PhishLabs Releases 2017 Phishing Trends & Intelligence Report, Revealing Profound Shift in Who is Targeted and Why

Widespread acceptance of email addresses as User IDs and rampant password reuse have fundamentally reshaped modern cybercrime, driving a massive increase in phishing attacks targeting Cloud Services and SaaS providers.

CHARLESTON, S.C.--()--PhishLabs, the leading provider of 24/7 phishing defense and intelligence solutions, today released its 2017 Phishing Trends & Intelligence Report. Researched and authored by PhishLabs R.A.I.D. (Research, Analysis, and Intelligence Division), the report exposes significant changes in the fundamental dynamics and undercurrent of today’s phishing landscape that will impact organizations in profound ways for years to come.

The 2017 Phishing Trends & Intelligence Report can be downloaded at

“The business model of phishing has evolved. The bad guys have found ways to multiply their profits at the expense of organizations they aren’t even attacking directly,” said Joseph Opacki, PhishLabs Vice President of Threat Research. “The potential impact of this can’t be overstated. It needs everyone’s awareness and attention.”

Based on attack volume, cloud storage nearly surpassed financial institutions as the most phished industry in 2016. If current trends continue, attacks targeting cloud storage providers will outpace all others in 2017. This is a monumental shift from historic trends that reflects a prominent expansion of how phishers profit. Not only does this shift impact those targeted by phishing attacks directly, it also impacts any organization that relies on email addresses and passwords to authenticate their users.

While the volume of attacks targeting financial institutions continues to grow, the volume of attacks targeting sites with massive user bases, such as cloud storage providers, has exploded. Phishers are targeting these sites in order to mass harvest email address/password pairs. Due to the widespread reliance on email addresses instead of unique usernames and the frequency in which passwords are reused, a high percentage of these stolen credentials provide access to multiple accounts in addition to the account being directly phished; increasing the potential yield of a single attack exponentially. It also means that organizations using email addresses as usernames can reasonably assume that a significant portion of their users’ credentials have been compromised via phishing attacks that are not targeting them directly.

Additional key findings of the PhishLabs 2017 Phishing Trends & Intelligence Report include:

  • PhishLabs R.A.I.D. identified phishing sites residing on more than 170,000 unique domains, a 23% increase.
  • Phishing volume grew by an average of more than 33% across the five most-targeted industries.
  • Attacks targeting government tax authorities have grown more than 300% since 2014.
  • There were more IRS phishing attacks in January 2016 than there were in all of 2015.
  • Attacks on Canadian institutions grew 237%, more than any other country.
  • Ransomware attacks, the predominant type of malware being distributed via phishing, are now focusing on organizations that are more likely to pay ransoms, such as healthcare, government, critical infrastructure, education, and small businesses.
  • In a deviation from prior years, phishing volume peaked mid-year due to the influence of major global events, such as Brexit, and a spike in virtual web server compromises.
  • The share of attacks against targets in the United States continues to grow, accounting for more than 81% of all phishing attacks.
  • Although 59% of phishing sites were hosted in the United States, there was a significant increase in the number of phishing sites hosted in Eastern Europe.
  • Although the .COM top-level domain (TLD) was associated with more than half of all phishing sites in 2016, new generic TLDs are becoming a more popular option for phishing because they are low cost and can be used to create convincing phishing domains.
  • Of more than 29,000 phish kits analyzed, more than a third used techniques to evade detection. A phish kit is a collection of files containing the files and graphics needed to easily create a phishing site.

The information and analysis contained in the PhishLabs 2017 Phishing Trends and Intelligence Report is sourced from the company’s 24/7 operations and technologies used to fight back against phishing attacks. In 2016, PhishLabs analyzed nearly one million confirmed malicious phishing sites and mitigated more than 7,800 phishing attacks per month, investigating their underlying infrastructure and shutting them down. The company also analyzed thousands of unique malware samples from more than 100 ransomware variants and more than 20 banking Trojan families.

The report’s primary authors, Opacki, and Senior Security Threat Researcher Crane Hassold, will meet attendees, analysts and media at RSA Conference 2017, Feb. 13-16, in San Francisco. Both Opacki and Hassold are both former FBI subject-matter experts, and will present the report’s key findings in a live discussion. Space is limited and registration is required. PhishLabs also will host a webinar detailing the report’s key findings on Feb. 28.

About PhishLabs

Founded in 2008 and headquartered in Charleston, South Carolina, USA, PhishLabs provides 24/7 cybersecurity and threat intelligence services that help organizations fight back against attacks targeting their employees and customers. PhishLabs is trusted by four of the top five U.S. financial institutions, seven of the top 25 global financial institutions, leading social media and career sites, and top healthcare, retail, insurance and technology companies. In addition to mitigating more than 6,000 phishing attacks per month, PhishLabs clients benefit from real-world actionable intelligence, analysis, and guidance from the PhishLabs R.A.I.D. research division, which is comprised of some of the world’s most respected malware researchers, reverse engineers, and threat analysts focused on monitoring global attack trends, dissecting cyber tradecraft, and tracking cybercrime. For more information, visit and follow @phishlabs.

PhishLabs and T2 are registered trademarks or trademarks of Ecrime Management Strategies, Inc., in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.


Jim Engineer, +1 630-728-1387

Release Summary

Widespread acceptance of email addresses as User IDs and rampant password reuse have reshaped modern cybercrime, driving a huge increase in phishing attacks targeting Cloud Services, SaaS providers.


Jim Engineer, +1 630-728-1387