Phishing Scams Increased in 2015
According to the APWG’s Phishing Activity Trends Report, the number of phishing attacks increased over the first three quarters of 2015.
Internet Service Providers (ISPs) were the most-targeted industry, with the payment and financial services sectors following closely behind. ISP accounts are attractive because cybercriminals can use them to send spam, which allows them to advertise more phishing sites. ISP accounts may also contain personally identifiable information, credit card details and access to domain names and hosting management credentials, which are attractive to phishers.
According to the report, nearly one-third of computers throughout the world are infected with malware. During the first quarter of the year, 36.51% of computers were infected; 32.21% in the second quarter and 32.12% during the third quarter. European countries had the lowest infection rates, while Latin American and Asian countries posted the highest rates.
Wire fraud scams, known as “Business Email Compromise” or “BEC” scams, also intensified in 2015. These use “spear-phishing” methods to target key employees, such as comptrollers and treasury managers, and trick them into transferring large amounts of money into criminal bank accounts. The FBI reported a 270% increase in global losses from BEC scams this year.
“BEC scams seek to socially engineer the employees of a business,” said Carl Leonard, Principal Security Analyst at APWG member Raytheon|Websense. “The attacks use a form of spear-phishing, and initial attacks sent the spear-phishing emails from free domain names that closely resembled the victim company’s domain name. Later attacks used a forged ‘from’ address that matched the victim’s domain. We strongly encourage that businesses educate their employees about the dangers of these scams and implement technologies that intercept the incoming emails.”
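As an added illustration (not from the APWG report or its contributors), the following sketch shows how a mail filter could flag the two sender patterns described above: a domain that closely resembles the company's own, and a "from" address on the company's own domain that fails authentication. The domain `example-corp.com`, the distance threshold and the sample messages are constructed, and the code assumes the receiving gateway stamps a trusted `Authentication-Results` header carrying a DMARC verdict.

```python
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example-corp.com"   # assumption: the protected company's domain
MAX_DISTANCE = 2                  # assumption: edits that still count as "lookalike"

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def dmarc_passed(msg):
    """True if the gateway-stamped Authentication-Results reports dmarc=pass."""
    results = msg.get_all("Authentication-Results", [])
    return any("dmarc=pass" in r.lower() for r in results)

def classify(raw):
    """Return 'lookalike-domain', 'forged-own-domain' or 'ok' for one message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain == OWN_DOMAIN:
        # Our own domain in From: only trust it if authentication succeeded.
        return "ok" if dmarc_passed(msg) else "forged-own-domain"
    if 0 < edit_distance(domain, OWN_DOMAIN) <= MAX_DISTANCE:
        return "lookalike-domain"
    return "ok"

# Constructed sample messages (headers only matter here).
SAMPLES = {
    "lookalike": 'From: "CFO" <cfo@examp1e-corp.com>\nSubject: Urgent wire\n\nbody',
    "forged": ("Authentication-Results: mx.example-corp.com; dmarc=fail\n"
               "From: cfo@example-corp.com\nSubject: Urgent wire\n\nbody"),
    "internal": ("Authentication-Results: mx.example-corp.com; dmarc=pass\n"
                 "From: cfo@example-corp.com\nSubject: Minutes\n\nbody"),
    "external": "From: news@vendor.example\nSubject: Newsletter\n\nbody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

Messages flagged this way are candidates for quarantine or a warning banner, not proof of fraud; a legitimate partner domain can also fall within the distance threshold.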
Luis Corrons, PandaLabs Technical Director and Trends Report contributing analyst, said companies need to be vigilant, as it is getting more difficult to distinguish phishing attempts from legitimate workplace communications.
“Spear phishing campaigns are growing, all of them with the same goal: set a foot on corporate networks to perpetrate large attacks to steal all kinds of financial and confidential information. New approaches are needed, such as having advanced threat detection capabilities.”
“All types and sizes of companies are vulnerable to BEC scams. I’ve seen companies with under ten employees being targeted,” APWG Senior Research Fellow Greg Aaron noted. “All businesses should therefore assume that they have been researched by a criminal who has determined the names and email addresses of the employees who can authorize and execute wire transfers. Businesses can also protect themselves by allowing bank transfers only after multiple internal approvals.”