Phishing Attacks Are at an All-time High, Reports APWG

Published · Jun 14, 2021

The Anti-Phishing Working Group (APWG) reported all-time high rates of phishing attacks in its Q1 2021 report. The attacks peaked in January, with 245,771 unique phishing sites discovered. The number fell somewhat in February but reached 207,208 in March—the fourth worst month in APWG history.

The increase is even more troubling when you consider that 2020 also saw a massive rise in phishing attacks. According to APWG’s stats, the numbers nearly doubled compared to the previous year.

If you’re unfamiliar with them, phishing attacks use a lure (usually a fake site disguised as a legitimate one) to trick users into inputting important info like credit card numbers.

Phishing Targets Business

The APWG report warns about the rising costs of business email compromise (BEC) attacks. Instead of plain old identity theft, such phishing attacks rely on impersonating company emails to scam employees out of funds or critical data.

In 2021, 54% of emails simply requested gift cards, though this type of scam is in decline. The average cost of BEC incidents went up 14%, however, reaching $85,000 per successful attack.

An increasing threat is financial aging requests, now sitting at 10% of phishing attacks. The attacker impersonates an executive and asks for details on customers with outstanding payments. The customers then get a request to make the payment to the hacker’s account.

Unfortunately, NameCheap remains the most exploited company in BEC scams. This is one of the top domain registrars and email hosting providers and its services are used to conduct 46.3% of BEC attacks.

Simple SSL Doesn't Guarantee Much

If you rely on your browser to let you know if a website is safe, you might want to think twice.

The report states 83% of phishing sites use SSL certificates to appear legitimate.

It’s important to note that an SSL cert (a lock icon in the address bar) simply means the connection is encrypted but doesn't verify the site identity. Anyone can install a free certificate without verifying anything more than domain ownership.

EV certificates are the ones that come with identity verification and are much more reliable. Only 11 phishing sites had such a certificate and those were, in all cases, hacked sites. Still, it’s worth being extra careful to check the URL of a site and its identity before inputting personal info.

There are a few other things that can be done to increase cybersecurity. For example, antiviruses typically have phishing protection tools to block suspicious sites. Also, identity theft protection services can track black markets and alert users if their info does get leaked.

Branko Krstic
Branko Krstic

Branko is a round-the-clock tech geek and loving it. His ideal vacation destination is the Akihabara District (or really any place he can take his computer). If there’s a server out there, count on him to find out what it’s made of… and tell you all about it.