It’s 2018, and most consumers have gotten pretty wise about common types of phishing scams. Even still, a 2015 McAfee survey found that 97 percent of consumers were unable to correctly identify phishing emails, meaning we may be wise about what phishing emails are, but we’re still pretty bad about avoiding them in practice.
Even so, fewer internet users than ever are clicking on suspicious email links or falling for fake websites. Online criminals remain both creative and persistent, though, so phishing scams are still prevalent. One trend in particular has many of us worried: phishing sites served over HTTPS. Multiple reports from security researchers indicate scammers are turning to HTTPS to “legitimize” their phishing attempts, trading on the fact that the browser padlock tells a visitor only that the connection is encrypted, not that the site is who it claims to be.
Data from 2017 and 2018 reveals that phishing scams remain effective tools for criminals to steal data and money, especially from businesses.
This is not to say there’s no good news. According to internet security company Cofense (formerly PhishMe), organizational susceptibility rates went down by 2 percent between 2016 and 2017, to 10.8 percent.
Even as phishing numbers go down in some areas, such scams are still lucrative for online criminals. Many scam artists are changing whom they target and how, one increasingly troublesome example being the trend toward more phone scams (also known as voice phishing or vishing).
Let’s explore what the numbers looked like for 2017-2018.
- 1 2017-2018 phishing: the big picture
- 2 2017-2018 phishing impacts on businesses
- 3 Are US consumers really less aware of phishing scams?
2017-2018 phishing: the big picture
More of us are aware of phishing, but it’s not a problem that’s simply going away. As long as enough people fall for phishing, it will persist. Data from 2017 reveals phishing is on the decline, at least in some ways, but the numbers are still high and still scary. Scam artists continue to hone their skills of behavioral manipulation, persuading unwary consumers and business employees to click on phishing emails, links, and web pages:
- As of 2015, 97 percent of consumers could not correctly identify phishing scam emails. The McAfee survey had 19,000 respondents from around the world, highlighting the global reach of phishing email in general. (Source: McAfee)
- Unexpectedly, those 55 or older are more likely to know what phishing is than their younger peers aged 18-29: 71 percent of those 55 or older correctly identified what phishing is, compared with 61 percent of the younger group. (Source: Wombat Security)
- Germans and UK residents were also more likely to successfully define phishing versus their US counterparts. Over 70 percent of Germans and UK residents could define phishing correctly, versus just 61 percent of US respondents. (Source: Wombat Security)
- According to Kaspersky, phishing scam artists are increasingly using sites served over HTTPS, with valid TLS certificates. This presents a problem for consumers, because the padlock has traditionally been treated as a sign that a website is trustworthy. It is not: a certificate proves only that the operator controls that hostname, and with free, automated certificate issuance a phishing site can obtain one as easily as a legitimate one. (Source: Kaspersky)
- Kaspersky also noted that the US remained the top source of spam worldwide, with over 13 percent of all spam originating in the US. China was the second highest distributor of spam, producing over 11 percent of spam. (Source: Kaspersky)
- Kaspersky’s Anti-Phishing system was triggered 246,231,645 times in 2017, over 91 million more triggers than in 2016. (Source: Kaspersky)
- According to Kaspersky, Brazilian users were the most heavily attacked by phishing in 2017: the Anti-Phishing system fired for 29 percent of Kaspersky’s users in Brazil. The US, UK, and Germany did not make Kaspersky’s top 10, while Australia (22.5 percent) and China (19 percent) rounded out the top three behind Brazil. (Source: Kaspersky)
- PhishLabs’ data appears to contradict Kaspersky’s, with more than 86 percent of all phishing attacks against institutions targeting institutions in the US. The two figures measure different things, however: Kaspersky counts where the attacked users are, while PhishLabs counts where the impersonated institutions are. (Source: PhishLabs)
- Some countries experienced declines in phishing attack volumes in 2017. Those include, but are not limited to, the UK (42 percent decrease), France (50 percent decrease), Italy (77 percent decrease), and Canada (17 percent decrease).
- Overall, Kaspersky found the total volume of “malicious spam messages in 2017 fell 1.6-fold against 2016”. (Source: Kaspersky)
- However, APWG found that the number of unique phishing sites rose 46 percent in 1Q 2018 compared to 1Q 2017. (Source: APWG)
- In its Q4 2017 report, the Anti-Phishing Working Group (APWG) highlighted the “Payment” industry as the most targeted sector during that time. 42 percent of phishing attempts targeted that industry. (Source: APWG)
- In Q1 2018, APWG found the “payment” sector was still the most targeted. (Source: APWG)
- Many phishing sites are “one-time-use” URLs, generated automatically so that each victim receives a unique link, which also blunts URL-based blocklists and makes the sites harder to count. (Source: APWG)
- Despite growing concern about it, most consumers still don’t know what text message phishing, or smishing, actually is. 67 percent offered no guess as to what it is, while just 16 percent answered correctly. (Source: Wombat Security)
- In its 2018 report, PhishLabs found “email and online services” overtook financial institutions as the primary target of phishing attempts. That company’s data shows “email and online services” represented 26 percent of all phishing attacks, compared to 21 percent for financial institutions. (Source: PhishLabs)
- Consistent with Kaspersky’s report, APWG saw a huge increase in 2017 in the number of phishing sites using HTTPS. In Q4 2017, over 30 percent of phishing sites used HTTPS, and the share rose again in 1Q 2018. (Source: APWG)
- The number of phishing sites using free hosting services has increased over the past few years. The most popular of these, 000Webhost, hosted over 30 percent of all phishing sites in 2017. (Source: PhishLabs)
- According to PhishLabs, 56 percent of phishing sites are hosted in the US. India and South Africa also saw sharp increases in the number of sites hosted in those countries, at 121 percent and 110 percent, respectively. (Source: PhishLabs)
- PhishLabs also broke phishing sites down by top-level domain (TLD). The most common TLD used by phishing sites was “.com”, at 49 percent of all phishing sites. (Source: PhishLabs)
- One of the newest mobile phishing threats identified by PhishLabs is “URL padding”: the scammer puts a legitimate-looking hostname, such as a brand’s mobile site, at the left of the hostname, follows it with a long run of hyphens, and places the real domain at the far right. Mobile browsers show only the start of a long URL, so the victim sees the familiar brand and never sees the domain that actually serves the page. (Source: PhishLabs)
- GoDaddy was the number 1 registrar of phishing domains in 1Q 2018. (Source: APWG)
2017-2018 phishing impacts on businesses
Businesses and their employees are a primary focus for phishing scammers, partly because a message that lands in a work inbox can borrow the authority of HR, IT, or management, giving the scammer more levers for emotional manipulation.
And indeed, what’s happening with phishing attacks against both consumers and businesses is what’s known as social engineering. Phishing attempts play on four appeals: fear, greed, obedience, and helpfulness. Especially as it applies to business employees, it’s easy to imagine how an employee might be manipulated into clicking on a phishing attack that uses any of these appeals.
For example, a phishing email warning an employee about an open enrollment deadline for healthcare could lure in enough clicks to do real damage. Employees may feel both the fear of missing the deadline and the need to obey the instruction to sign up before it passes, and may click the link and enter personal information or download malware before realizing the mistake.
Although most business-focused phishing attempts fail, those that do work can be costly.
- According to Cofense, entertainment, social media, and rewards/recognition were the largest motivators for successful phishing attempts against business employees. (Source: Cofense)
- Of the “entertainment”-, “social”- and “rewards”-based phishing emails targeted at businesses, holiday ecards account for nearly 25 percent of all phishing scenarios that worked. (Source: Cofense)
- Among the “fear”-, “urgency”- and “curiosity”-based phishing scenarios, “State Bar Association: Grievance Filed” dominated, at over 44 percent for those emotional-manipulation categories. (Source: Cofense)
- “Employee benefits” emails were also good phish bait for employees, as such emails had a 39.2 percent “take” rate. (Source: Cofense)
- And what might be considered egg on the faces of business employees everywhere, “Mold Found in Office!” had a 24.1 percent “take” rate. It appears those that do receive such links are fairly concerned about moldy office spaces. (Source: Cofense)
- In 2017, 76 percent of organizations stated they received phishing attempts; 81 percent said they received such attempts in Q1 2017. (Source: Wombat Security)
- 45 percent of organizations said phishing attempts came through phone calls (vishing) or text messages (smishing). (Source: Wombat Security)
- Spear phishing attempts appear to have declined 16 percent from 2016 to 2017, but 53 percent of infosec professionals stated they still experienced them. (Source: Wombat Security)
- A bit of good news: Wombat Security found average click rates on phishing emails went down in 2017. (Source: Wombat Security)
- Certain phishing templates still have very high interaction rates. Wombat Security found “Online Shopping Security Updates” and “Corporate Voicemail from Unknown Caller” each had 86 percent interaction rates, while “Corporate Email Improvements” had an 89 percent interaction rate. Wombat Security notes that “Database Password Reset Alerts” and “Update Building Evacuation Plan” templates had nearly 100 percent interaction rates. (Source: Wombat Security)
- Adobe Flash, Adobe PDF readers, Java, and Microsoft Silverlight continue to be major attack vectors behind phishing scams. Scams often lure individuals with fake update prompts for these plugins, and genuinely out-of-date installs compound the risk once a malicious page or attachment is opened. (Source: Wombat Security)
- In 2017, malware infections were the most common result of successful phishing attacks against businesses, with infosec professionals reporting that 49 percent of successful attacks ended in a malware infection. (Source: Wombat Security)
- 38 percent of successful phishing attacks against businesses resulted in compromised accounts. (Source: Wombat Security)
- Many infosec professionals reported “loss of time”, “loss of money”, “business interruption”, and “greater burden on IT/increased helpdesk calls” as the worst impacts from phishing. (Source: Wombat Security)
- Most businesses (64 percent) measure the cost of phishing through the loss of productivity for employees. (Source: Wombat Security)
- 97 percent of businesses use email/spam filters to block phishing attempts. (Source: Wombat Security)
- More businesses than ever are trying to protect themselves against phishing. 76 percent of businesses reported that they measure their susceptibility to phishing attempts in 2017, up from 61 percent who made that claim in 2014. (Source: Wombat Security)
- Employee training against phishing has also hit an all-time high, with 95 percent of businesses reporting that they now train employees to identify and avoid phishing attacks. (Source: Wombat Security)
- Are there consequences from employers for clicking on phishing emails? 45 percent of businesses reported they have consequences in place. 74 percent state consequences involve counseling from a manager, while 25 percent reported removal of access to systems. 11 percent report terminating employees who click on phishing attacks, while just 5 percent reported imposing monetary penalties. (Source: Wombat Security)
- US businesses are the most targeted by phishing attacks, with 57 percent of US businesses reporting attempts in 2017. (Source: Wombat Security)
- US businesses are more likely than those in the UK to assess susceptibility. 86 percent of US organizations make such assessments, versus 53 percent of UK organizations. (Source: Wombat Security)
- Trend Micro expects Business Email Compromise (BEC) attacks, a form of targeted phishing that impersonates executives or suppliers to redirect payments, to result in $9 billion of losses for businesses in 2018. (Source: Trend Micro)
- According to Internet Crime Complaint Center (IC3) data, the most common malicious attachments in phishing emails were disguised as purchase orders, payments, invoices, and receipts.
- Trend Micro found that many look-alike domains used in phishing against businesses swap easily confused letters, such as “u” and “v” or “t” and “f”. Replacing lowercase or uppercase “i” with lowercase “l” is a common gimmick as well; in many fonts the two are nearly indistinguishable, and the swap survives a quick glance at an address bar. (Source: Trend Micro)
- Spam emails are usually pretty small: around 40 percent of spam emails were 2 KB or less in size. (Source: Kaspersky)
- Trojan-Downloader.JS.Sload was the malware family most commonly found in phishing emails. (Source: Kaspersky)
- Facebook, Microsoft, and PayPal were the top 3 organizations whose names were used in phishing attempts in 2017, according to Kaspersky. The numbers are as follows: Facebook: 7.97 percent; Microsoft: 5.57 percent; PayPal: 4.50 percent. (Source: Kaspersky)
- Banks were the most-imitated category in 2017, with 27 percent of phishing scams directing victims toward sites posing as banks of some kind. “Payment systems” (16 percent) and “Global internet portals” (13.5 percent) took the next top spots. (Source: Kaspersky)
- PhishLabs found attacks against SaaS (Software as a Service) companies grew dramatically, recording a 237 percent increase in phishing attacks against the SaaS industry. (Source: PhishLabs)
- Social media also saw a huge increase in phishing attacks, at 190 percent. (Source: PhishLabs)
- On the positive side, government services saw a 70 percent decrease in phishing attacks. (Source: PhishLabs)
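The look-alike letter swaps in the Trend Micro bullet above, the “URL padding” trick from the PhishLabs findings earlier on this page, and the point that an https:// scheme proves nothing about a site’s legitimacy can all be turned into a simple pre-click check. The following Python script is an added example written for this page; it is not code from the original article or from any of the vendors cited. The brand list, the 40-character and triple-hyphen padding thresholds, and the sample URLs are all constructed for illustration, and the two-label registrable-domain rule is a stand-in for a real Public Suffix List lookup.

```python
"""Heuristic checks for look-alike and padded phishing URLs.

Added example for this article; not code from the original page or from
any vendor cited there. Brand list, thresholds and sample URLs below are
constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed: registrable domains the checker treats as protected brands.
PROTECTED_BRANDS = ("paypal.com", "microsoft.com", "facebook.com")

# Character swaps the article describes (u/v, t/f, l for i or I) plus a few
# other common ones. Each key folds to the canonical character on the right,
# so "paypa1", "paypaI" and "paypal" all fold to "paypai" and compare equal.
CONFUSABLES = {"v": "u", "f": "t", "l": "i", "1": "i", "0": "o", "rn": "m"}


def fold(text: str) -> str:
    """Fold confusable characters so look-alike spellings compare equal."""
    out = text.lower()
    for src, dst in CONFUSABLES.items():
        out = out.replace(src, dst)
    return out


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname.

    Simplification for an offline example: production code should use the
    Public Suffix List so that hosts like "example.co.uk" are handled.
    """
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url: str, brands=PROTECTED_BRANDS) -> dict:
    """Return the host, its registrable domain, a verdict and the findings."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    is_https = parts.scheme == "https"
    findings = []

    if reg in brands:
        return {"host": host, "registrable": reg, "https": is_https,
                "verdict": "brand-owned", "findings": findings}

    # 1. Registrable domain that differs from a brand only by confusable characters.
    folded_brands = {fold(b): b for b in brands}
    if fold(reg) in folded_brands:
        findings.append(f"look-alike of {folded_brands[fold(reg)]}")

    # 2. Brand name placed left of the real registrable domain, the trick behind
    #    URL padding: the left part is all a truncated mobile address bar shows.
    left = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
    for brand in brands:
        if fold(brand.split(".")[0]) in fold(left):
            findings.append(f"{brand} appears in subdomain of {reg}")

    # 3. Padding itself: unusually long host or runs of hyphens.
    if len(host) > 40 or "---" in host:
        findings.append("padded hostname (will be cut off on mobile)")

    # 4. Internationalised labels are a classic homoglyph vehicle; flag for review.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph)")

    # Deliberately NOT a finding: the scheme. An https:// URL with a valid
    # certificate proves only that traffic is encrypted to whoever controls
    # that hostname, so it earns the URL no credit here.
    verdict = "suspicious" if findings else "no look-alike indicators"
    return {"host": host, "registrable": reg, "https": is_https,
            "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs; none are real phishing sites.
    for sample in [
        "https://www.paypal.com/signin",
        "https://paypa1.com/login",
        "https://rnicrosoft.com/owa",
        "https://m.facebook.com-----------validate-account.example.net/",
        "https://paypal.com.secure-login.example.net/",
        "http://example.net/",
    ]:
        result = assess_url(sample)
        print(f"{result['verdict']:<24} {sample}  {result['findings']}")
```

Run it directly to see a verdict for each constructed sample. The scheme is recorded but never scored, which is the practical lesson of the HTTPS statistics: a padlock on a look-alike domain is still a look-alike domain. Expect some false positives from the subdomain check (a legitimate partner site with a brand name in its hostname will trip it), which is why the output lists findings for a human or a blocklist pipeline rather than blocking outright.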
Are US consumers really less aware of phishing scams?
If you followed along earlier, this fact obtained via Wombat Security may have stood out to you:
“Germans and UK residents were also more likely to successfully define phishing versus their US counterparts. Over 70 percent of Germans and UK residents could define phishing correctly, versus just 61 percent of US respondents.”
Survey data is not always accurate, and it’s unclear how Wombat Security actually phrased their question. While there may be some truth to Wombat Security’s claims, how consumers are searching online may at least offer more clarity regarding Americans’ lack of knowledge of and/or interest in phishing scams.
US phishing search trends
Google Trends data appears to back up Wombat Security’s survey data, at least to some degree. Based on search volumes available through Google Trends, US residents may be either unfamiliar with the term “phishing” or not concerned enough about the issue to investigate it further. If US consumers are becoming more aware of phishing as a concept, there’s little search data to show for it. While it may be true that US internet users are, in general, getting more cautious about what they click on, Google Trends data shows very little change over at least the past 10 years in how many people in the US use the search term “phishing”.
Fourteen years of Google Trends data reveals search volumes have gone down overall since heavy interest existed in the early 2000s. There has been a slight uptick in interest recently, but more time may be needed to see if that levels off toward the average from the past decade.
There is one exception in the data, however:
On May 3, 2017, Google’s US search volume for “phishing” spiked to a level never seen in 14 years of search data.
The cause? A phishing scam that targeted users of Google’s widely used Gmail service: a malicious third-party app named “Google Docs” asked victims to grant it OAuth access to their Gmail accounts and then mailed itself to their contacts, so it gained access without ever asking for a password. So many news outlets in the country reported on the scam that interest in phishing not only reached its highest point in 5 years in the US, it hit the high point of Google’s entire search history for the term.
This reflects some interesting possibilities for US consumers and their interest in phishing. First, it could be that many consumers in the US may already know about phishing, so they’re just not searching for it. And of course, there’s the chance that many US consumers aren’t aware of phishing at all, which would correlate with the Wombat Security survey data.
However, it’s possible that many consumers don’t specifically know the term “phishing,” and instead utilize different terminology than those of us in IT and journalism.
Take vishing, or voice phishing, for example. These types of scams are increasing dramatically in the US as the National Do Not Call Registry continues to prove woefully ineffective. The US government may have broken up a major IRS phone scam this year, but it’s barely put a dent in roughly 82 million robocalls per day American consumers now receive.
To be fair to consumers, most phishing attempts target businesses, so fewer consumers are going to be using Google to search for the term. It’s also possible many consumers are completely unaffected by phishing attempts, especially thanks to effective spam filters in email services and anti-phishing software included with most antivirus software programs. (That said, Slice Intelligence reports that the year-over-year sales of AV software in the US were down 38.7 percent.)
Nevertheless, other terms associated with phishing do show increasing search volumes in the US. The two that come to mind? “Phone scams” (sometimes referred to as vishing) and “text scams” (for text message or SMS scams, sometimes referred to as smishing).
While more people are interested in text message scams than they were 14 years ago, phone scams have significantly taken off in search volume interest. It appears this was especially the case in 2014. That spike you see in Google’s search volume data for “phone scams” is from February 2014, when news outlets across the US began reporting on a major phone scam to hit consumers: the “One-Ring Phone Scam”.
That scam worked by calling a victim just long enough to let the “missed call” message appear on the phone. If a user called back, he or she would be connected to an adult entertainment service that charged the user’s account a $19.95 international call fee, or at times a smaller fee that the scammers hoped would go unnoticed on the victim’s phone bill.
Are Americans truly less aware of what phishing is? Maybe. But there’s also a good chance that US consumers simply use different terminology when talking about the types of scams associated with phishing. It may also be that tools such as email filters and AV software have reduced the actual impact on consumers enough that phishing has been more muted in the US than in other locations.
After all, US internet users certainly know what “email scams” and “phone scams” are. Even still, when compared to “phone scams”, “text scams” and “email scams”, the term “phishing” represents a far larger volume of searches in the US, indicating that US consumers aren’t completely ignorant of the concept and its many forms.
Worldwide “phishing” search trends
Google Trends offers a comparative look across countries for search volumes. Rather than ranking countries by the raw number of users searching for a term, it normalizes each country’s figure to that term’s share of all searches from that country, so countries compare on interest rather than on how many internet users they happen to have.
The search traffic is a bit telling.
For “phishing” alone, the UK received a score of 71, compared to that of 52 in the United States. Although it’s an English word, countries where English is not the primary language actually topped Google’s search volume data for “phishing”.
In the UK, search interest for the term “phishing” has grown over the past 14 years of Google search data, indicating that there is at least a growing interest in phishing in that country as it relates to the specific use of the word. That may mean many things, including the possibility that UK residents are more familiar with the term and comfortable using the word “phishing” over other, related concepts, such as “email scam” or “phone scam”.
In fact, in the UK, there’s a much larger difference in search volume between the three terms than when compared to the US.
As for overall volume and trends between the two nations, search interest in “email scams” has grown in both over the past few years, and searches for “phone scams” are also growing in both the US and the UK. However, US consumers appear to be more concerned with phone scams, while UK consumers are more concerned about email scams.
Between the two countries, however, it does appear that more UK residents are at least familiar enough and concerned enough with “phishing” to look up the term online.