The Latest in Phishing: March 2016

We bring you the latest in phishing statistics and attacks from the wild.

Phishing Statistics and News:

  • The IRS has warned consumers that phishing attacks are surging, noting that there has been a 400% increase in phishing and malware incidents so far this tax season.
  • Financial Fraud Action UK reported several findings in a new report about phishing in the U.K.:
    • The number of phishing fraud victims rose by 21% in a year
    • Consumers lost £174.4 million, up 23% from the previous year
    • Savvy phishers are increasingly turning to social media to build a profile before they attack their victims
  • The 2016 State of the Phish report was released, detailing the results of millions of mock phishing attacks and a survey of information security professionals. Its key findings include:
    • How personalization affects open and click rates with end users
    • Average mock phishing click rates by industry
    • Most vulnerable and out-of-date plugins
  • Charges were filed in our hometown of Pittsburgh against an Eastern European man who ran phishing schemes that stole about $25 million via wire transfers from various banks and businesses.
  • According to Webroot’s Threat Brief, the U.S. hosted 56% of phishing sites, down from 75% a year before. While phishing attacks overwhelmingly focus on the U.S., the shift indicates increasing interest in attacking other countries. Additionally, over 100,000 net new malicious IP addresses are created in the U.S. each day, up from about 85,000 a day the previous year.
  • A new survey by Vanson Bourne reveals increasing worry among IT professionals about spear-phishing attacks. Almost three out of four IT pros feel that it poses a significant threat to their organization, and 42% noted it was among their top three concerns. More worryingly, respondents said that 28% of spear-phishing attacks are getting through their security infrastructure.
  • A report by Easy Solutions noted attack strategies of phishers against financial institutions. The report found the average number of targets per attack was only 190 individuals, demonstrating the willingness of hackers to “smash and grab” by setting up malicious sites for a small and targeted group of victims. The full report is available for download but requires registration.
  • The 27-year-old CTO of cyber security company Praesidio demonstrated how LastPass users could be tricked into revealing their usernames and passwords via a spoofed pop-up web page resembling the one users sometimes see when logging into third-party sites. He gave LastPass several months’ notice before presenting the proof-of-concept. LastPass redesigned its pop-up window to make it harder to spoof but admitted that any service running within a web browser could be vulnerable to a phishing attack.

Phishing Attacks:

  • A Snapchat employee in the payroll department fell for a phishing attack and ended up exposing information on several current and former employees. In response, Snapchat contacted affected employees and offered two years of identity-theft monitoring and insurance. Additionally, Snapchat says it has improved its security education efforts for employees.
  • Seagate suffered an incident similar to Snapchat’s, when an employee was tricked into giving away W-2 tax documents of all current and former U.S. employees. In response, Seagate is offering affected employees “at least two-years membership to Experian’s ProtectMyID service, paid for by the company.”
  • The Main Line Health hospital system suffered a breach after an employee exposed the personal information of other employees in a spear-phishing attack. According to officials, no patient information was compromised in the breach. Main Line Health responded by setting up a call center to “answer questions and provide information on how to monitor their financial accounts.”
  • Charles Harvey Eccleston, a former scientist at the U.S. Nuclear Regulatory Commission and Department of Energy, pleaded guilty to an attempted spear-phishing attack in January 2015. Before the attempted attack, Eccleston went to a foreign nation’s embassy and offered to sell a list of ~5,000 U.S. energy employees’ email addresses. The embassy official reported the incident to the FBI, which sent a series of undercover agents to meet with Eccleston.
  • A growing number of incidents at hospitals across the country have exposed PHI, PII, and other sensitive information. According to this article, three recent incidents were caused by a phishing attack, unauthorized access to a database, and an improper mailing, respectively, revealing the cost of human error in breaches.