Credential-seeking cyberattackers garnered the most phishing success by impersonating the brands of telecommunications firms, financial institutions, and popular technology companies in 2022.
That's according to an analysis of data collected by Internet services provider Cloudflare, which found that Individuals most often clicked on links in emails that appeared to come from AT&T and Verizon, PayPal and Wells Fargo, or Microsoft and Facebook. The rankings did not align with popularity — the Internal Revenue Service ranked No. 6 — but rather with the size of the brand's user base and the relative opportunity to turn compromise into cash, says Matthew Prince, CEO and co-founder of Cloudflare.
"We're seeing up and down the brand list, from the largest and most risky down to the smallest, that phishing is not going away as a problem," Prince says. "Email still continues to be the No. 1 entry point for an attacker [and] phishing still continues to be the No. 1 threat for almost all of our customers."
In addition, attackers are increasingly using phishing in an attempt to steal credentials from privileged employees and gain access to corporate networks, he says.
Cloudflare is not the only organization to see phishing as a threat, of course. In 2022, more than 300,000 complaints of phishing attacks flooded the FBI's Internet Crime Complaint Center (IC3), slightly down from the peak in 2021 of nearly 324,000 complaints, but a 162% increase from three years ago. The numbers do not include business email compromise (BEC) and investment scams, the most damaging types of attacks, both of which typically have a targeted phishing component.
The phishing problem can be more problematic on mobile devices, since attackers are harder to spot in most mobile mail clients. In 2022, mobile phishing encounter rates — a measure of the number of phishing attempts the average user receives — increased roughly 10% for enterprise devices and more than 20% for personal devices, according to mobile-device management firm Lookout. Overall, half of mobile users faced a phishing attack at some point in 2022, the company stated in its recent "State of Mobile Phishing in 2023" report.
An Often-Ignored Threat
Most users have become inured to the fake emails using known brands to attempt to harvest credentials as the first step in an account compromise. Yet the deluge of disguised emails do have the occasional success, which makes the effort worth the attackers' time and mean that they remain the most common cause of data breaches.
Cloudflare used data from its domain name service (DNS) resolver to find the known phishing URLs that were most often visited by users, with visits to common hosting sites, such as Google and GoDaddy, removed from the data if the site could not be confirmed to be fraudulent.
It's not an indication of a successful phishing attack, but the top-50 list does show which emails overcome the recipient's initial skepticism, Cloudflare's Prince says.
"There are plenty of phishing scams where you might get something and say — 'Is this legitimate?' — so you might click on that link," he says. "It's at least the start down a journey of success; it doesn't mean that somebody necessarily entered their credentials, or even, if they entered information, that they entered accurate information."
Last August, Cloudflare detected a sophisticated phishing attack against the company, the same attack that compromised customer-data platform Twilio and more than 100 other companies, dubbed "Oktapus" for its targeting of the identity firm Okta.
Most recently, a phishing email sent to a Reddit employee led to a cloned gateway for the company and allowed an attacker to gain access to the social media site's internal network for a few hours.
The Long Tail of Phish
The top-50 list represents typical targets of credential stealing campaigns, and while there is a significant difference in volume between the start and the end of the list, smaller companies and the much lower volume of phishing directed against their brands result in a very long tailed distribution, Prince says.
Attackers tend to see phishing directed against brands in the top 50 as a way to steal money, packages, or valuable information from accounts, while the long-tail phishing tends to focus on gaining access for further compromise, Prince says. The first 10 companies on the list are AT&T, PayPal, Microsoft, DHL, Facebook, the IRS, Oath Holdings/Verizon, Mitsubishi UFJ NICOS, Adobe, and Amazon. The final five companies on the list are Banco Itaú Unibanco, Steam, Swisscom, LexisNexis, and Orange S.A.
"In most of these cases, when it's in the top-50 list, it's about how an attacker can gain access to an account to, in relatively short order, do something that generates cash for the attacker," he says. "I think that when we look at some of the more targeted attacks, those [that] are much more about compromising systems, they then can be used more indirectly to launch some sort of attack."