While some parts of the economy slowed in 2020, criminals paid no mind: their phishing attacks against companies in the financial sector increased 45% over 2019 to 3.4 billion, Akamai Technologies Inc. found in its “State of the Internet / Security report: Phishing for Finance,” released Wednesday. Overall, Akamai tallied 193.5 billion credential-stuffing attacks globally in 2020.
In credential stuffing, criminals pull valid usernames and passwords from a database and use them to try to get into consumers’ online accounts, with little operator action required.
“Criminals have dedicated a good deal of energy and resources toward advancing the phishing economy on a regular basis,” Akamai says in the report. “Gone are the days of basic cloned websites. Today, phishing is a turnkey business, even offered as a hosted solution for criminals who wish to leverage phishing-as-a-service developments.”
Notably, more consumers adopted online shopping and financial transactions because of pandemic restrictions, while data breaches continued to happen. Criminals took note. “Millions of new usernames and passwords, tied to several notable incidents in Q1 and Q2 of 2020, as well as some in Q3, started circulating among criminals on several forums,” Akamai says. “Once these compromised credentials were in circulation, they were sorted and tested against brands across the Internet, including several financial institutions.”
Indeed, 80% of banks surveyed by Computer Services Inc. earlier this year said improved cybersecurity was a priority in 2021. The threats they face include both customer-targeted and employee-targeted phishing attacks. Today, criminals can purchase kits that make it easier to generate these attacks, Cambridge, Mass.-based Akamai says.
To counter this, organizations turned to multi-factor authentication and two-factor authentication to augment passwords. Both provide a second type of authentication. But now, criminals have evolved, too. “This change includes elements that target [two-factor authentication] and [multi-factor authentication] protections where victims are tricked into filling out their [one-time password] or revealing it to the threat actor during a conversation,” Akamai says.
Credential-stuffing attacks aren’t the only problem for financial-services organizations. Akamai says the number of Web attacks against them totaled 736.1 million in 2020.
Akamai says there’s no reason to expect that criminal cyber activity will slow down in 2021. Phishing kits are just the “tip of the iceberg—hundreds of kits are developed and circulated daily,” the firm’s report says. “The phishing economy as a whole has been growing exponentially year-over-year, as developers leverage the same Web technologies and techniques that enable businesses to remain agile and ahead of the curve.”