Phishing at ‘record level’ as cybercriminals exploit pandemic

New research from F5 Labs shows the risk of being phished is at a record level, as cybercriminals take advantage of the technological disruption caused by COVID-19.

The Phishing and Fraud report 2020 estimates that phishing attacks will continue to rise 15% year-on-year in the post-COVID era. 

The report shows that fraudsters were quick to take advantage of the confusion caused by the pandemic as spikes in phishing incidents closely coincided with various lockdown measures and the increase in remote working. According to F5’s analysis, of the phishing attacks recorded during 2020, the following key trends in phishing activity can be identified.

The first being that fraudsters are increasingly utilising certificates to entice people into clicking by using the terms “covid” and “corona” in their URLs. 

The data suggests that during initial lockdown in March, there were almost 15,000 active certificates with these terms – a 1102% increase from February. According to the report, it was around the same time that email users’ inboxes began being hit with bogus emails titled, “Covid-19 in your area?” and “Message from the World Health Organization.”

“The risk of being phished is higher than ever and fraudsters are increasingly using digital certificates to make their sites appear genuine,” said David Warburton, Senior Threat Evangelist at F5 Labs. “Attackers are also quick to jump onto emotive trends and COVID-19 will continue to fuel an already significant threat. Unfortunately, our research indicates that security controls, user training and overall awareness still appear to be falling short across the world,” he adds. 

The report also said that fraudsters are able to operate “in plain sight”, with statistics showing that most phishing sites leveraged Transport Layer Security (TLS) encryption. A huge 72% of attacks analysed were using valid HTTPS certificates to persuade users of their legitimacy. This year, the report states that 100% of drop zones – which are the destinations of stolen data sent by malware – used TLS encryption, compared to 89% last year.

Additionally, the report found that over half of phishing sites (55%) made use of target brand names and identities in their URLs. F5 Labs results suggest that Amazon was the most used identity in the latter half of 2020. Other brands such as Paypal, Apple, WhatsApp, Microsoft Office, Netflix, and Instagram were also among the top ten most impersonated, according to the report.

The report also indicates that in 2020, cybercriminals increased their attack on “reputable but vulnerable” “host” sites such as WordPress, which alone accounted for 20% of generic phishing URLs – a huge increase from 4.7% in 2017.

Moreover, the data suggests that Office 365 “continues to present a rich and compelling target for attackers with fraudsters employing new tactics such as consent phishing”, where instead of trying to steal the user’s login credentials, an attacker seeks consent for an attacker-controlled app to access valuable data without the person’s full-understanding. 

The report shows an increasing number of phishing sites are using evasion techniques to avoid detection and inspection by targeted businesses and security researchers.

Using insight from Shape Security, the analysis was able to determine how quickly a hacker is able to access your goods. The data suggested that cybercriminals are making use of their stolen goods within just four hours of the user being tricked. “Some attacks even occurred in real time to enable the capture of multi-factor authentication (MFA) security codes,” the report found. 

“Phishing attacks will continue to be successful as long as there is a human who can be psychologically manipulated in some way,” says Warburton. 

“Security controls and web browsers alike must become more proficient at highlighting fraudulent sites to users. From deceptive URLs to abuse of HTTPS certificates, both staff and customers must be continuously trained on the latest techniques that fraudsters are using.”


The largest data protection, privacy and security event of 2020, now available on-demand!

Featuring four whole days of keynote sessions, panel debates, and an opportunity to network and chew over all things data-related through discussions in public boards and virtual booths, PrivSec Global is now available to watch on-demand.

You can access the content from all four days, by registering for access to our PrivSec Global platform below.

Learn More and Register

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.