Nearly 1.4 million new, unique phishing sites are created worldwide each month, with a high of 2.3 million sites created in May, according to research from security and threat intelligence company Webroot.
The company’s Quarterly Threat Trends report finds that phishing attacks have grown at an unprecedented rate this year, and remain one of the most widespread security threats for businesses and consumers.
On average around 46,000 new phishing sites are created per day, and phishing is the top cause of data breaches worldwide.
Attacks are also becoming increasingly targeted, sophisticated and effective at fooling intended victims, with attackers utilising social engineering to uncover personal information to use to increase their effectiveness.
But today’s phishing attacks continue to be short lived, with the majority online and active for a mere 4–8 hours, Webroot said. This is a mechanism to evade detection by traditional anti-phishing strategies such as blocklists, which are often 3–5 days out of date by the time they’re made available.
In the first six months of 2017, Google was by far the top company impersonated in phishing attacks, accounting for 35% of phishing attacks targeting the top 10 most spoofed companies.
This was followed by consumer banking company Chase (15%), cloud storage company Dropbox (13%), PayPal (10%), Facebook (7%) and Apple (6%). Yahoo (4%), financial services company Wells Fargo (4%), banking company Citi (3%) and Adobe (3%) made up the remainder of the top 10.
“Today’s phishing attacks are incredibly sophisticated, with hackers obfuscating malicious URLs, using psychology, and information gleaned from reconnaissance to get you to click on a link. Even savvy cybersecurity professionals can fall prey,” Webroot CTO Hal Lonas said.
“Instead of blaming the victim, the industry needs to embrace a combination of user education and organisational protection with real-time intelligence to stay ahead of the ever-changing threat landscape.”