In its Phishing Activity Trends Report [PDF], the APWG noted a 250% increase in phishing sites popping up between October 2015 and March 2016.
“The increase in December 2015 was expected, since there is usually a spate of spamming and online fraud during the holiday shopping season,” the report noted. “The continuing increase into 2016 is cause for concern.”
The retail/service sector remained the most-targeted industry sector during the first quarter of 2016, with 42.71% of attacks, followed by financial services at 18.67%. The number of brands targeted by phishers in the first quarter remained constant, ranging from 406 to 431 brands each month.
The United States remained at the top of the list of nations hosting phishing websites, while the world's most-infected countries are China, where 57.24% of computers are infected, followed by Taiwan (49.15%) and Turkey (42.52%).
The results dovetail with recent PhishMe findings that the first three months of 2016 saw a 6.3 million increase in the raw number of phishing emails over the last quarter of 2015, due primarily to a ransomware upsurge. That is a staggering 789% jump in the volume of malicious emails. In all, 93% of phishing emails are now pushing ransomware.
“Thus far in 2016, we have recorded an unprecedented rise in encryption ransomware attacks, and we see no signs of this trend abating. Individuals, small- and medium-sized businesses, hospitals, and global enterprises are all faced with the reality that this is now one of the most favored cyber-criminal enterprises,” explained Rohyt Belani, CEO and co-founder of PhishMe.
Security awareness training is of course key to organizations looking to combat this increasing threat. Spam filters, blacklists, firewalls, and other technical safeguards do not stop all phishing emails from getting to end users, after all.
“Awareness and training are two sides of the same coin, but they are not one and the same,” said Joe Ferrara, president and CEO of Wombat Security Technologies, via email. “Being aware that phishing threats exist is not the same as knowing how to defend against social engineering attacks. Simulated phishing attacks, notification emails and alerts are absolutely valuable and useful—but on an awareness front. They aren’t a substitute for education, and they will not, on their own, drive the level of behavior change that training can.”