Phishing messages with links in an email, text message or on a website are designed to steal money from unsuspecting recipients. Cybercriminals can do this by installing malicious software onto an organization’s website or by tricking victims into going to a fake website that, at first glance, appears legitimate. One million confirmed malicious phishing sites were created in 2015, and phishing remains one of the most popular activities for attackers.
Researchers in cyber security published two reports with their insights into phishing attacks. According to PhishLabs, a provider of cybercrime protection, 90% of phishing attacks targeted financial institutions, e-commerce and payment services, cloud storage/file hosting sites, webmail and online services. Another powerful finding is that Google’s webmail service is used for more than half of all data drop email accounts. That makes Gmail the top webmail service used by attackers to receive login access and data stolen through phishing attacks. Additionally, the research revealed an interesting trend: social media has become the most attractive and successful channel for threat actors targeting the assets of organizations and individuals.
The other vendor involved in the study, Easy Solutions, is an international developer of fraud detection software. This company analyzed data from 3,000 phishing attacks committed against the top 25 U.S. financial institutions. The main purpose of the research was to gain an understanding of the latest phishing strategies and to gain knowledge about attacks. Based on the study’s results, the vendor puts phishing sites into three categories:
- Fake sites that neither resemble nor reference the original sites they’re targeting.
- Fake sites that are copies of the target sites, with all page content hosted by the attackers themselves.
- Fake sites that are copies of the target sites and reference most of the content on the original site.
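
An added example, not taken from either vendor's report: a heuristic that sorts a captured suspect page into the three categories above by checking where its sub-resources are hosted. The brand-term check standing in for "resembles", the more-than-half reading of "most", and the `bank.example` and `login-check.example` names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

UNRELATED, SELF_HOSTED_COPY, HOTLINKING_COPY = 1, 2, 3  # the three categories above

class _Page(HTMLParser):
    """Collect sub-resource URLs (images, scripts, stylesheets, frames) and page text."""
    SRC_ATTR = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls, self.text = page_url, [], []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(self.SRC_ATTR.get(tag, ""))
        if value:
            self.urls.append(urljoin(self.page_url, value))  # resolve relative paths

    def handle_data(self, data):
        self.text.append(data.lower())

def _hosted_on(url, domain):
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def classify(page_url, html, target_domain, brand_terms):
    """Heuristic: brand_terms stand in for 'resembles'; 'most' means more than half."""
    page = _Page(page_url)
    page.feed(html)
    on_target = [u for u in page.urls if _hosted_on(u, target_domain)]
    text = " ".join(page.text)
    resembles = any(term.lower() in text for term in brand_terms)
    if page.urls and len(on_target) / len(page.urls) > 0.5:
        return HOTLINKING_COPY
    if resembles or on_target:  # partial hotlinking counted as a self-hosted copy
        return SELF_HOSTED_COPY
    return UNRELATED

# Constructed sample pages; bank.example is a placeholder target domain.
SAMPLES = {
    "unrelated": '<h1>Confirm your account details</h1><img src="banner.png">',
    "self_hosted": '<title>Example Bank Login</title><img src="logo.png">'
                   '<link rel="stylesheet" href="css/main.css">',
    "hotlinking": '<img src="https://www.bank.example/img/logo.png">'
                  '<link rel="stylesheet" href="https://www.bank.example/main.css">'
                  '<script src="/form.js"></script>',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, classify("http://login-check.example/", html, "bank.example", ["Example Bank"]))
```

Pages in the third category fetch content from the legitimate site, so they also leave requests in that site's own web server logs.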
These findings provide a solid foundation for the development of more effective tools and strategies to meet the phishing challenge. However, it should not be forgotten that the majority of breaches take place because users within a company are not aware of safe practices. Regular education of all staff to be cautious with messages that have attachments or links should be the first line of defence against phishing attacks.