Q4 Phishing Report Shows Mixed Bag of Trends, a Need for Diverse Training
Though the Anti-Phishing Working Group’s (APWG’s) headline statement in its Q4 Phishing Activity Trends Report was about the record-shattering number of reported phishing attacks during 2016, there were also some interesting downward trends noted in the data.
2016 Was a Banner Year for Phishing Overall…
The more than 1.2 million phishing attacks recorded by the APWG in 2016 marked a 65% increase over 2015 and were well above any yearly total recorded since the APWG began tracking phishing trends in 2004. The Q4 report noted the stark comparison in statistics from its rookie year: the 92,564 phishing attacks per month in the fourth quarter of 2016 was a 5,753% increase over the 1,609 average attacks per month in the fourth quarter of 2004.
Bottom line: 2016 — overall — was a story of increased volume for link-based phishing emails…
…But Q4 2016 Showed a Continued Trend of Fewer Attacks
It’s clear when you dig into the quarterly APWG statistics from last year that the record-breaking volume noted in 2016 was primarily due to five months — March through July — that marked a huge upward trend in reported phishing activity. Following that peak, volume fell off quite abruptly (and significantly).
The following table consolidates some key quarterly APWG statistics throughout 2016:
| | Q1 2016 | Q2 2016 | Q3 2016 | Q4 2016 |
|---|---|---|---|---|
| Unique phishing websites detected | 289,371 | 466,065 | 364,424 | 277,693 |
| Unique phishing reports received | 557,964 | 315,524 | 229,251 | 211,032 |
| Average number of brands targeted by phishers per month | 418 | 418 | 353 | 318 |
| Average number of URLs per brand | 230 | 371 | 343 | 282 |
You’ll note from the statistics that, following the surges in Q1 and Q2, activity ebbed in Q3 (as echoed by our survey of infosec professionals for our 2017 State of the Phish™ Report). What’s interesting is that reported phishing scams fell off from Q3 to Q4 (though December 2016 did show a sizable uptick in reports received over October and November, likely due to attackers’ attempts to lure users into falling for holiday shopping scams).
Even more interesting? The Q4 metrics were lower than those logged in Q1 (outside of the average number of URLs per brand).
If Volume Is Lower, Risk Is Lower…Right? Not So Fast.
Though it’s nice to think that organizations are seeing a reprieve from the onslaught of Q2, that doesn’t mean that organizational risk is lower. Here’s why:
Attackers Are Getting More Sophisticated About Phishing
Cybercriminals have been learning from their experiences and are generally getting less “buckshot” in their approach in favor of focusing their efforts on “surer things.” As the APWG noted in its Q4 report, “Phishers concentrated on fewer targets during the holiday season, and hit fewer lower-yielding or experimental targets.”
Bottom line: Fewer phishing emails doesn’t necessarily translate into a lower payoff for attackers (or a lower risk for you).
Attackers Are Using Other Methods
Social engineering scams yield results in many arenas, not just email inboxes. We’ve long discussed the need for a security awareness training program to extend beyond the phish, and new insights included in the Q4 report from APWG member company Axur support this. As noted by Fabio Ramos, Axur’s CEO, “Criminals are re-inventing themselves all the time. We’ve seen a decrease in the numbers of regular phishing attacks, and an increase in other methods of fraud, such as malware fake services advertised through social media platforms.”
Case in point: Axur’s analysis of 2,000 fraud occurrences targeting Brazilian companies and individuals in Q4 2016 revealed 952 instances of social media scams and 318 mobile app scams — both of which topped the 304 incidents related to traditional phishing fraud. Ramos advised, “We believe that now, more than ever before, efforts should be aimed at reaching out and monitoring several different channels where the frauds can take place.”
Bottom line: Anti-phishing training is a great start, but it’s not the be-all and end-all of security awareness training.
Ransomware-Based Phishing Stats Aren’t Tracked by the APWG
Here’s how the APWG defines its methodology for logging phishing emails:
APWG tracks and reports the number of unique phishing reports (email campaigns) it receives, in addition to the number of unique phishing sites found. An e-mail campaign is a unique e-mail sent out to multiple users, directing them to a specific phishing web site (multiple campaigns may point to the same web site).
Based on this statement, it seems that the APWG is only logging link-based phishing attacks, not those tied to data entry forms or infected attachments. I did confirm with the organization that ransomware attacks are not included in their statistics. They indicated that, based on their methodology, they consider ransomware to be a malware attack, not a phishing attack; as such, ransomware is not counted in the APWG's reported phishing stats.
Given that ransomware is on the rise and is frequently delivered via phishing emails, the exclusion of these numbers is, in our opinion, a reason for the decline in the APWG's reported number of phishing attacks. As such, this doesn’t mean that phishing, on the whole, is declining. And, as we noted in a recent post, lack of security awareness training spells trouble for endpoint protection, particularly where ransomware is concerned.
Bottom line: Pay less attention to phishing trends, and more attention to end-user risk management.