RSA finds two-thirds of phishing attacks directed at Canada

RSA Security researchers found that nearly 70% of phishing attacks were directed at users in Canada, while the majority of attacks come from U.S.-based ISPs and hosting providers.

A new RSA Security report on cyberfraud has troubling news for users north of the U.S. border.

The "RSA Quarterly Fraud Report: Q1 2020," released Thursday, examined a total of 50,119 incidents of fraud across the globe, with 54% attributed to phishing attacks. Daniel Cohen, RSA's head of anti-fraud products, said phishing is still the "go-to tool" for cybercriminals targeting end users at large.

According to the report, 66% of those phishing attacks were directed at users in a single country: Canada. RSA said Canada continued to dominate the list of top targeted countries for the fifth quarter in a row. "The country was the target of 7 out of 10 phishing attacks for the second year in a row, making it the top targeted country for every quarter of the last four. The United States was again second on the list [with just 7% of attacks]," RSA wrote in the report.

The report did not discuss why Canada has become such an overwhelmingly popular target with phishers. While RSA researchers noted a rise in COVID-19-related phishing attacks and social media scams, Canada's numbers for confirmed cases and deaths are low compared other countries such as the U.S., Brazil, Russia and Italy. Cohen said one factor is payment service provider Interac, which is used by a majority of Canadian financial institutions. “Most of the attacks target Interac so with a single attack, fraudsters target many Canadian banks,” he said.  

While the vast majority of phishing hit Canada in Q1, the report found most of those attacks came from the U.S. internet service providers (ISPs) and hosting providers in the U.S. accounted for almost 60% of phishing attacks in the quarter. Cohen said a major reason for the trend is that it's difficult for such large ISPs that to detect the malicious activity at scale.

"ISPs host a plethora of content, from small personal website to large enterprise sites. The former, unsurprisingly, are largely unprotected, with the website owner -- who is mostly uninformed of the risks -- not deploying the minimal security measures to protect their site," Cohen said. "Specifically, for the U.S. there are not a huge amount of said personal sites and fraudsters move quickly to compromise them and leverage them as staging grounds for their attacks."

RSA researchers also analyzed mobile app trends in the cyberfraud landscape. RSA defines mobile application fraud as mobile applications using an organization's brand without permission. While the overall volume of fraud originating on the web vs. mobile channels did not change much from Q4 2019 to Q1 2020, the distribution did.

"Q1 2020 was remarkable for the jump in volume of fraud transactions originating in a mobile app, rather than a mobile browser; it doubled from 13% in Q4 2019 to 26% in Q1 2020. This is the highest percentage of fraud transactions originating from a mobile app observed by RSA since Q2 2018," RSA wrote in the report.

"Mobile device fraud has been increasing in volume over the past several years as a result of users shifting from PCs to smartphones for activities like shopping and making transactions," Cohen said. "Now, with the pandemic causing people to do even more things online that we would usually do physically, like shopping for groceries, we're seeing mobile fraud transactions become even more prominent."

Online banking payments also saw an increase. RSA researchers observed that the percentage of transaction volume from new accounts doubled.

"One interesting development this quarter is that while the total percentage of new accounts being used for online banking logins and payments is still relatively low, at 1.5%, that figure is triple the .5% reported in Q4," RSA wrote in the report. Again, the security vendor said COVID-19 may have been a factor as investors looked for a safe place to put their money when stocks were dropping due to the pandemic.

Phishing continues to be a strong and primary attack vector going into Q2 2020, says Cohen, but RSA has also observed an increase in malware activity this year as well.

Next Steps

CrowdStrike breaks down 'Golden SAML' attack

Dig Deeper on Threats and vulnerabilities