Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.

Background

Payment card and bank account phishing—a method in which fraudsters trick victims into unwittingly providing payment card data, login credentials, or personally identifiable information (PII)—has always been a popular criminal scheme. However, many indicators show that phishing attacks rose sharply in 2020. From 2019 to 2020:

• TheFBI reported a 110% increase in phishing victims
• Gemini identified a 72% increase in the volume of dark web forum posts referencing phishing
• Gemini identified a 101% increase in the volume of compromised US payment cards with a high likelihood of being phished that were posted for sale on the dark web

As Recorded Future’s Insikt Group has reported, the boom in phishing in 2020 has been facilitated by the proliferation of phishing-as-a-service (PhaaS). PhaaS—which includes customized phishing pages, “outsourced” spam phishing campaigns, and other web traffic schemes—makes it easier for less technically sophisticated fraudsters to engage in phishing, thereby increasing the pool of attackers. Furthermore, COVID-19 restrictions forced many fraudsters to look for criminal profits outside of well-established methods of exposing in-person transactions, known as Card Present (CP) transactions. Phishing, made easier through PhaaS, has offered fraudsters a way to seek new sources of profits by using fake sites to compromise payment card data, PII, login credentials, and bank account information.

Key Findings

• Phishing attacks sharply increased in 2020 with the FBI reporting a 110% increase in phishing victims. Gemini Advisory identified a 72% increase in the volume of dark web forum posts referencing phishing and a 101% increase in the volume of compromised US payment cards with a high likelihood of being phished that were posted to the dark web.
• Dark web actors are increasingly advertising bank-specific phishing pages and associated services that target customers of small and mid-sized financial institutions. This marks an expansion from established methods of creating generalized phishing sites or phishing sites for major companies with large customer bases.
• Fraudsters leverage “useless” compromised payment card data and personally identifiable information (PII) and “bank leads” to harvest victims’ email addresses, phone numbers, and financial institutions for the purpose of creating target lists.
• While small and mid-sized financial institutions, as well as their customers, are less accustomed to targeted phishing campaigns, the well-established best practices for protecting against phishing attacks serve as their best mitigation strategies.

Editor’s Note: This post was an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.