New data from the Anti-Phishing Working Group shows cybercriminals are stepping on the gas, focusing phishing attacks on credential theft and response-based scams.
Last quarter was a busy time for cybercriminals, according to APWG’s Q4 2021 Phishing Activity Trends Report. In total, nearly 900,000 phishing attacks occurred – a 23% increase over Q3 2021 and over three times that of Q1 2020. Last December saw the highest number of recorded attacks at just under 317,000.
According to the report, cybercriminals are shifting toward social engineering-based attacks and away from malware-based ones:
- 8% of attacks were focused on stealing credentials
- 6% of attacks were BEC attacks, gift card scams, and other response-based scams
- Only 9.6% of attacks involved the delivery of malware
The most targeted industries continue to be SaaS, Financial, eCommerce/Retail, Social Media, and Payments.
New data from Barracuda’s recently released Spear Phishing Top Threats and Trends Report shows that small businesses are also a target of attacks using social engineering tactics, which reach their mailboxes 3.5x more often than those of their enterprise counterparts.
According to the data, the average number of attacks per mailbox in organizations with more than 2,000 employees is 5 per year. But in organizations with fewer than 100 employees, that number more than triples to 17 per year.
Further analysis of the attacks shows that SMBs are targeted with largely the same breakdown of attack types:
- 49% are phishing attacks
- 40% are scams
- 9% are business email compromise attacks
- 2% are extortion attacks
- <1% are vendor email compromise (also called conversation hijacking) attacks
It also appears that ransomware attacks are getting more effective across all industries, as the number of companies falling victim to these attacks rose 36% in Q4 alone and was the highest number of successful attacks in the last two years.
Phishing is not merely persisting as a problem for organizations today. It’s an ever-growing concern that every business should treat as a primary source of risk. Security solutions provide solid coverage for most phishing attacks. Still, for the small percentage of attacks that make it to the inbox, only Security Awareness Training will be the difference between a protected organization and an enabled attack.
Information used in this article was provided by our partners at KnowBe4 and Barracuda.