The Latest in Phishing: May 2019

The Latest in Phishing: May 2019

Share with your network!

We bring you the latest in phishing statistics and attacks from the wild.

$1.2B Lost to Business Email Compromise and Email Account Compromise

Phishing and other email-based attacks were top concerns in the latest 2018 Internet Crime Report, recently issued by the U.S. Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3). Last year, the IC3 received 20,373 complaints of business email compromise (BEC) and email account compromise (EAC), with adjusted losses of more than $1.2 billion. The report notes that these attacks have grown increasingly sophisticated in recent years.

The IC3 report also noted that there were 26,379 victims of “phishing/vishing/smishing/pharming” in 2018, accounting for $48,241,748 in losses. Phishing is the initial attack vector in payroll diversion, another scam highlighted in the report. In these instances, cyber criminals use phishing emails to capture employees’ login credentials and gain access to their payroll accounts.

From there, the criminal “will typically add rules to the employee’s account preventing the employee from receiving alerts regarding direct deposit changes. The cybercriminal will then change the direct deposit information, redirecting the payroll funds to an account controlled by the cybercriminal, which is often a prepaid card.”

The IC3 reported roughly 100 complaints of payroll diversion in 2018, with combined losses of $100M. Education, healthcare, and commercial airway transportation were most frequently affected by this scam.

Note: The latest report reflects only the complaints filed directly with the IC3. It’s likely that these types of attacks and fraud are underreported and are far more common than the IC3’s numbers indicate.

Phishing Statistics and News

Attackers Targeting Shared Email Aliases 

Proofpoint’s latest Protecting People: A Quarterly Analysis of Highly Targeted Attacks analyzes the most highly targeted attacks against Fortune Global 500 customers. This installment of the latest quarterly report is based on data gathered between October and December 2018.

Proofpoint researchers found that nearly 30% of the most targeted malware and phishing attacks were directed at generic email accounts, which are typically shared by two or more employees within an organization. Generic addresses like “” can be valuable to attackers for three main reasons: 

  1. They reach multiple targets. 
  1. They are easy to obtain, as they are often public-facing. 
  1. They are harder to protect—multifactor authentication, for instance, doesn’t work well with email addresses shared among several colleagues. 

For more statistics and news, view a summary infographic and download the full report in our resource center.

SaaS and Webmail Services Under Attack

The latest Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG) found that the number of unique phishing reports and phishing websites detected were slightly lower in Q4 2018 than in the rest of 2018. This drop could be an indication that threat actors are shifting targets and techniques. For example, the APWG notes that phishing sites have become harder to detect because attackers are increasingly obfuscating phishing URLs with multiple redirectors.

Here are a few additional statistics:

  • SaaS and webmail services were the most attacked sector in Q4 at 29.8% of all attacks, up from 20.1% in Q3—a percent increase of 48%.
  • Attacks against cloud storage and file hosting sites dropped in comparison to 2018, from 11.3% of all attacks in Q1 to just 4% in Q4.
  • In Q4, the number of phishing sites using HTTPS encryption fell slightly for the first time since the APWG began tracking this metric, but the larger trend continued, with nearly half of all phishing sites using HTTPS encryption.

Phishing Attacks

OneDrive Phishing on the Rise

Proofpoint researchers have identified a trending phishing threat in which fraudulent emails invite recipients to view or download a document in Microsoft OneDrive. The links in these emails take users to authentic-looking (but fake) OneDrive login pages designed to steal their credentials—part of a growing trend of credential compromise attacks. This OneDrive phishing campaign is affecting numerous industries and can target any individual within an organization.

The February installment of our latest Attack Spotlight series provides free security awareness resources you can immediately share with your end users to help them avoid this and other credential compromise attacks.

Seasonal Tax-Themed Phishing Campaigns

As in years past, 2019 saw an expected seasonal increase in tax-themed campaigns in the run-up to the U.S. tax deadline. The phishing campaigns observed by Proofpoint researchers impersonated official tax authorities from around the world, including the U.S. Internal Revenue Service, Canada Revenue Agency, and the New Zealand Inland Revenue Department, among others. A blog post by the Proofpoint Threat Insight Team offers numerous examples of these phishing emails and fake login pages, which can appear quite convincing.

According to the blog, “actors utilized social engineering techniques in subject lines, spoofed emails addresses, and ‘decoy’ links that led to the websites of legitimate government tax offices, many of which were outside of the U.S. In fact, the campaigns we tracked spanned a range of geographies, demonstrating the effectiveness of tax themes as nearly universal lures.”

Fake Job Offers Deliver Malware

Too-good-to-be-true offers should raise anyone’s suspicions. But what about a seemingly reasonable contact from a recruiter? A recent blog post by the Proofpoint Threat Insight Team explored a social engineering scheme in which phishing attackers impersonate legitimate staffing companies. Scammers initially attempt to establish rapport with potential victims by abusing LinkedIn’s direct messaging service. They then use direct follow-up emails, fake websites, and malicious attachments to distribute malware.

This campaign is part of a trend toward “increasingly sophisticated social engineering and stealthy malware,” according to the blog. “This actor provides compelling examples of these new approaches, using LinkedIn scraping, multi-vector and multistep contacts with recipients, personalized lures, and varied attack techniques to distribute the More_eggs downloader, which in turn can distribute the malware of their choice based on system profiles transmitted to the threat actor.”