Phishing has emerged as one of the most dangerous types of security threats for businesses, with phishing attacks growing in the second quarter of this year, especially against software-as-a-service and webmail services. That’s according to a recent report by the Anti-Phishing Working Group (APWG), a nonprofit industry association that fights phishing, crimeware and e-mail spoofing.
The APWG defines phishing as “a criminal mechanism employing both social engineering and technical subterfuge” to steal data on personal identities or financial credentials. The APWG tracks the number of unique phishing Web sites as a primary measure of phishing volumes across the globe. A single phishing site may be advertised as thousands of customized URLs, but they often lead back to the same attack destination.
The total number of phishing sites detected by the APWG in the second quarter was 182,465 – up slightly from the 180,768 sites in 1Q-2019, and up notably from the 138,328 in 4Q-2018. A total of 341 brands were targeted by phishing campaigns in April, compared to 308 in May and 289 in June.
Social engineering schemes often use spoofed e-mails that claim to be from legitimate businesses. The e-mails are designed to lead recipients to counterfeit Web sites that trick people into giving away financial data and login credentials such as usernames and passwords. Other phishing attack vectors include social media posts, fake banner ads, and browser extensions or plug-ins.
Companies should update staff training and deploy real-time threat intelligence systems to guard against the growing identity theft technique known as “business e-mail compromise,” or BEC. In a BEC attack, the scammer targets employees who have access to company finances, usually by sending them e-mails from fake or compromised e-mail accounts; this targeted form of phishing is known as a spear-phishing attack.
SaaS and webmail sites remained the biggest phishing targets in the second quarter. Phishers harvest credentials to those types of sites and then use them to perpetrate BEC attacks and to penetrate corporate SaaS accounts.
BEC scammers are not picky. They are known to target both large and small companies, causing aggregate losses in the billions of dollars. The bad guys usually impersonate a company employee or other trusted party to fool an unwitting co-worker into sending money such as a wire transfer to a bank account controlled by the criminal. Sometimes these attacks may also involve malware.
Before launching a spear-phishing attack, some sneaky attackers will spend weeks silently browsing a compromised organization’s network to study the organization’s vendors, billing system, and even the CEO’s style of communication.