Fueled by such scams as business email compromise, phishing frauds are staging a dramatic comeback. The total number of attacks reached 266,387 in the third quarter, according to the latest report from the Anti-Phishing Working Group, a security-industry organization that tracks the crime. That’s the highest level of phishing activity since the fourth quarter of 2016, the group says in its report, released this week.
The level of attacks in the July through September period was also double the number detected in the fourth quarter of 2018 and up 46% from the second quarter of this year, the report adds.
In phishing attacks, fraudsters use cleverly disguised emails to gull recipients into giving up critical data that can be used to loot bank accounts or credit cards. One variant, known as an ATM cash-out, has recently claimed headlines as criminals use phishing attacks to fool insiders into dispensing funds at multiple machines. In another variant, called a business email compromise, the attacks can lead corporate officers to send cash to a source impersonating the officers’ boss.
These attacks are also becoming more sophisticated and thus harder to detect. For example, “[f]orty percent of Business Email Compromise (BEC) attacks use domain names registered by the criminals, a strategy used to fool unwary victims,” notes the APWG’s latest report.
In yet another variation on this theme, phishing fraudsters are relying on a common indicator of safety to lure the unwary. “More than two-thirds of all phishing sites used SSL protection,” says the report. “This was the highest percentage since tracking began in early 2015, and is a clear indicator that users can’t rely on SSL alone to understand whether a site is safe or not.”
Curiously, the most common cash-out vehicle for a business email compromise is a gift card, requested in 56% of the cases tracked by the APWG. Payroll diversions accounted for 25% of cases, while direct bank transfers were used in just 19%. While the average sum scamsters can get via a gift card is much less than through a wire transfer, the cards are popular because they are anonymous, less reversible, and don’t require the help of an accomplice to collect the money, according to the report. The most common gift card brand? Google Play, Google Inc.’s app store, requested in 27% of cases.
These accomplices, known as mules or money mules, are critical to the execution of ATM cash-outs, as they are the ones who collect the cash as the machines dispense it.
The 16-year-old APWG includes financial institutions, online retailers, software companies, Internet service providers, and law-enforcement agencies among its more than 2,000 members.