Analyzing the Latest APWG Phishing Activity Trends Report: Key Findings and Insights
In the second quarter of 2024, 877,536 phishing attacks were reported, a marked decrease from the 963,994 attacks reported in the first quarter of the same year. However, this might not be a reason to celebrate just yet, as this reduction might be due to the fact that email providers have made it increasingly difficult for users to report phishing attempts.
Complaints and testing reveal that certain prominent email providers are blocking users’ attempts to forward emails they suspect might be phishing attempts. This could skew the results, as the true phishing activity may be higher than the figures show, highlighting the need for better and more accessible reporting mechanisms.
This was revealed by the Q2 2024 Phishing Activity Trends Report, released by the Anti-Phishing Working Group (APWG). The report provides a comprehensive analysis of phishing attacks and identity theft methods, offering insights into malefactors’ evolving tactics, including phishing schemes, business email compromises (BEC), and other forms of online fraud.
The report is based on data collected from its member companies, global research partners, and direct reports submitted through its website and email submissions. This extensive data collection provides a detailed view of the current phishing landscape, capturing both social engineering and technical subterfuge tactics used by cybercriminals. This data is processed through the APWG eCrime eXchange (eCX) to track unique phishing sites, email subjects, and brands targeted.
Vishing and Smishing Rise
The report also highlighted a shift towards phone-based phishing methods, including voice phishing (vishing) and SMS phishing (smishing). These scams are targeting an increasing number of bank and online payment service customers. Unlike traditional email phishing, which relies on deceptive messages to lure victims, vishing and smishing involve direct communication with potential victims.
Vishing typically involves phone calls where malicious actors masquerade as people from trusted organizations to extract sensitive information, while smishing involves sending fake SMS messages that contain malicious links or ask for personal details. This direct approach allows attackers to engage with victims in real time, making these methods more effective at bypassing traditional email security filters and capturing sensitive information. As these tactics become more prevalent, organizations and individuals need to remain vigilant and adopt comprehensive security measures to protect against these increasingly sophisticated threats.
Sector-Specific Attacks
Another concerning trend in the targeting of social media platforms was seen. These platforms remain the most frequently attacked sector, with 32.9% of all phishing attacks. This high number illustrates how persistently vulnerable social media sites are to phishing, which exploits their broad reach and personal nature. Social media accounts are also compelling targets for phishers thanks to their widespread use and the treasure trove of personal information they house.
In contrast, phishing attacks targeting financial services entities have decreased to 10% of total attacks in the second quarter of 2024, down from 24.9% in Q3 2023 and 14% in Q4 2023. Attacks against online payment services (think PayPal, Venmo, Stripe, and similar companies) remained steady, with 7.5% of all attacks.
This decline is partially due to financial firms implementing enhanced security measures like two-factor authentication (2FA), which dramatically reduce the success of traditional phishing attempts. As banks and payment services augment their defenses, bad actors shift their focus to sectors with less stringent security measures in place. This shows that ongoing vigilance and robust security practices across all sectors are crucial.
More Expensive, But Fewer Attacks
Fortra, a key player in tracking BEC attacks, reports that the average amount requested in wire transfer BEC attacks increased to $89,520 in Q2 2024, up from $84,059 in Q1 2024.
Despite this increase in the average amount requested, the volume of BEC attacks dropped by 8.4% compared to the previous quarter. This suggests that while individual attacks may be targeting higher amounts, the overall frequency of these attacks has declined.
Popular Scams
The company’s analysis also exposed gift card scams as the most popular type of fraud, making up 38.1% of all attacks. Moreover, advanced fee fraud scams made up 26.1% of events, and payroll diversion remained popular, too, making up 7.6% percent in Fortra’s tracking. Hybrid vishing, which wasn’t even on the radar before 2023, accounted for 4.9% of cases tracked. These hybrid scams often involve email messages prompting recipients to call a phone number to resolve issues or claim refunds.
Interestingly, when it came to payroll diversion, 35% of attempts involved routing salaries to accounts at Green Dot, with GoBank also being a popular choice. This suggests a gap in these financial institutions’ vetting processes, potentially compromising their compliance with Know Your Customer (KYC) regulations.
Free Webmail Providers
Fortra also found that 72% of BEC attacks used free webmail domains, with Google Gmail being the most popular, used in 72.4% of these attacks. This high usage of free webmail services highlights a vulnerability in these platforms, as scammers frequently exploit them.
Microsoft’s webmail services accounted for 16.3% of BEC attacks, indicating a significant but smaller share compared to Gmail.
Taking Proactive Steps
As phishing techniques continue to evolve and become more sophisticated, it is crucial for both organizations and individuals to remain vigilant. This means staying informed about the latest tactics cybercriminals are using and continuously updating and strengthening security measures to effectively combat this scourge.
Proactive steps such as regular employee training, implementing multi-factor authentication, and leveraging advanced cybersecurity tools can help ensure that defenses are robust enough to keep up with the dynamic nature of phishing attacks.
For more information and to read the full report, click here.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.