APWG Global Phishing Survey Musings

I always enjoy when new reports are released from various industry orgs that discuss the latest trends in spam, phishing, and cyber crime.  Last week the Anti-Phishing Working Group released the results from their 2H 2011 Global Phishing Survey.  There were a couple of things that I found interesting about the report that I wanted to take a moment to comment on.

* PayPal is no longer the top phished brand on the internet

This mantle has been passed to Taobao.com, one of China’s largest e-commerce sites.  This is a significant shift from the first half of 2011, when PayPal was still far and away the global leader in phishing attacks.

Let’s dive into that for a moment and discuss why that could be the case.

Back in 2007 and 2008 PayPal made arrangements with Yahoo and Google to block unauthenticated emails that appeared to be coming from PayPal’s domains.  These relationships made direct domain spoofing of PayPal impossible at some of the largest mailbox providers in the world and prevented a significant number of phishing attacks from ever being delivered.  Over time this made PayPal a less attractive target to spammers, because they typically gravitate to wherever the barrier to getting what they want is lowest.

* The average uptime for a phishing site is about 46 hours

In my opinion, although there have been some significant strides made in reducing the uptime of phishing sites, there is still a lot of work that needs to be done.  The faster that an attack can be blocked, the smaller the downstream effect on the company being targeted.  This means that being able to block phishing attacks proactively through technologies like DMARC (which Return Path is a founding member company of) becomes that much more important, because while the attack is happening, emails that are being sent out using the targeted brand’s domain can be blocked before ever reaching customer inboxes.

According to an article that was posted to SC Magazine back in December 2010, 90% of the credentials that are going to be stolen during a phishing attack are stolen within the first 10 hours that the attack is live, and 50% are stolen within the first hour.  So, as you can see, there is a point of significant diminishing returns only a very short time after the attack is launched.

* APWG reports that the top 20 phishing targets accounted for 78% of phishing attacks

Nobody will argue the fact that financial institutions are still the most frequently targeted vertical for phishing attacks (well, you shouldn’t argue this), but the other 22% is spread across almost every other vertical where consumers spend their time and money and share sensitive information on the internet, such as social networking and online gaming (did you know that Cryptic Studios, makers of games such as City of Heroes and Star Trek Online, just recently announced a breach of their own?).  This remaining 22% accounts for a significant amount of malicious email traffic daily, and the brands that are targeted even just once or only a handful of times suffer a significant loss of brand loyalty and mistrust from their customers.  The takeaway here is not to assume that phishing is only a problem for the financial services companies.  Such a mentality leads to a letting down of your own guard, which makes your organization ripe to be the next target.
