In a recent report, PhishLabs finds the U.S. is far and away the favorite hot spot for phishing attacks globally, with 84% of phishing attempts happening here in 2018. From 2017 to 2018, the volume of phishing attacks rose a whopping 40.9%, and researchers report that number continues to rise. The report breaks down phishing attacks by industry, finding financial services at 29.8%, email and online services at 24.1%, cloud and file storage at 12.6%, payment services at 11.1%, and finally, SaaS (Software as a Service) at 7.2%. All these statistics combined paint an unflattering picture of the U.S. as a ripe target for phishing attacks.

A further look into the report brings more detail to the overall findings. Although the financial industry’s global share of volume may vary by year, the sheer number of attacks continues to grow annually. Free hosting and domains saw a 200% increase in 2018, and free SSL certificates saw a 50% jump. Out of the millions of malicious phishing emails studied, only 2% were used to deliver malware; 33% were email scams like BEC (Business Email Compromise) and other ploys designed to trick users into giving up PII (Personally Identifiable Information).

The biggest chunk of phishing attacks, 65%, aimed at stealing credentials by redirecting users to bogus phishing links and by using a phishing trend called DocuPhishing. This attack bypasses email filters and attachment warnings, despite having an attachment. With its ability to get around email security measures, DocuPhishing tricks users into sharing documents full of sensitive data.

Knowing just how far the phishing arm reaches, it’s easy to understand how user education, at home or at work, serves as the first line of defense against relentless phishing attacks. After all, it takes just one click...

Check it Out:

  • Emails with attachments and URLs in the text. Attachments are loaded with malware, and URLs redirect to bogus websites designed to steal PII from you or your place of work.
  • Sense of urgency. The email title and text require quick action from you on any subject, from winning a prize to “trouble” with an account, likely needing your PII to resolve the issue.
  • Bad grammar and misspellings. Although hackers may be quick with an attack, they’re not known to be on top of proper spelling and grammar. The slightest typo should set off email phishing alarms.
  • Any email that remotely looks or smells phishy for any reason is best deleted.

An Ounce of Prevention:

  • Check email spam filters. Set security filters as high as you are comfortable with. Although they can’t stop every phishy email, it’s a great start to reducing the number that end up in your inbox.
  • Check URLs for a hidden hyperlink, making sure you’re not redirected to a bogus site.
  • Common sense plays a huge part. Most organizations avoid asking for or verifying PII in an email, including the IRS and any credit or financial account you may have.
  • When in doubt, verify. Any email from a co-worker or friend requiring opening an attachment, following a link or providing PII should be verified before acting on it. A quick phone call can go a long way in getting to the truth.