Phishing attacks are on the rise, and show no signs of slowing down: Nearly 1.4 million new, unique phishing sites are created each month, according to the Webroot Quarterly Threat Trends Report, released Thursday. In May, this figure reached a high of 2.3 million sites created, the report found.
Phishing attacks—in which criminals send fraudulent emails that appear to be from a real contact or company to attempt to get the victim to share sensitive information—are the no. 1 cause of breaches worldwide, with an average of 46,000 new sites created each day. This year has seen unprecedented growth of these attacks, with the sheer volume of new sites making them difficult for businesses to defend against, the report noted.
Some 59% of hackers said that phishing was the best way to steal people's information, according to a recent Bitglass survey. Phishing scams cost American businesses $500 million per year, according to an FBI Public Service Announcement from May 2017. And phishing was found to be the cause of 90% of breaches and security incidents, Verizon found.
SEE: Information security incident reporting policy (Tech Pro Research)
Today's phishing attacks are highly targeted, sophisticated, and difficult to detect, making them increasingly hard to avoid. The phishing sites being built each day appear to be realistic, and are almost impossible to find using web crawlers, the report stated. And instead of randomly targeting large groups of people, hackers now use social engineering to individualize attacks.
Though the volume of phishing sites is incredibly dense, they tend to also be extremely short-lived: The majority of new phishing sites are online and active for only four to eight hours, according to Webroot. These sites are also designed to avoid detection by typical anti-phishing strategies such as block lists—even if those lists are updated hourly, they are usually three to five days out of date by the time they are made available. At that point, attackers may have already targeted users and disappeared, the report noted.
"Today's phishing attacks are incredibly sophisticated, with hackers obfuscating malicious URLs,
using psychology, and information gleaned from reconnaissance to get you to click on a link," said Hal Lonas, CTO of Webroot, in a press release. "Even savvy cybersecurity professionals can fall prey. Instead of blaming the victim, the industry needs to embrace a combination of user education and organizational protection with real-time intelligence to stay ahead of the ever-changing threat landscape."
Millions of zero-day websites used for phishing also rise each month. However, these sites tend to impersonate a small number of company. Financial institutions and tech companies are the most likely to be impersonated, Webroot found.
Here are the top 10 companies that phishing attackers impersonated in the first six months of 2017:
1. Google (35%)
2. Chase (15%)
3. Dropbox (13%)
4. PayPal (10%)
5. Facebook (7%)
6. Apple (6%)
7. Yahoo (4%)
8. Wells Fargo (4%)
9. Citi (3%)
10. Adobe (3%)
Users should be wary if they receive an email that appears to be from any of these sources that asks them to click on a link or download a file.
To learn more about how to best train your employees to avoid phishing attacks, click here.
Want to use this data in your next business presentation? Feel free to copy and paste these top takeaways into your next slideshow.
- Nearly 1.4 million new, unique phishing sites are created each month. -Webroot, 2017
- The majority of new phishing sites are online and active for only four to eight hours, and designed to avoid detection by typical anti-phishing strategies such as block lists. -Webroot, 2017
- Google, Chase, and Dropbox are the three companies that phishing attackers impersonated most often in the first half of 2017. -Webroot, 2017
- How to build a successful career in cybersecurity (free PDF) (TechRepublic)
- What is phishing? How to protect yourself from scam emails and more (ZDNet)
- Information Security Management Fundamentals (TechRepublic Academy)
- Phishing: These are the days of the week when you're most at risk (ZDNet)
- Want to improve cybersecurity? Try phishing your own employees (TechRepublic)
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.