In the field of cybercrime, one of the oldest and simplest, and still one of the most effective, cyberattack methods is phishing: i.e., engaging in fraudulent solicitations via emails or websites to acquire access to victims’ computers and data. In 2020, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) received 241,342 reports from victims of phishing and phishing variants – by far the largest number of victim reports filed with the IC3 in 2020.
On September 22, the APWG (formerly the Anti-Phishing Working Group) issued its Phishing Activity Trends Report for the second quarter of 2021. Key findings in the report included the following:
- General Phishing Trends: After approximately doubling from mid-2020 to mid-2021, the amount of phishing remained “at a steady but high level” in Q2 2021. APWG saw 222,127 attacks in June 2021, which was the third-worst month in APWG’s reporting history.
- Most Affected Sectors: Phishing cyberattackers most frequently victimized the financial institution and social media sectors in Q2 2101. The financial sector accounted for 29.2 percent of all attacks – a 30 percent increase from 22.5 percent of all attacks in 4Q 2020 – while the social media sector accounted for 14.8 percent and the payment sector for 12.2 percent of all 2Q 2020 attacks. Phishing against cryptocurrency targets, such as cryptocurrency exchanges and wallet providers, increased substantially in 2021, from just 2 percent of all attacks in Q1 2020 to 7.5 percent in Q2 2020.
- Business Email Compromise Schemes (BEC): A BEC can be defined as a response-based “spear phishing” attack that involves the impersonation of a trusted party (such as a company executive or vendor) to deceive a victim into conducting a financial transaction or sending sensitive materials. According to the APWG report, the average amount requested in wire transfer BEC attacks in Q2 2021 was $106,000 – a 140 percent increase from the average $75,000 in Q4 2020 BEC attacks. The APWG attributed this increase to “both a rise in high-dollar transfer requests (20 percent of attacks requested more than $100,000 in Q2 compared to just 10 percent in Q1), as well as a decrease in lower-dollar requests.”
- BEC Finance Attacks: In addition, there was a substantial resurgence in BEC attacks directed at payroll diversion in Q2 2021. 24 percent of all BEC attacks reportedly tried to divert employee payroll deposits. That percentage “surpassed wire transfer BEC attacks for the first time since September 2019.”
- Use of Encryption to Deceive Victims: In Q2 2021, 82 percent of phishing websites were protected by Secure Socket Layer encryption – only a slight decline from Q1 2021. Cyberattackers’ use of encryption technology is directed solely at making their sites appear more legitimate to prospective victims.
Information security and compliance officers in companies and government agencies should disseminate this APWG Report to appropriate members of their teams, and include selected data from the Report to other senior officials in their respective enterprises. At a time when many executives have asserted that the COVID-19 pandemic forced their organizations to bypass cybersecurity processes, it is important that Chief Information Security Officers keep them informed about key cybercrime trends and the need to bolster cyberdefenses.