Jeff Goldman | March 06, 2017

Half of All Phishing Attacks in 2016 Targeted Financial Data

Fully 47.48 percent of all phishing attacks last year were aimed at stealing victims' money, a 13.14 percent increase over 2015, according to Kaspersky Lab's Financial Cyberthreats in 2016 report.

Of almost 155 million attempts to visit phishing pages that Kaspersky detected in 2016, just under half were attempts to visit pages designed to steal financial data, such as account numbers for banking, credit accounts, Social Security numbers, and online banking login and password information.

"For the first time in 2016, the detection of phishing pages which mimicked legitimate banking services took first place in the overall chart -- as criminals sought to trick their victims into believing they were looking at genuine banking content or entering their details into real banking systems," the report states.

Just over a quarter (25.76 percent) of banking phishing schemes used fake online banking information, an 8.31 percent increase over 2015, while phishing attacks related to payment systems and e-shops accounted for 11.55 percent and 10.14 percent in 2016, respectively, increases of 3.75 percent and 1.09 percent over 2015.

Notably, 31.38 percent of financial phishing was detected on Mac OS computers.

"Financial phishing has always been one of the easiest ways for cybercriminals to earn illegal money," Kaspersky Lab senior Web content analyst Nadezhda Demidova said in a statement. "You don't have to be a skilled programmer, and you don't have to invest lots of money into supporting infrastructure."

"Of course, most phishing schemes are easy to recognize and avoid, but judging by what we see in our statistics, lots of people are still not cautious enough when it comes to dealing with financial data online," Demidova added. "Otherwise, we wouldn't have seen so many attacks in 2016."

Separately, Wombat Security's third annual State of the Phish report found that 76 percent of companies were victims of a phishing attack last year, and 51 percent said the rate of phishing attacks is increasing.

The report, based on data from tens of millions of simulated phishing emails as well as survey responses from more than 500 information security professionals and more than 2,000 computer users, also found that 38 percent of infosec professionals who were hit by a phishing attack said disruption of employee activity was the largest impact on their organization, greater than data loss or compromised accounts.

There were key differences between U.S. and U.K. computer users in terms of risky behaviors like checking personal email on work devices and keeping data from work on their personal devices.

In the U.S., 49 percent of computer users check their work email on their personal phone, compared to just 29 percent in the U.K. -- and 50 percent of U.S. computer users check personal email on their work computers, compared to 31 percent in the U.K.

Notably, when asked what phishing is, just 65 percent of U.S. computer users responded correctly.

"Social attacks take advantage of employees trying to be helpful, so it stands to reason that social awareness of attack methods plays a critical role in protecting against phishing," 451 senior security analyst Eric Ogren said in a statement. "Enterprises with corporate phishing education programs empower employees to help protect themselves and the business."