The APWG’s new Phishing Activity Trends Report reveals that in the first quarter of 2022, the APWG observed 1,025,968 total phishing attacks — the worst quarter for phishing that APWG has observed to date. This quarter was the first time the three-month total has exceeded one million. APWG saw 384,291 attacks in March 2022, which was a record monthly total.


In the first quarter of 2022, APWG founding member OpSec Security reported that phishing attacks against the financial sector, including banks, account for 23.6% of all phishing. Attacks against webmail and software as a service (SAAS) providers remained prevalent as well, while attacks against retail/ecommerce sites fell from 17.3 to 14.6% after the holiday shopping season. Phishing against social media services rose markedly, from 8.5% of all attacks in 4Q2021 to 12.5% in Q1 2022. Phishing against cryptocurrency targets — such as cryptocurrency exchanges and wallet providers — increased from 6.5 in the previous quarter to 6.6% of attacks.


John Wilson, Senior Fellow of Threat Research at APWG member HelpSystems, tracks the identity theft technique known as “business email compromise” (BEC). In Q1 2022, 82% of BEC messages were sent from free webmail accounts. Of those, 60% used Gmail.com, and 18% of BEC messages were sent from attacker-controlled domains, of which NameCheap was the most popular registrar, according to Wilson.


APWG member PhishLabs by HelpSystems analyzes malicious emails reported by corporate users. John LaCour, Principal Product Strategist at PhishLabs by HelpSystems, reports that in Q1 2022, PhishLabs observed a 7% increase in credential theft phishing against enterprise users, up to nearly 59% of all malicious emails. LaCour also noted that 47% of social media threats were impersonation attacks, up from 27% the prior quarter. “A lot of companies don’t realize that their executives are being spoofed on social media. This is a huge business risk,” said LaCour.


Hank Schless, Senior Manager, Security Solutions at Lookout, says mobile phishing attacks are becoming the biggest concern for IT and security teams. “Mobile devices exist at the intersection of our work and personal lives. Being phished through social media or SMS on the same device you use for work could compromise your work data just as much as your personal data. Additionally, it’s harder to spot a phishing attack on a mobile device than it is on a desktop. A lot of the red flags that we have been trained to spot on desktops are nearly impossible to see on a mobile phone. Remote workers, and the mobile devices they use to stay productive, are outside the bounds of traditional security tools that have been set up in an office setting. Teams can get ahead of the problem by implementing a true mobile security tool across employee devices, which will keep your company safe from these types of attacks.”