Summary of Annual Phishing Activity
May 1, 2020 - April 30, 2021

Interisle Consulting Group used phishing data collected at the Cybercrime Information Center to measure phishing reports, phishing attacks, and the number of unique domain names reported for use in phishing attacks. The Group also measured famous brands that were targeted by phishers. A summary of their report, Phishing Landscape 2021: An Annual Study of the Scope and Distribution of Phishing, is published below.

Key Statistics

Table 1 provides a summary of key statistics from the annual study period.

| Measurement | Count |
|---|---|
| Total number of phishing reports this quarter | 1,487,914 |
| Phishing attacks reported | 695,823 |
| Unique domain names reported for phishing | 497,949 |
| Malicious phishing domain registrations | 322,145 |
| Top-level Domains (TLDs) where we observed phishing | 623 |
| Registrars that had gTLD domains under management reported for phishing | 997 |
| Hosting Networks (ASNs) where phishing web sites were reported | 4,110 |
| Brands targeted in phishing attacks | 1,804 |

Table 1. Key phishing statistics, May 2020 - April 2021

The total number of phishing reports is the sum of reports ingested from phishing feeds from 1 May 2020 – 30 April 2021.

The total number of phishing attacks is also a sum, of the attacks that were identified using the methodology described on the Phishing Terminology page.

Unique domain names reported for phishing is based on a determination of “the first occurrence of a domain name in a phishing report”. This number compensates for domains which recur in multiple quarters during the yearly period.

The numbers of TLDs, gTLD registrars, and Hosting Networks where phishing occurred were obtained by counting each operator that appeared in the yearly study data (essentially, the length of the list of operators).

The number of brands targeted in phishing attacks was calculated during the processing of phishing attacks.

Visit the Phishing Terminology page for additional detail.

Figure 1 shows that the number of phishing domains reported, phishing attacks, and unique domains reported for phishing all trended up over the yearly period.

Figure 1. Trends of key statistics over the period May 2020 - April 2021

Prevalence of Phishing by Top-Level Domain (TLD)

Figure 2 shows how domain names used for phishing attacks were distributed across the top-level domains.

Figure 2. Distribution of domains used for phishing attacks, by Top-level Domain

41% of all domains reported for phishing were in .COM and .NET. This percentage is smaller than the combined 46% market share of these TLDs.

21% of phishing was in the new TLDs. This was 3.5 times the new TLDs’ market share of 6%, indicating that domains in the new gTLDs are used disproportionately for phishing.

34% of domains used for phishing were in ccTLDs. ccTLDs represent 43% of the domain name market.

The remaining 4% of phishing was in the legacy TLDs, roughly in line with their market share.

Malicious Domain Name Registrations

A maliciously registered domain is defined as a domain registered by a criminal to carry out a malicious or criminal act. These are distinguished from compromised domains, which are defined as domain names that were registered for legitimate purposes but co-opted by criminals through some form of compromise.

By discriminating maliciously registered phishing domains from compromised domains (web sites), one can identify the parties that are best positioned to act to prevent phishing.

See the Terminology page for a description of the methodology used for identifying maliciously registered domain names.

Figure 3 shows that, for the yearly period, 65% of phishing domains were classified as maliciously registered domain names.

Figure 3. Malicious domain registrations versus compromised domains, by TLD

Figure 3 shows that, in some TLDs, malicious phishing domain registrations dominate the cumulative count of phishing domains for the yearly period. In other TLDs, compromised domains (e.g., web site hostnames) influence the total number of reported phishing domains.

Certain Registrars Attract Phishers More Than Others

Malicious registrations indicate where phishers were able to purchase domains. Figure 4 shows that certain registrars have very high percentages of malicious domain registrations among their domains under management (DUM). Figure 4 uses a measurement called the phishing score, which is calculated by dividing the number of phishing domain names reported against a gTLD registrar by the total number of domains managed by that registrar.

Figure 4. Comparison of malicious domain registrations versus compromised domains using phishing score.

The reputation of a Top-level Domain can be adversely influenced by the registration practices of a single gTLD registrar. Table 2 shows five TLDs where more than 95% of the TLD’s malicious domain name registrations were under management at a single gTLD registrar.

Table 2. Top 5 TLDs adversely influenced by registration practices of a single gTLD registrar
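
The phishing score and the single-registrar concentration check described above, combined with the first-occurrence counting of unique domains from the Key Statistics section, as an added example that is not code from Interisle or the Cybercrime Information Center. The record layout is an assumption, and all domains, TLD labels, registrar names and DUM figures are constructed placeholders.

```python
from collections import Counter, defaultdict

# Constructed sample reports: (report date, domain, TLD, registrar, maliciously registered?)
REPORTS = [
    ("2020-05-03", "acct-verify.tld-a", "tld-a", "Registrar-1", True),
    ("2020-08-19", "acct-verify.tld-a", "tld-a", "Registrar-1", True),  # recurs in a later quarter
    ("2020-06-11", "secure-login.tld-a", "tld-a", "Registrar-1", True),
    ("2020-09-02", "smallshop.tld-a", "tld-a", "Registrar-2", False),  # compromised site
    ("2021-01-07", "pay-update.tld-b", "tld-b", "Registrar-1", True),
    ("2021-02-14", "bank-alert.tld-b", "tld-b", "Registrar-2", True),
]
# Constructed domains-under-management (DUM) figures per registrar
DUM = {"Registrar-1": 1000, "Registrar-2": 50000}

def unique_domains(reports):
    """Keep the first report of each domain, so recurrences count once."""
    first = {}
    for rec in sorted(reports):  # ISO dates sort chronologically
        first.setdefault(rec[1], rec)
    return list(first.values())

def phishing_scores(reports, dum):
    """Phishing domains reported against a registrar divided by its DUM."""
    counts = Counter(rec[3] for rec in unique_domains(reports))
    return {reg: counts[reg] / total for reg, total in dum.items()}

def single_registrar_tlds(reports, threshold=0.95):
    """TLDs where one registrar holds more than `threshold` of the TLD's
    malicious registrations, as {tld: (registrar, share)}."""
    per_tld = defaultdict(Counter)
    for _, _, tld, registrar, malicious in unique_domains(reports):
        if malicious:
            per_tld[tld][registrar] += 1
    flagged = {}
    for tld, regs in per_tld.items():
        registrar, n = regs.most_common(1)[0]
        share = n / sum(regs.values())
        if share > threshold:
            flagged[tld] = (registrar, share)
    return flagged

if __name__ == "__main__":
    print(len(unique_domains(REPORTS)), "unique domains")
    for reg, score in phishing_scores(REPORTS, DUM).items():
        print(f"{reg}: {score:.5f}")
    print(single_registrar_tlds(REPORTS))
```

In the constructed data the smaller registrar has fewer domains under management but the higher score, which is why the score is normalized by DUM rather than reported as a raw count.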

Phishing attacks by hosting networks (Autonomous Systems)

Table 3 shows the five hosting networks (ASNs) that accumulated the most phishing attacks during the yearly period. See the Phishing Terminology page for a description of how phishing attacks are measured.

| Rank | AS Name | AS number | # Routed IPv4 Addresses | Cumulative Phishing Attacks |
|---|---|---|---|---|
| 1 | NAMECHEAP-NET | 22612 | 62,208 | 55,903 |
| 2 | CLOUDFLARENET | 13335 | 2,249,408 | 52,011 |
| 3 | UNIFIEDLAYER-AS-1 | 46606 | 1,385,856 | 35,363 |
| 4 | GOOGLE | 15169 | 15,953,280 | 32,330 |
| 5 | DIGITALOCEAN-ASN | 14061 | 2,379,072 | 15,794 |

Table 3. Top 5 hosting networks (ASNs), ranked by number of phishing attacks

Targeted brands

The Cybercrime Information Center collects data from several URL blocklists that identify targets in the metadata included in phishing reports. Using these and a complementary set of brand similarity identification rules, Interisle Consulting Group determined that phishers targeted 1,804 businesses or organizations during the yearly period, including banks, social media companies, webmail, games, national tax services, universities, and cryptocurrency exchanges. The tree map in Figure 5 illustrates the most phished brands during the yearly period.

Figure 5. Most phished brands, May 2020 - April 2021.

See the Phishing Terminology page for an explanation of how targeted brands are identified.

The report, Phishing Landscape 2021: An Annual Study of the Scope and Distribution of Phishing, provides further analyses of these and other measurements.