Phishing Landscape 2023: An Annual Study of the Scope and Distribution of Phishing

The study, which analyzes over 11 million phishing reports collected from 1 May 2020 to 30 April 2023, provides annual and triennial measurements of phishing.

Phishing continues to defraud millions of Internet users and businesses each year. The U.S. FBI estimates $2 billion in losses from a single form of phishing called business email compromise (BEC), and these self-reported figures vastly underestimate the harm and losses. Recovery from data breaches where phishing was the initial vector can exceed $5 million per attack.

Among the major findings in the study, Interisle reports that:

  • The number of phishing attacks has tripled since May 2020, and has increased 65% over the 2022 yearly study period.

  • The number of unique domain names reported for phishing continues to increase. More than 1 million unique domain names were reported for phishing during the current yearly period.

And the growth is concentrated:

  • New gTLDs continue to host a disproportionate, growing share of phishing domains. Year after year, 90% of phishing domains in new gTLDs are in just 25 new gTLDs.

  • Phishers prefer to host their web pages in the US, and 42% of all phishing attacks were concentrated in just five US-based hosting networks.

  • User accounts created to host phishing web sites at subdomain providers more than doubled. 80% of these attacks occurred on accounts created at just eight providers.

The most disturbing finding?

  • Two-thirds of domain names reported for phishing across all TLDs were registered specifically to carry out a criminal act. Preventing the registration of these domains, and taking them down quickly, should be a priority for the domain name industry.

Phishing leverages Internet resources, exploits vulnerable technologies, and takes advantage of policy and legislative regimes that are siloed and often ineffective. Pervasive phishing and other cybercrimes contribute to a lack of consumer trust in online services, which in turn creates a drag on economic opportunity.

Phishing is a global threat. Fighting it effectively will require worldwide policy and legislative attention, the cooperation of domain name registries and registrars, Internet and web hosting service providers, and national and international government agencies. In the report, Interisle discusses how policy regimes can be more proactive in mitigating phishing, how governments might encourage effective phishing mitigation strategies, and what past and recent successes in litigating the organizations from which phishers most frequently obtain the resources they use for their criminal activities can teach. These recommendations include, for domain name registries and registrars:

  1. Clear prohibition of the use of registered domain names to conduct fraudulent, illegal, or deceptive practices, including phishing.

  2. Requirement for swift suspension or cancellation by registrars and registries of domain names that are identified as maliciously or abusively registered.

  3. A duty for domain name registrars and registries to investigate reports of abuse within a clearly defined and timely period, and

  4. Adoption of preventative, proactive anti-abuse techniques.

The report emphasizes that mitigation requires cross-industry collaboration, and explains that hosting operators must also commit to these or similar proactive measures. The report also encourages governments to consider taking a more prominent role in ensuring such cybercrimes are less likely to emanate from their namespace.

In the absence of more effective mitigation measures and broader cooperation, litigation has proven to be an effective tool in stemming abuse. In late 2022, Freenom was sued by Meta and the impact was immediate. By January 2023, Freenom stopped offering domain names, and the number of Freenom domains used for phishing quickly plummeted. The report reviews more than a decade of lawsuits involving domain names to demonstrate this effect.

The opinions, findings, and conclusions or recommendations expressed in this report are the product of independent work conducted by Interisle Consulting Group, without direction or other influence from any outside party, including parties that may have provided funding to support the work.

Comments can be submitted to criminaldomainabuse@interisle.net
