At the initial height of the Covid-19 pandemic, phishing incidents rose by 220 percent compared with the annual average. This is one of the key findings of the “2020 Phishing and Fraud Report” released by F5 Labs, the research arm of F5.
In the previous year’s report, the experts had highlighted an increase in the use, or rather abuse, of automated free services such as blogging platforms and free-of-charge digital certificates for HTTPS. F5 Labs notes that the past twelve months have seen not a revolution but an evolution in the methods attackers employ in phishing, a social-engineering technique that primarily abuses email communication. Based on current figures, phishing incidents are projected to have increased by 15 percent in 2020.
There was a particularly sharp increase in phishing attacks during the “first wave” of the Covid pandemic in spring. The various lockdowns around the globe and the shift to working from home (WFH) were accompanied at their peak by nearly 15,000 active certificates containing “Covid” or “coronavirus” in their names. Almost three quarters of all phishing websites now use digital certificates and TLS encryption to appear genuine; the browser padlock only attests to an encrypted connection, not to the honesty of the site behind it, so it should not be taken as a sign of legitimacy. This dramatic increase is likely to have contributed to a rise in the theft of payment card details detected in May and June 2020: the number of stolen cards discovered on the darknet belonging to customers of seven major banks was almost twice the amount noted during a similar peak period in 2019.
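The F5 Labs figure on pandemic-themed certificates comes from watching newly issued certificates for telltale names. As an added example that is not part of the original article or the F5 report, the following Python script applies the same idea to certificate records of the kind one would pull from a Certificate Transparency log: it flags hostnames that contain the pandemic keywords, plus two look-alike patterns that phishers use to make addresses look realistic (a protected brand embedded in a longer label, or a near-miss spelling such as a zero for an o). The `CertRecord` type, the brand list, the sample certificates and the crude second-level-label extraction are all constructed assumptions for the demo; a real deployment would use a public-suffix list and its own brand and allowlist data.

```python
"""Triage TLS certificate names for pandemic-themed and brand look-alike phishing hosts."""
from dataclasses import dataclass, field

# The two keywords the F5 Labs certificate count was based on; extend with local campaign terms.
PANDEMIC_KEYWORDS = ("covid", "coronavirus")
# Hypothetical list of brands phishers imitate (assumption for this example).
PROTECTED_BRANDS = ("microsoft", "office365", "paypal")
# Edit-distance budget for near-miss spellings such as "micros0ft".
MAX_EDIT_DISTANCE = 2


@dataclass
class CertRecord:
    """One certificate as it might come out of a CT log feed (constructed for the demo)."""
    common_name: str
    sans: list[str] = field(default_factory=list)

    def hostnames(self) -> set[str]:
        # Wildcard entries like *.foo.example are treated as foo.example.
        return {n.lower().removeprefix("*.") for n in {self.common_name, *self.sans}}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute), used for near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(hostname: str) -> str:
    """Crude second-level label; no public-suffix handling (assumption for the demo)."""
    parts = hostname.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def reasons_for(cert: CertRecord) -> list[str]:
    """Return a human-readable reason for every suspicious pattern found in the cert's names."""
    reasons = []
    for host in sorted(cert.hostnames()):
        for kw in PANDEMIC_KEYWORDS:
            if kw in host:
                reasons.append(f"pandemic keyword '{kw}' in {host}")
        label = registrable_label(host)
        for token in label.split("-"):
            for brand in PROTECTED_BRANDS:
                # brand-login.example style: the brand itself is a token of a longer label.
                if token == brand and label != brand:
                    reasons.append(f"brand '{brand}' embedded in label '{label}' ({host})")
                # micros0ft style: token is within a small edit distance of the brand.
                # Distance 0 with label == brand is the genuine domain and is not flagged.
                elif 0 < levenshtein(token, brand) <= MAX_EDIT_DISTANCE:
                    reasons.append(f"token '{token}' is a near miss of '{brand}' ({host})")
    return reasons


def scan(certs: list[CertRecord]) -> dict[str, list[str]]:
    """Map the common name of every flagged certificate to its reasons."""
    flagged = {}
    for cert in certs:
        reasons = reasons_for(cert)
        if reasons:
            flagged[cert.common_name] = reasons
    return flagged


# Constructed sample input: three phishing-style names, one genuine brand, one unrelated site.
SAMPLE_CERTS = [
    CertRecord("covid19-relief-login.example", ["www.covid19-relief-login.example"]),
    CertRecord("micros0ft-office365-verify.example"),
    CertRecord("*.coronavirus-tracker.example"),
    CertRecord("microsoft.com", ["www.microsoft.com"]),
    CertRecord("www.example.org", ["example.org"]),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_CERTS).items():
        print(name)
        for r in reasons:
            print("   ", r)
```

Keyword hits are a triage signal, not a verdict: legitimate health authorities registered “coronavirus” domains too, so the output belongs in an analyst queue or a blocklist review, not straight into an enforcement point.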
According to F5 Labs, phishers are generally going about their business with increasing speed, professionalism and creativity, for instance when it comes to generating website addresses that look as realistic as possible. Compromised but otherwise reputable websites, for instance vulnerable WordPress installations, are readily used to host and conceal phishing pages. Attackers are increasingly focusing on Microsoft/Office 365 with new tactics such as “consent phishing”, in which the victim is tricked into granting an attacker-controlled OAuth application access to their account; no password is ever captured and multi-factor authentication is not triggered, so password resets alone do not revoke the access. Last but not least, a growing number of phishing websites employ “evasion techniques” to avoid being detected by companies or investigated by security researchers.
To safeguard your company’s email accounts, we highly recommend the Retarus Email Security service, which includes an enhanced phishing filter and dedicated CxO Fraud Protection. In this way, you can ensure that the vast majority of phishing emails never reach your employees’ inboxes. And if one does make it through, our patented Patient Zero Detection service can find it even after it has been delivered. You are also welcome to download our free anti-phishing guide, available in five languages, to raise your users’ awareness of this tricky topic. For more information, please take a look at our website or get directly in touch with your local Retarus representative.