Reading Time: ~ 3 min.

One of the most notable findings to come from the Webroot
2020 Threat Report
was the significant rise in the number of active
phishing sites over 2019—a 640% rise, to be exact. This reflects a
year-over-year rise in active phishing sites, but it’s important to keep this
(dangerous) threat in context.

“Of all websites that host malicious content, phishing
historically has been a minority,” says Webroot Security Analyst Tyler Moffitt.
“While it’s growing quite a bit and a significant threat, it’s still not a
large percentage of the websites being used for malicious content. Those would
be things like botnets or malware hosting.”

This traditional low instance rate is likely one
explanation—or at least a portion of an explanation—that’s led to such a gaudy
increase in the number of active sites.

Here are three other factors that may have contributed to
the rise.

The diversification of attacks

Since first being described in a 1987 paper, phishing
attacks have diversified considerably. While it was once reliably email-based
with a broad scope, it now entails malware phishing, clone phishing, spear
phishing, smishing, and many more specialized forms. Inevitably, these strains
of attack require landing pages and form fields in for users to input the
information to be stolen, helping to fuel the rise in active phishing sites.

Spear phishing—a highly targeted form of phishing requiring cybercriminals study their subject to craft more a realistic lure—has turned out to be a lucrative sub-technique. This has likely contributed to more cybercriminals adopting the technique over mass-target emails pointing to a single source. More on profitability later.

Check out this
infographic for 5 tips on recognizing a phishing email.


After years of studying phishing data, it’s clear that the
number of active phishing sites rises predictably during certain times of the
year. Large online shopping holidays like Prime Day and Cyber Monday inevitably
precipitate a spike in phishing attacks. In another example, webpages spoofing
Apple quadrupled near the company’s March product release date, then leveled

Uncertainty also tends to fuel a rise in phishing sites.

“Not only do we always see a spike in phishing attacks
around the holidays,” says Moffitt, “It also always happens in times of crisis.
Throughout the COVID-19
we’ve followed a spike in phishing attacks in Italy and smishing
promising to deliver your stimulus check if you click. Natural
disasters also tend to bring these types of attacks out of the woodwork.”

The year 2019 was not without its wildfires, cyclones, and
typhoons, but it’d be safe to suspect the number of phishing sites will grow
again next year.

Short codes and HTTPs represent more phishing opportunities
for cyber criminals. Malicious content is now often hosted on good domains (up
to a quarter of the time, according to our Threat Report). Short codes also have
the unintended consequence of masking a link’s destination URLs. Both these
phenomena make it more difficult to identify a phishing attack.

“All of sudden these mental checks that everyone was
told to use to sniff out phishing attacks, like double-checking URLs, no longer
hold,” says Moffitt.


Let’s face it, this is the big one. The rise in popularity
of shared drives makes it more likely that any single phishing success will
yield troves of valuable data. Compromising a corporate Dropbox account could
easily warrant a six-figure ransom, or more, given the looming threat of GDPR
and CCPA compliance violations.

“A few years ago, most of the targets were financial targets
like PayPal and Chase,” according to Moffitt. “But now they are tech
targets. Sites like Facebook, Google, Microsoft, and Apple. Because shared
drives offer a better return on investment.”

Even for private individuals, shared drives are more bang
for the buck. Credentials which can easily lead to identity theft can be sold
on the dark web and, given the rampant
rates of password re-use
in the U.S., these can be cross-checked against
other sites until the compromise spirals.

Finally, phishing is profitable as an initial entry point.
Once a cybercriminal has accessed a business email account, for instance, he or
she is able to case the joint until the most valuable next move has been

“It’s a really lucrative first step,” says Moffitt.

Don’t take the bait

Installing up-to-date antivirus software is an essential first
step in protecting yourself from phishing attacks. Features like Webroot’s
Real-Time Anti-Phishing Shield can help stop these attacks before a user has
the chance to fall for it. Continual education is equally as important. Webroot
data shows that ongoing phishing simulations can lower
click-through rates

The post What’s Behind the Surge in Phishing Sites? Three Theories appeared first on Webroot Blog.