The number of phishing attacks hit an all-time high in the first quarter of 2022, with the three-month total crossing the one million mark.
The Phishing Activity Trends report (PDF) from the Anti-Phishing Working Group (APWG) recorded 1,025,968 phishing attacks in March 2022.
This change represents a 15% increase (137,383) from the 888,585 attacks recorded in the fourth quarter of 2021 (Q4 2021).
In March, the group recorded 384,291 attacks, 309,979 in February and 331,698 attacks in January.
The latest phishing report noted that the number of phishing attempts had tripled since 2020, when the APWG recorded between 68,000 and 94,000 attacks per month.
The APWG observes phishing, social engineering, and other impersonation tactics reported by its members, researchers, and the public.
The group postulated that the number of phishing attacks could represent the number of phishing sites recorded during the period. This is because phishing schemes can have thousands of URLs pointing to the same phishing page.
The financial sector has been the most targeted by phishing attacks
The financial sector, which includes banks, accounted for the highest number of recorded phishing attacks, at almost a quarter (23.6%) of all attacks.
Webmail and software-as-a-service (SaaS) providers recorded the second highest number of attacks (20.5%), followed by e-commerce/retail (14.7%), social media (12.5%), and cryptocurrency exchange and wallet providers (6.6%).
The APWG also observed that phishing attacks against e-commerce sites and retailers decreased by 17% after the holiday shopping season, while attacks on social media increased by 9%.
“Social media attacks on businesses continue to grow rapidly,” said John LaCour, senior product strategist at PhishLabs by HelpSystems. “The average business is targeted nearly three times a day via social media.”
According to LaCour, spoofing attacks accounted for 47% of all social media attacks, up from 27% in the prior quarter.
“A lot of companies don’t realize their executives are being spoofed on social media,” LaCour added. “It’s a huge business risk.”
The report also revealed that threat actors targeted payment, logistics and shipping companies, accounting for 5.0% and 3.8% of phishing attacks respectively.
Ransomware attacks decreased in early 2022
Abnormal Security, an email security company and APWG member, detected a 25% reduction in ransomware attacks. The decline affected all industries except the financial sector.
The report attributes the reduction in ransomware attacks to the attrition of the Conti and Pysa ransomware gangs. The researchers suggested that law enforcement actions and infrastructure takedowns contributed to the decrease in ransomware attacks.
However, the financial services industry saw a 35% increase in ransomware attacks in the first quarter of 2022. Abnormal Security also found that the number of ransomware attacks targeting financial institutions increased by 75% in the first quarter of 2022 compared to the first quarter of 2021.
The report attributes this growth to increased targeting of financial institutions by LockBit ransomware. These attacks targeted “small accounting and insurance firms”.
According to the report, LockBit targeted victims large enough to pay a ransom that made the hacking effort worthwhile, yet not so large that they were well defended.
Garret Grajek, CEO of YouAttest, noted that phishing attacks are the gateway to other cyberattacks, including ransomware.
“Phishing is the main source of corporate access hacking,” Grajek said. “But what is important to note is that phishing is only the first step in the chain of cybercrime, for example, an access to a device that has access to the environment of the victim.”
Grajek postulated that attackers could elevate privileges, move laterally, and maintain persistence while communicating with command-and-control (C2) servers to complete a data breach.
“The key is to stop the user early in the cycle – zero trust and strong identity governance are key security measures to prevent the attacker from executing the malicious attack steps. Identity and permissions is a critical way to recognize malicious hacker activity,” Grajek said.
BEC attacks remained stable in the first quarter of 2022 while average losses increased
In the first quarter of 2022, the APWG found that business email compromise (BEC) attacks remained stable, but the amount demanded by scammers increased by more than two-thirds.
Agari, a member of the APWG, classified BEC attacks as “response-based spear-phishing attacks,” impersonating a trusted person to trick the victim into completing a transaction or sending sensitive information.
Agari found that the average amount requested in wire transfers during BEC attacks increased from $50,027 in Q4 2021 to $84,512 in Q1 2022, representing a 69% increase.
The company attributed the rise to a 280% increase in amounts over $100,000 demanded by scammers.
Scammers prefer Gmail email services and Namecheap domain registration
The APWG member also found that 82% of BEC emails come from free webmail accounts, with Gmail.com accounting for 62% of all malicious emails. Microsoft and Verizon Media accounted for 20% and 10% of phishing emails respectively.
The report also revealed that domain registrar Namecheap accounted for a third (33%) of registered BEC attack domains, followed by GoDaddy (13%), Google (12%), PublicDomainRegistry (5%), Hosting Concepts BV (5%), and 1&1 IONOS SE (4%).
However, most domains controlled by malicious actors were registered with other domain registrars.
“In Q1 2022, 82% of business email compromise messages were sent from free webmail accounts. Of these, 60% were using Gmail.com,” said John Wilson, Senior Fellow, Threat Research at HelpSystems. “For the 18% of BEC messages sent from domains controlled by attackers, Namecheap was the most popular registrar. A third of all maliciously registered domains used for BEC attacks were registered through Namecheap.”
According to LaCour, credential theft phishing against enterprise users has increased by 7%, accounting for up to 59% of all malicious emails.
QBot was responsible for delivering almost three-quarters (74.5%) of phishing emails to corporate inboxes, followed by Emotet (16.7%) and BazaLoader (3.9%).
Rajiv Pimplaskar, CEO of Dispersive Holdings, noted that phishing attacks could be a springboard for cyber warfare.
“With the increased involvement of nation-state actors and the intensification of the Cyber Cold War, phishing is a key attack vector for establishing backdoors and/or stealing credentials. Phishing is often used in conjunction with other forms of MITM or supply chain attacks to try to connect rather than hack most conventional cyber defenses with relative ease.”
Pimplaskar advised companies, especially critical infrastructure entities, to bolster their cyber defenses with military-grade solutions that provide enhanced protection.