Businesses: It's time to implement an anti-phishing plan

What Google learned from 1 billion evil email scams

Google and researchers at Stanford University have released an in-depth study analysing 5 months of phishing / malware mails sent globally. “Who is targeted by email-based phishing and malware? Measuring factors that differentiate risk” looked at more than a billion mails. The results were then fed into a presentation at the Internet Measurement Conference.

After digging into phishing and malware campaigns automatically blocked by Gmail, the researchers discovered quite a few things about current trends in the world of phishing.

Rogue email analysis: key findings

  • 42% of attacks target users in the US
  • 10% target users in the UK
  • 5% of attacks target users based in Japan

Attacks primarily focus on North America and Europe, with the US receiving the highest volume of phishing and malware mails. However, the highest risk countries are in Africa and Europe. According to the study, 16 countries exhibited a higher risk on average than the US.

English: the international language of scamming

Localization isn’t particularly popular, with most attacks deploying English email templates across multiple countries: 83% of phishing mails and 97% of malware mails are written in English. The researchers do note that some localization takes place, however, with 78% of phishing mails in Japan written in Japanese.

Campaigns are “fast churn”. One particular template may be sent to 100 – 1,000 targets, with campaigns lasting one to three days on average. In one week, small campaigns can account for more than 100 million phishing / malware mails targeting Gmail users.

Ageing, data breaches, and fewer devices

The risk of being targeted increases a little as you move upward through each age group. If you’re in the 55-64 bracket, you’re potentially a more attractive proposition than someone sitting in the 18-24 or 35-44 age ranges. Whether this is due to older users being theoretically more susceptible to scams, or simply that their online footprint is easier to find, is not decided either way.

Previous data breaches bump up the risk. You have far higher odds of being attacked if your details have been exposed in a data breach. You can’t put that data genie back in the bottle and it makes sense that scammers would actively enumerate mails and dig into demographic information.

Sticking to your mobile phone gives you the lowest risk of attack, and the highest risk comes with using multiple devices. Using a single personal computer places you in the middle.

You can read the full study here.

Brush up on your phishing knowledge

We’ve a wealth of anti-phishing tips and advice here at Malwarebytes.

  • How to spot mobile phishing: You might be in a lower risk category than others according to the above study, but it’s not a no-risk category. A little caution is never a bad thing either way.
  • Spear phishing: As has been mentioned, some activities lend themselves to a higher chance of being targeted. Some of it, like old breaches, is beyond your control. Explore how spear phishers operate, and consider how you might reduce your risk.
  • Gaming the gamers: Take a look at a common gaming phishing style.
  • COVID scams: The pandemic is a huge draw for malware authors, phishers, and social engineers. Individuals and businesses in need of financial assistance are prime targets for those up to no good. Familiarise yourself with scam tactics and avoid phishy antics and malware-laden missives.
  • More general phishing scams: We have a rundown of the most common ways phishers try to breach your trust.

Don’t be complacent about phishing

With these tips and tricks, you’ll hopefully be more prepared when facing down the latest phishes in your mailbox. Whether they want your login, bank details, data, or hard drive access, the threat is very much real. It’s also so common that we’re perhaps numb to the danger of something we see on a daily basis. It might be a regular fixture in your mailbox, you may roll your eyes at the latest fake bank transfer, but rest assured: it works.