The number of phishing attacks reached a record high in the first quarter of 2022, with the three-month total crossing the one million mark.
The Phishing Activity Trends report (PDF) by the Anti-Phishing Working Group (APWG) recorded 1,025,968 phishing attacks by March 2022.
This was a 15% increase (137,383 attacks) over the 888,585 attacks recorded during the fourth quarter of 2021 (Q4 2021).
The group recorded 384,291 attacks in March, 309,979 in February, and 331,698 in January.
The latest phishing report noted that the number of phishing attempts had tripled since 2020, when APWG recorded between 68,000 and 94,000 attacks per month.
APWG observes phishing, social engineering, and other identity theft tactics reported by its members, researchers, and the public.
The group posited that the number of phishing attacks could represent the number of phishing sites recorded during the period. The reason is that phishing schemes could have thousands of URLs pointing to the same phishing page.
Financial sector was the most targeted by phishing attacks
The financial sector, which includes banks, accounted for the highest number of phishing attacks recorded, representing nearly a quarter (23.6 percent) of all attacks.
Webmail and Software-as-a-Service (SaaS) providers recorded the second-highest number of attacks (20.5%), followed by ecommerce/retail (14.7%), social media (12.5%), and cryptocurrency exchange and wallet providers (6.6%).
APWG also observed that phishing attacks against e-commerce sites and retailers decreased from 17% after the holiday shopping season, while social media attacks increased from 9%.
“Social media attacks against business continue to grow quickly,” John LaCour, Principal Product Strategist at PhishLabs by HelpSystems, said. “The average company is targeted nearly three times a day via social media.”
According to LaCour, impersonation attacks represented 47% of all social media attacks, up from 27% in the previous quarter.
“A lot of companies don’t realize that their executives are being spoofed on social media,” LaCour added. “This is a huge business risk.”
The report also found that threat actors targeted payment and logistics & shipping companies, accounting for 5.0% and 3.8% of phishing attacks, respectively.
Ransomware attacks decreased in early 2022
Email security company and APWG member Abnormal Security detected a 25% reduction in ransomware attacks. The decline affected all industries except the financial sector.
The report attributed the reduction in ransomware attacks to the attrition of Conti and Pysa ransomware gangs. The researchers suggested that law enforcement actions and infrastructure takedowns contributed to the decrease in ransomware attacks.
However, the financial services industry recorded a 35% increase in ransomware attacks in Q1 2022. Abnormal Security also found that the number of ransomware attacks targeting financial institutions increased by 75% in Q1 2022 compared to Q1 2021.
The report attributed the growth to increased targeting of financial institutions by LockBit ransomware. Such attacks targeted “smaller accounting and insurance firms.”
According to the report, LockBit targeted victims large enough to pay the ransom, making the hacking effort worthwhile, but not so large as to be well defended.
Garret Grajek, CEO at YouAttest, noted that phishing attacks were the doorway to other cyber attacks, including ransomware.
“Phishing is the leading source of hacking access to enterprises,” Grajek said. “But what’s important to note – is that Phishing is just the first step to the cyber kill chain – e.g., a foothold onto a device that has access to the victim’s environment.”
Grajek posited that attackers could escalate privileges, move laterally, and maintain persistence while communicating with command-and-control (C2) servers to complete a data breach.
“The key is to stop the user early in the cycle – zero trust and strong identity governance are key security measures to stop the hacker from executing the malicious steps of the attack. Recognizing changes in identity and permissions are a vital way to recognize nefarious hacker activity,” Grajek said.
BEC attacks remained stable in Q1 2022 while average losses increased
In Q1 2022, APWG found that business email compromise (BEC) attacks remained steady, but the amount requested by scammers increased by over two-thirds.
Agari, an APWG member, classified BEC attacks as “response-based spear-phishing attacks,” impersonating a trusted individual to trick the victim into making a transaction or sending sensitive information.
Agari found that the average amount requested in wire transfers during BEC attacks increased from $50,027 in Q4 2021 to $84,512 in Q1 2022, representing a 69% increase.
The firm attributed the rise to a 280% increase in the amounts exceeding $100,000 requested by scammers.
Scammers prefer Gmail email services and Namecheap domain registration
The APWG member also found that 82% of BEC emails originated from free webmail accounts, with Gmail.com accounting for 62% of all malicious emails. Microsoft and Verizon Media accounted for 20% and 10% of phishing emails, respectively.
The report also found that the domain registrar Namecheap accounted for a third (33%) of BEC attack domains registered, followed by GoDaddy (13%), Google (12%), PublicDomainRegistry (5%), Hosting Concepts B.V. (5%), and 1&1 IONOS SE (4%).
However, most threat actor-controlled domains were registered with other domain registrars.
“In Q1 2022, 82% of Business Email Compromise messages were sent from free webmail accounts. Of those, 60 percent used Gmail.com,” John Wilson, Senior Fellow, Threat Research at HelpSystems, said. “For the 18% of BEC messages sent from attacker-controlled domains, Namecheap was the most popular registrar. One-third of all maliciously registered domains used for BEC attacks were registered via Namecheap.”
According to LaCour, credential theft phishing against enterprise users increased by 7%, making up to 59% of all malicious emails.
QBot was responsible for delivering nearly three-quarters (74.5%) of phishing emails to corporate inboxes, followed by Emotet (16.7%), and BazaLoader (3.9%).
Rajiv Pimplaskar, CEO of Dispersive Holdings, noted that phishing attacks could be a springboard for cyber warfare.
“With the increased involvement of nation-state actors and the cyber cold war intensifying, phishing is a key attack vector to establish backdoors and/or credential theft. Phishing is often used in conjunction with other forms of MITM or supply chain attacks to try and log in rather than hack into most conventional cyber defenses with relative ease.”
Pimplaskar advised businesses, especially critical infrastructure entities, to bolster their cyber defenses with military-grade solutions that offer improved protection.