abused for phishing attacks.

This year's report shows how phishing continues to evolve as threat actors adapt to (and exploit) changes in the digital landscape. Targets have shifted, new tactics have surfaced, and attack volume continues to rise.

John LaCour
PhishLabs Founder and CTO

WE ARE PHISHLABS

We help enterprises protect their employees, customers, and brands against social engineering.

ABOUT THIS REPORT

In 2018, we detected and analyzed millions of phishing attacks spanning email, web, social media, SMS, and mobile channels. This report uses the data collected to detail the key trends shaping the phishing threat landscape. The purpose of this report is to help security leaders and practitioners gain a better understanding of phishing so that they can take proactive steps to protect their employees, customers, and brands.
CONTENTS

Founder's Note
Industry Targets
Email Top Trends
Cloud Top Trends
Free Hosting Volume
Phishing Simulations
SMS Phishing
Mobile Malware

SUMMARY OF KEY FINDINGS

Phishing grew 40.9% in 2018. Phishing volume rose steadily during Q1 of 2018, remained high in Q2 and Q3, and declined in Q4.

83.9% of attacks targeted five industries. Credentials for financial, email, cloud, payment, and SaaS services were the most frequently targeted.

Free website infrastructure was heavily abused. The use of free domains, hosting, and SSL certificates in phishing attacks was prevalent in 2018.

98% of attacks in user inboxes contained no malware. The vast majority of email threats that reached corporate users were credential theft and email scams.

The most effective lures were Financial/HR and Ecommerce. Corporate users fell for these types of lures the most during simulated phishing exercises.
VOLUME TRENDS

TOTAL PHISHING SITES BY MONTH

[Chart: total phishing sites per month, January through December, for 2015, 2016, 2017 and 2018; y-axis 0 to 30,000.]

Volume rose steadily during Q1 of 2018, remained high throughout Q2 and Q3, and then trailed off in Q4. This pattern is similar to what we've seen in previous years, with the exception of two significant spikes in total volume during April and August.

* A phishing site is defined as phishing content located on a unique fully qualified domain name or host.
INDUSTRY TRENDS

WHO IS BEING TARGETED?

In 2018 we identified phishing sites targeting 1,263 different brands belonging to 773 parent institutions. The top five targeted industries, financial, email, cloud, payment services, and SaaS, accounted for 83.9% of total phishing volume.

INCREASING SHARES

After being displaced by email/online services in 2017, financial institutions are back on top as the single most targeted industry. While the financial industry's share of global volume has fluctuated each year, the volume of attacks has consistently risen. Meanwhile, as the SaaS industry has acquired more users, it has also seen a steady increase in volume and share.

Share of total phishing volume by year:

Financial: 2015 29%, 2016 24%, 2017 21.1%, 2018 28.9%
SaaS: 2015 0.7%, 2016 1.7%, 2017 6.4%, 2018 7.1%

DECREASING SHARES

Payment services was the only top five industry to see a decline in phishing volume (down 0.1%), and it dropped to fourth place overall. The e-commerce industry also dropped one position (to sixth overall), although it did see a 2% increase in phishing volume.

Share of total phishing volume by year:

Payment services: 2015 10.4%, 2016 14.9%, 2017 15.6%, 2018 11.1%
E-commerce: 2015 10.1%, 2016 11.8%, 2017 8%, 2018 5.8%
TOP PHISHING TARGETS

Financial Institutions
After being displaced by email/online services in 2017, financial institutions were once again the top phishing target in 2018. Financial institutions accounted for 28.9% of all phishing websites in 2018, compared to 21.1% in 2017.

Email + Online Services
Email/online services accounted for 24.1% of phishing sites in 2018, compared to 26.8% in 2017. Despite a slight reduction in share, though, the actual volume of phishing attacks targeting this industry increased by almost a quarter.

Cloud + File Storage
The proportion of phishing attacks targeting the cloud storage/file hosting industry remained constant in 2018 at 12%. Despite this, the actual volume of attacks rose by a substantial 48%.
FINANCIAL INSTITUTIONS

Canadian Interbank Network
Beginning in April 2018, there was an explosion of phishing sites posing as e-Transfer alerts from a Canadian interbank network. Recipients of these phish are told they have received funds, often tax rebates from the Canada Revenue Agency, and are prompted to select their bank and log in using a fake version of their normal online banking system.

Normally, phishers are forced to pose as a single financial institution. This reduces the effectiveness of their attack, as many recipients will not be customers of the institution in question. Modeling the interbank network's e-Transfer alerts is attractive to cybercriminals because it enables them to target customers of several financial institutions at once, increasing their success rate.

Free Hosting Providers
Almost a quarter of all financial phishing sites were hosted by free providers, more than any other industry. By comparison, just 11.6 percent of phishing sites targeting webmail/online services were freely hosted.

Did Somebody Say Free?
While most web hosts charge for their services, some offer limited hosting accounts for free. Phishers abuse these free accounts to create phishing sites (often in very large quantities) at no cost.

000webhost.com is by far the most popular free web host among phishers, accounting for 68.9% of freely hosted phish in 2018.
EMAIL AND ONLINE SERVICES

PHISHING SHARE VS. VOLUME
While email/online services accounted for a slightly reduced proportion of phishing sites in 2018, don't let that fool you. Attack volume continued to rise, and the industry remains a popular target for phishers.

LATE SUMMER SPIKE
Phishing attacks against email/online services spiked in August 2018 due to a campaign targeting a popular company in the industry. The campaign used more than 2,000 freely hosted phishing sites, all created using the same phish kit. The similarity of the phish in this campaign led us to believe one threat actor or group was behind all of the attacks.
CLOUD STORAGE

BIGGER SHARE
The cloud storage/file hosting industry had the dubious honor of rising one place in the rankings during 2018. This was due to a slight reduction in phishing volume targeting the payment services industry, which fell to fourth place.

VOLUME STEADY YEAR-ROUND
Phishing volume was steady throughout the year with no notable peaks or troughs.
COUNTRY TRENDS

MOST TARGETED COUNTRIES

Organizations in the United States remained the most popular targets for phishers in 2018, accounting for 84% of total phishing volume. While this amounts to a slight fall in share (from 85% in 2017), the actual volume of phishing attacks targeting US organizations rose by more than 40% in 2018, and has more than doubled since 2015.
INCREASES IN PHISHING VOLUME

[Chart: percentage increase in phishing volume, by country.]

While attack volume rose for 26 of the top 30 most attacked countries, there were a number of changes in 2018's top 10 compared to the previous year. Most notably, Canada saw a substantial rise in phishing volume starting from April 2018, pushing it into second place overall. Much of this volume is accounted for by campaigns targeting a large Canadian financial transaction network. Turkey saw the largest volume shift, but still only accounts for 1% of total phishing volume.
INFRASTRUCTURE TRENDS

INCREASING USE OF FREE HOSTING

Share of total phishing volume hosted on free providers: 2015 3.0%, 2016 3.9%, 2017 7.9%, 2018 13.8%.

Use of free hosting providers has increased significantly over the past four years, from just 3% of total phishing volume in 2015 to 13.8% in 2018.

Free hosting provides an easy way to set up phishing sites without having to pay for hosting or compromise an existing website. Phishers don't even need to buy a domain, as they are assigned free subdomains, for example: THISSUBDOMAIN.000webhostapp.com

The quantity (not share) of phishing sites using a free hosting provider more than doubled in 2018.
PHISHING VOLUME ON FREE HOSTS

After climbing steadily through Q1, free hosting volume remained consistent for the rest of 2018 with the exception of a spike in popularity during August and September. Use of free hosting providers for phishing sites almost doubled during those months, accounting for 23% and 19% of total phishing volume respectively.

Why Was There a Spike?

Phishing sites are easy to set up using pre-made phish kits, and free hosts make it even easier. A single threat group can create a large volume of sites in a short period of time, so total volume is heavily influenced by the activity of a small number of phishers. If a group that favors free hosts is very active one month, we'll see a spike.

While we observed phishing sites being hosted by more than 50 free providers, 000webhostapp was by far the most popular, accounting for 69% of freely hosted phish.
IMPACT TRENDS

FREE HOSTING & INDUSTRY TARGETING

[Chart: monthly volume, January through December 2018, for financial, email, total volume, and volume on free hosting.]

Fluctuations
Since financial institutions and email/online services account for more than half of all phishing in 2018, it's no surprise that fluctuations in total phishing volume closely mirror trends in these two industries. The August spike also coincides with a substantial rise in phishing attacks hosted with free providers.
INFRASTRUCTURE TRENDS

PHISHING SITES HOSTED ON HTTPS

[Chart: share of phishing sites hosted on HTTPS, by quarter, Q1 2015 through Q4 2018; y-axis 0% to 60%.]

In 2018 threat actors continued to abuse SSL certificates to bypass browser filtering and add credibility to phishing sites. A valid certificate only shows that the connection to the host is encrypted; since free certificates are issued to whoever controls a domain, the padlock says nothing about who is behind the site.

Uptake peaked in Q3, when almost half of all phishing sites were hosted on domains with an active SSL certificate. In Q4, for the first time since we began tracking, there was a slight decline, to 47%.
TOP LEVEL DOMAINS

In line with the previous year, we saw a continued rise in the use of low-cost generic TLDs during 2018. The number of phishing sites observed on gTLDs more than doubled last year, and their share of total phishing volume rose from 5% to 8%.

Share of total phishing volume on low-cost gTLDs: 5% in 2017, 8% in 2018.

Increase in phishing sites during 2018, by gTLD:

.xyz +149%
.tech +53%
.stream +5,261%
.online +136%
.bid +410%
5 ccTLDs ACCOUNT FOR 10% OF PHISHING

The share of phishing sites hosted on country code TLDs (ccTLDs) dropped slightly to 34%, while historic gTLD share remained steady at 58%. The vast majority of historic gTLD volume was made up by .COM, which remained by far the most popular TLD for phishing sites in 2018 at almost half of global phishing volume.

Historically, most phishing sites have been hosted on legitimate domains that are compromised, rather than domains specifically registered by phishers. As a result, the breakdown of TLDs used for phishing sites has closely mirrored that of the general website population. However, we have started to observe some TLDs that are significantly over-represented among phishing sites.

TLD    % of phishing sites    % of all websites
.TK    2%                     0.1%
.CF    2%                     <0.1%
.GA    2%                     <0.1%
.ML    2%                     <0.1%
.GQ    1.4%                   <0.1%
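The infrastructure signals described in the free hosting, HTTPS, gTLD and ccTLD sections above (a subdomain on a free host, the five over-represented free ccTLDs, the fast-growing low-cost gTLDs, and an HTTPS scheme) can be turned into a triage pass over a URL feed. The Python below is an added example, not PhishLabs code or data: it counts sites the way the report's footnote defines them (one unique fully qualified host per site) and tags each site with those signals. The free host and TLD lists are the ones named on this page; the URLs are constructed, and the single-label TLD split (no handling of multi-label suffixes such as co.uk, or of punycode) is a simplifying assumption.

```python
"""Added example: infrastructure triage of a phishing URL feed.
The free host and TLD lists are the ones named in this report; the URLs
below are constructed, not observed data."""
from collections import Counter
from urllib.parse import urlsplit

# Free host the report names as the most abused (68.9% of free-hosted phish).
FREE_HOSTS = ("000webhostapp.com",)
# ccTLDs the report lists at ~2% of phishing sites vs <0.1% of all websites.
OVERREPRESENTED_CCTLDS = {"tk", "cf", "ga", "ml", "gq"}
# Low-cost gTLDs whose phishing use grew fastest in 2018 per the report.
LOWCOST_GTLDS = {"xyz", "tech", "stream", "online", "bid"}
SIGNALS = ("https", "free_host", "free_cctld", "lowcost_gtld")


def _split(url):
    """urlsplit that tolerates bare hosts from feeds (assumed to be plain HTTP)."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def site_key(url):
    """The report's unit of counting: the fully qualified host, normalised
    (lower-cased, port dropped, trailing dot removed). Punycode and multi-label
    public suffixes such as co.uk are not handled here (simplifying assumption)."""
    host = _split(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def classify(url):
    """Tag one URL with the infrastructure signals discussed in the report."""
    parts = _split(url)
    host = site_key(url)
    tld = host.rsplit(".", 1)[-1]
    # Free hosts hand out subdomains: THISSUBDOMAIN.000webhostapp.com
    free_host = next((h for h in FREE_HOSTS if host == h or host.endswith("." + h)), None)
    return {
        "site": host,
        "tld": tld,
        "https": parts.scheme.lower() == "https",
        "free_host": free_host,
        "free_cctld": tld in OVERREPRESENTED_CCTLDS,
        "lowcost_gtld": tld in LOWCOST_GTLDS,
    }


def summarize(urls):
    """Dedupe URLs to sites, then give each signal's share of sites in percent.
    An HTTP and an HTTPS URL on the same host are one site; the site counts as
    HTTPS if any URL for it used it."""
    sites = {}
    for url in urls:
        rec = classify(url)
        prev = sites.get(rec["site"])
        if prev is None or (rec["https"] and not prev["https"]):
            sites[rec["site"]] = rec
    n = len(sites)
    hits = Counter(k for rec in sites.values() for k in SIGNALS if rec[k])
    return {
        "urls": len(urls),
        "sites": n,
        "share_pct": {k: (round(100.0 * hits[k] / n, 1) if n else 0.0) for k in SIGNALS},
    }


# Constructed sample feed (hostnames invented for the example, not observed data).
SAMPLE_URLS = [
    "https://secure-login.000webhostapp.com/bank/",
    "http://secure-login.000webhostapp.com/bank/index.php",   # same site as above
    "https://cra-etransfer-refund.tk/verify",
    "http://mail-update.ml/login",
    "http://docs-share.xyz/open",
    "https://Example-Bank.com:8443/signin",                  # mixed case, explicit port
    "http://files.dropshare.stream/",
    "http://notice.gq./",                                    # trailing-dot FQDN
    "ups-tracking.online/parcel",                            # bare host from a feed
]

if __name__ == "__main__":
    print(summarize(SAMPLE_URLS))
```

Feeding a real URL feed through summarize() gives the same kind of share figures the report quotes (share of sites on free hosts, on HTTPS, on a given TLD), with the dedupe step preventing a single kit that drops hundreds of paths on one host from inflating the count.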
CORPORATE USER SUSCEPTIBILITY

MOST EFFECTIVE PHISHING SIMULATIONS

Phishing simulations are used to train corporate users to detect and report malicious content. The following shows the categories and senders that produce the most failed simulations. A user fails a simulation if they open a simulation email and click on the link or attachment inside.

Failure rate by lure category: HR or Finance 31%, E-commerce 27%, Seasonal 18%, Internal Communications 13%, IT 10%.

The data shows that corporate-style communications are the most effective lures for both threat actors and simulations, which is why BEC attacks pose such a significant risk.

HR or Finance: related to HR or pay-related matters
Internal Communications: non-HR or pay-related emails from within the organization
E-commerce: shipping info, purchase confirmations, etc.
IT: password reset, compromised accounts
Seasonal: greeting cards, for example
PHISHING INCIDENT RESPONSE

EMAILS REPORTED BY CORPORATE USERS

In 2018, we analyzed millions of suspicious emails reported by corporate users. The ratios are consistent with what corporate SOC teams face. A well-tuned team is equipped with the ability to scale and handle all reported threats, even if the majority are not malicious. Our experts categorize reported emails as:

Malicious (6%): Confirmed phishing attacks.

Do Not Engage (36%): While not explicitly malicious, these have enough inherent risk within them to justify an extreme level of caution in any further interaction (pharmaceutical or dating spam, shock content, etc.).

No Threat Detected (53%): Non-malicious email (mostly spam).

Simulation (5%): Emails that simulate phishing attacks, used as part of anti-phishing training programs.
MALICIOUS EMAILS THAT REACH USERS

98% of phishing emails that reached users did not contain or link to malware.

This suggests that email security technologies are good at detecting malware, but struggle to identify social engineering and credential theft phishing. Attacks using these methods are likely to reach user inboxes undetected.

Breakdown of malicious emails by type:

Credential theft: Phishing Site 88%, DocuPhish 12%
Email scams: 419 Scam 83%, BEC 13%, Job Scam 3%, Tech Support 1%
Malware delivery: Crimeware 78%, Ransomware 11%, RAT 11%

Internalized BEC Attacks
DocuPhish attacks are on the rise, and user credentials are the goal. Once a threat actor has taken over an email account, they can use the victim's account to send even more compelling attacks to trick more users into being compromised.

A Closer Look
Most credential theft is achieved using phishing-based links (88%). 419 (Nigerian prince) scams are still the most prevalent form of social engineering (83%). Malware is still a highly diverse attack vector.
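The three malicious families above (credential theft, email scams, malware delivery) are what a SOC analyst has to separate when working a queue of user-reported emails, and the 98% figure is a reminder that the gateway will already have removed most of the malware before the user sees anything. The Python below is an added example, not PhishLabs tooling or data: it parses reported messages with the standard library and applies the kind of content heuristics that separate a macro-bearing attachment (which a gateway sandbox catches well) from a credential lure or a Reply-To-mismatch wire-transfer request (which often reach the inbox). The keyword lists, the extension list and the four sample messages are constructed for the example.

```python
"""Added example: heuristic triage of user-reported emails into the report's
three malicious families. Keyword lists, extension list and sample messages
are constructed for illustration, not PhishLabs data."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types that carry code; a gateway sandbox usually handles these.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".jar", ".hta", ".lnk",
                    ".iso", ".docm", ".xlsm")
# Lure wording typical of credential theft and DocuPhish (assumed list).
CREDENTIAL_LURE = re.compile(
    r"\b(sign ?in|log ?in|verify|password|mailbox|shared a (file|document)|docusign)\b", re.I)
# Lure wording typical of 419/BEC scams (assumed list).
SCAM_LURE = re.compile(
    r"\b(wire transfer|gift cards?|confidential|beneficiary|inheritance|job offer)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _domain(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw_message):
    """Return (family, signals) for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    haystack = (msg["subject"] or "") + " " + text
    files = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    sender, reply_to = _domain(msg["from"]), _domain(msg["reply-to"])
    signals = {
        "risky_attachments": [f for f in files if f.endswith(RISKY_EXTENSIONS)],
        "urls": URL_RE.findall(text),
        "credential_lure": bool(CREDENTIAL_LURE.search(haystack)),
        "scam_lure": bool(SCAM_LURE.search(haystack)),
        # Reply-To pointing at a different domain than From is a classic BEC tell.
        "reply_to_mismatch": bool(reply_to) and reply_to != sender,
    }
    if signals["risky_attachments"]:
        family = "malware_delivery"
    elif signals["urls"] and signals["credential_lure"]:
        family = "credential_theft"
    elif signals["scam_lure"] or signals["reply_to_mismatch"]:
        family = "email_scam"
    else:
        family = "no_signal"  # not "no threat": still needs an analyst, not auto-closure
    return family, signals


def share_without_malware(raw_messages):
    """Percentage of messages triaged as malicious that carry no malware
    (the report's 98% figure, computed the same way over any corpus)."""
    families = [triage(m)[0] for m in raw_messages]
    malicious = [f for f in families if f != "no_signal"]
    no_malware = [f for f in malicious if f != "malware_delivery"]
    return round(100.0 * len(no_malware) / len(malicious), 1) if malicious else 0.0


def _sample(subject, body, sender, reply_to=None, attachment=None):
    """Build a constructed sample and serialise it the way a reported .eml arrives."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.test", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:  # constructed placeholder bytes, not a real document
        m.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


SAMPLES = {
    "credential": _sample("Action required: verify your mailbox",
                          "Your password expires today.\n"
                          "Sign in at http://mail-update.ml/login to keep your mailbox.",
                          "IT Helpdesk <helpdesk@mail-update.ml>"),
    "bec": _sample("Urgent and confidential",
                   "I need you to process a wire transfer before noon.\n"
                   "Keep this between us.",
                   "CEO <ceo@example-corp.test>",
                   reply_to="ceo.office@webmail.example"),
    "malware": _sample("Invoice attached", "Please see the attached invoice.",
                       "billing@supplier.example", attachment="invoice_4471.docm"),
    "newsletter": _sample("This week on the blog",
                          "Read the new posts at https://blog.example.test/",
                          "news@blog.example.test"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {triage(raw)[0]}")
    print("malicious without malware:", share_without_malware(SAMPLES.values()), "%")
```

The ordering of the checks is deliberate: an executable attachment is decisive on its own, a credential lure needs a link to act on, and a scam needs neither. The "no_signal" bucket is not the report's "No Threat Detected"; keyword heuristics miss plenty, so anything the rules cannot place still goes to an analyst.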
MOBILE PHISHING TRENDS

RISE IN SMS PHISHING ATTACKS

In 2018, we observed a significant rise in SMS phishing, particularly targeting the financial industry.

ADVANTAGES FOR THREAT ACTORS

Most people open and read SMS messages reflexively, and don't expect to receive malicious messages.

SMS phish are much more difficult for the security community to track and respond to than traditional phishing attacks.

Mobile-specific phish kits accurately mimic the login screens of legitimate mobile apps. In many cases, these kits contain files for both mobile and desktop phishing sites.
MOBILE BANKING TROJANS

As recently as 2012, over 80% of people accessed the internet using Windows machines. But by 2018 well over half of Internet traffic was accounted for by mobile devices, and Android held the top spot at around 40% of global Internet traffic.

This change in browsing behavior has led to a predictable adjustment in threat actor tactics over the past few years, as they have increasingly focused on attacking mobile (and specifically Android) devices. Credential theft has been the primary motivation behind most mobile attacks.

After the number of active mobile malware families exploded in 2017, mobile threats remained a serious concern last year. The most prevalent mobile trojans in 2018 were BankBot, Red Alert 2.0, and Marcher.
MARCHER

First released into the wild in 2013, Marcher has consistently been among the most widespread mobile malware families, with new variants being released all the time. The Marcher kit is available for purchase through dark web markets, and includes pre-made web pages that imitate the login pages of popular mobile apps.

Early samples of Marcher exclusively targeted the Google Play Store; however, targeting quickly expanded to include financial institutions, social media, e-commerce and auction sites, payment services, and Android utilities across the Americas, Europe, and Australia. Marcher variants have been observed impersonating many popular apps, including Adobe Flash Player and Super Mario Run.
BANKBOT ANUBIS

First surfacing in 2017 when its source code was leaked online, BankBot has become one of the most widespread banking trojans, with hundreds of variants observed in the wild. BankBot variants have infiltrated the official Google Play Store on several occasions.

In March 2018, a new variant of BankBot, dubbed BankBot Anubis, was identified by PhishLabs analysts. BankBot Anubis has been observed impersonating more than 275 unique applications from organizations across the globe.

BankBot Anubis incorporates a wide range of malicious functionality, including ransomware, keylogging, remote access, SMS interception, call forwarding, and overlaying lock screens to steal credentials.
RED ALERT 2.0

A mobile banking trojan first observed in mid-2017, Red Alert 2.0 was noteworthy because it did not seem to be based on leaked code from a previous malware family. This is unusual because few threat groups possess the skills necessary to develop complex malware from scratch.

Red Alert 2.0 can infect any Android device running a version up to 6.0. This is in contrast to many other mobile malware families, which only function on older, unsupported versions of Android. Red Alert 2.0 is in active development, and has been observed targeting more than 120 financial institutions globally.
KEY TAKEAWAYS FROM 2018

• Total phishing volume rose significantly (40.9%)
• Financial, email, cloud, payment, and SaaS credentials were prime targets (83.9% of attacks)
• Far more attacks used free hosting and domains than in prior years (2x growth)
• Attackers continue to use free SSL certificates to be more effective (nearly 50% of attacks)
• Corporate users are most susceptible to Finance/HR and Ecommerce email lures (31% and 27% click rates)
• Nearly half (42%) of emails reported by corporate users pose some risk
• The vast majority (98%) of malicious emails that reach corporate inboxes contain no malware

MANY VARIABLES, ONE CONSTANT

In 2018 we observed a continued willingness on the part of threat actors to adapt to new opportunities: free hosts and domains, SSL certificates, and SMS phishing, to name a few.

But while tactics evolve, one thing remains the same: phishing still works.

Simply defined, phishing is social engineering via digital means. And with our increasing reliance on a variety of digital channels in our everyday lives, phishing is easily the most versatile and low-cost weapon in an attacker's arsenal.

Novice cybercriminals use phishing to steal credentials and distribute ransomware. Organized gangs use it to carry out financial fraud and steal millions of dollars. Nation-state actors use it to gain strategic access to target environments.

To protect the enterprise, it is essential to defend against phishing attacks across email, web, social media, SMS, mobile apps, and other digital channels.
Thank you for reading the 2019 Phishing Trends and Intelligence Report. We hope you found the information useful.

If you would like to discuss the report, contact us at [email protected].

To learn more about PhishLabs and how we help enterprises protect their employees, customers, and brands against social engineering, visit www.phishlabs.com.

For more research and commentary, sign up for our blog at blog.phishlabs.com.

You can also follow us on social media:

@phishlabs
www.linkedin.com/company/phishlabs
www.facebook.com/PhishLabs/