APWG Q4 Report: Phishing Hits All-Time High in December 2021; Attacks Triple Since Early 2020

  • Ransomware Attacks Spike Upward 36 Percent in Q4 2021 from Previous Quarter

  • Phishing Hits All-Time High in December 2021

Cambridge, Massachusetts, February 25, 2022

The APWG's new Phishing Activity Trends Report reveals that APWG saw 316,747 phishing attacks in December 2021 — the highest monthly total observed since APWG began its reporting program in 2004. Overall, the number of phishing attacks has tripled from early 2020.

In the fourth quarter of 2021, APWG founding member OpSec Security found that the financial sector, which includes banks, became the most frequently attacked cohort, accounting for 23.2 percent of all phishing. Attacks against webmail and software-as-a-service (SaaS) providers remained prevalent as well. Phishing against cryptocurrency targets — such as cryptocurrency exchanges and wallet providers — inched up to represent 6.5 percent of attacks.  

Overall, the number of brands that were attacked in 4Q descended from a record 715 in September 2021, cresting at 682 in November for the Q4 period.

Abnormal Security observed 4,200 companies, organizations, and government institutions falling victim to ransomware in Q4 2021, some 36 percent higher than in Q3 2021 and the highest number the company has witnessed over the past two years. "The overall distribution of ransomware victims indicates that ransomware attacks are industry-agnostic," said Crane Hassold, Director of Threat Intelligence at Abnormal Security.

"Like with other financially-motivated cyber-attacks, the focus of most ransomware attacks is more about the ability to quickly profit from the exploitation of a corporate network and less about the characteristics of the victim company itself." The top industries impacted by ransomware in Q4 2021 were manufacturing, retail & wholesale, business services, construction, and healthcare.

PhishLabs, by HelpSystems, analyzed malicious emails reported by corporate users and categorized them by threat type. PhishLabs found that in Q4 2021: 51.8 percent of them were credential theft phishing attacks; 38.6 percent were response-based attacks (such as BEC, 419, and gift card scams); and 9.6 percent were malware delivery attacks.

Agari by HelpSystems found that the average amount requested in wire transfer BEC attacks in Q4 2021 was $50,027, down from $64,353 in Q3 2021. This decrease was because scammers requested fewer big-dollar transfers over $100,000. RiskIQ also observed that a surge in phishing continued, along with an increase in the overall number of phishing emails. And Axur found that phishing in Brazil went down in Q4, a pleasantly surprising development during the holiday shopping season.

Agari found that domain name registrar NameCheap was the primary registrar used by cybercriminals to register the domain names for BEC attacks in 4Q 2021. NameCheap accounted for more than half of all BEC domain registrations, with Google and GoDaddy each making up 8 percent. As the name implies, NameCheap is one of the least expensive places to register a domain. This is likely a factor in its popularity with scammers.

RiskIQ found that the 13,947 confirmed phishing URLs reported to APWG in Q4 2021 were hosted on just 1,444 unique second-level domains. In comparison, in Q3 RiskIQ analyzed 4,340 confirmed phishing URLs and found that they were hosted on 2,649 unique second-level domains — almost twice as many domains.

Trends Report Resource Note for Researchers: With this edition of the Trends Report, APWG adds metrics for ransomware attacks [p. 6] and malicious email types [p. 10]. 

Abnormal Security's ransomware metrics provide insight into the industry verticals that are being subject to ransomware attacks, the relative intensity of attacker interest for each one and, as importantly, the revenue-echelon of victim enterprises that are the focus of ransomware gangs' interest. This knowledge helps organizations' managers, curators and security vendors better understand their overall risk for being subject to ransomware attack.

PhishLabs' metric for email attacks segments the categories into threat types (credential theft; response-based attacks; and malware delivery) to bring insight into the nature of cybercrime attacks directed against enterprise users. Historically, the Trends Report focused on consumer-targeted phishing attacks employing social-engineering based phishing attacks that abused brands — but, for full-spectrum understanding of user risks at work and at home, PhishLabs' metric measures the kinds of email threat types experienced by enterprise users.

Trends Report Correction Note

Due to a transcription error, an early edition of the Q3, 2021 Trends Report, published 22 November 2021, indicated that attacks against financial institutions and payment providers combined accounted for 34.9 percent of attacks in the quarter when the actual and correct percentage should have been reported as 24.9 percent. All previous APWG Trends Report editions from January, 2004 onward, are available in this directory as a service to industry, government, multilateral organizations and the general public.