The bad news about payments risk just keeps on coming. The Anti-Phishing Working Group Inc. reported this week that phishing attacks reached an all-time high in 2016, totaling 1,220,523. That was up fully 65% over 2015, the group says in its latest quarterly report.
Another way to look at the explosion of phishing is to compare the fourth quarter of 2016 with that of 2004, the first full year the APWG operated. The group says it counted 1,609 attacks per month in that quarter 12 years ago. In 2016, there was an average of 92,564 monthly attacks in the fourth quarter alone. That’s an increase, says the group, of 5,753%.
In phishing attacks, fraudsters use cleverly designed emails to trick people into visiting bogus Web sites or giving up sensitive information. Both the emails and the fake sites are typically designed to mimic those of reputable retail, banking, and payments brands.
“Phishing is an attack that relies primarily on fooling people, rather than highly sophisticated technical implementations,” said APWG senior research fellow Greg Aaron, who is also a vice president at Princeton, N.J.-based iThreat Cyber Group, in a statement. “For that reason, phishing remains both popular and effective. Truly, phishing is more pervasive and harmful than at any point in the past.”
All the more so, he added, given that the APWG’s numbers track “broad-based attacks against consumer brands.” They don’t include so-called spear-phishing attacks, in which fraudsters target highly placed managers within companies, hoping to gull them into transferring funds into bogus accounts.
In some ways, the deception behind phishing has become easier, according to the APWG. While emails and Web sites may be dressed up to deceive, fraudsters don’t feel a need to bother duplicating brand names in browser bars. “A relatively low percentage of phishing Web sites targeting a brand attempt to spoof that brand in the domain name—whether at the second-level or in the fully-qualified domain name,” said Jonathan Matkowsky, vice president for intellectual property and brand security at San Francisco-based risk-detection firm RiskIQ, in a statement.
The APWG’s report comes on the heels of other indications that fraud is surging. On Tuesday, a study from Forter Inc., a San Francisco-based fraud-solutions firm, and the Merchant Risk Council reported that dollars at risk for online retailers shot up to $4.98 per $100 of domestic sales in the fourth quarter of 2016, compared to $2.70 per $100 the year before. Dollars at risk refers to both attempted and actual fraud.
Earlier this month, a report from ThreatMetrix Inc., a San Jose, Calif.-based security-technology firm, showed how pilfered or fake credentials figured in 80 million cyberattacks last year. And shortly before that, a report from Pleasanton, Calif.-based Javelin Strategy & Research indicated identity theft had reached a record high, affecting 15.4 million U.S. consumers in 2016, up nearly 18% from the year before.
APWG members include financial institutions, retailers, Internet service providers, law-enforcement agencies, government agencies, multilateral treaty organizations, and non-governmental organizations. All told, some 2,000 enterprises globally work with the organization.