New PhishLabs Research Finds Sharp Jump in Attacks on Crypto As Overall Phishing Volume Increases 22%

Posted on August 17, 2021

Quarterly Threat Trends and Intelligence Report Finds Increase in Phishing Attacks Year-to-Date Over the First Six Months of 2020;
Qbot More Than Half of Payloads Encountered, as Darkside and Others Go Offline

August 17, 2021, Charleston, SC – PhishLabs, the leading provider of Digital Risk Protection solutions, today released their Quarterly Threat Trends and Intelligence Report. Overall, the first half of 2021 shows a 22 percent increase in the volume of phishing attacks over the same time period last year. Notably, however, phishing volume in June dipped dramatically for the first time in six months, immediately following a very high volume in May.

“Bad actors continue to utilize phishing to fleece proprietary information, and are developing more sophisticated ways to do so based on growth in areas such as cryptocurrency and sites that use single-sign-on,” says John LaCour, Founder and CTO of PhishLabs. “That said, it’s interesting to see the significant dip from May to June 2021. We’ll continue to monitor through the summer and analyze if we’re seeing a trend in the right direction, or if attackers simply took a summer vacation.”

Key findings of the PhishLabs Quarterly Threat Trends and Intelligence Report include:

  1. Crypto is fully in attackers’ sights: This category experienced an increase of phishing attacks 10 times greater than the previous quarter in 2021. Notably, a combination of brand, executive, and employee impersonation attacks accounted for more than half (54.7 percent) of all social media attacks on the Cryptocurrency sector. Threat actors are impersonating cryptocurrency businesses to confuse customers and cash in on the sector’s skyrocketing growth in a medium where a majority of the industry’s communications take place.
  2. Social Media An Increasing Attack Vector for Enterprises: Since the beginning of 2021, the average business experienced approximately 34 attacks on social media per month. However, by June this number rose closer to 50, representing a 47 percent increase through the first half of 2021. 
  3. Office365 a Clear Target: Office 365 phishing is the top email threat to corporate users. Fifty-one percent of credential theft attacks found in corporate inboxes during the second quarter targeted O365 accounts.
  4. Single Sign On Is Increasingly Attractive to Bad Actors: Notably, the report shows an increasing pattern of threat actors targeting accounts used for single sign-on (SSO). Forty-five percent of phishing sites targeted accounts that are commonly used for SSO. 
  5. Ransomware Drives Shift in Email Payloads: On the flip side, there is a constant shifting of payload families, with a strong correlation to trends in ransomware. Qbot was the leader in the second quarter of 2021, making up more than half (54.1 percent) of the payloads encountered, followed by ZLoader (which declined sharply from Q1, possibly due to association with the Darkside ransomware group, which claimed to be shutting down following the Colonial Pipeline attack in May).

“These core findings paint a very specific picture of what bad actors are turning to in order to infiltrate corporate accounts. For one, as they’ve gained prominence, crypto exchanges are being targeted with many of the same cyber threats that larger, more established financial institutions have faced for years. Crypto firms need to be aware of and better prepared to deal with online impersonation and other scams,” says LaCour. “Additionally, the continued increase in SSO attacks suggests that criminals recognize that compromising an account used for SSO can give them access to many more secondary accounts that trust the SSO account for authentication. This makes these platforms a highly rewarding target, especially if they gain access to Office365 at the enterprise level. An in-depth approach combining technology, user education and operational processes is needed to combat this trend.”

Additional trends outlined in the report include: 

  • Ongoing use of HTTPS-based attacks, which comprise 82 percent of phishing attacks, demonstrating that HTTPS alone is not a sufficient basis for trust
  • The growth of vishing scams
  • An increase in abuse of tunneling services
  • The continued abuse of free email accounts such as Gmail and Hotmail to launch phishing attacks

PhishLabs analyzed and mitigated hundreds of thousands of attacks targeting enterprise brands and employees in the second quarter of 2021. The report uses data from those attacks to determine key trends shaping the threat landscape.

PhishLabs Founder and CTO John LaCour will discuss key findings from the report in a webinar today at 2 p.m. ET. 

The PhishLabs Quarterly Threat Trends and Intelligence Report is available to download here.

About PhishLabs

PhishLabs is a cyber threat intelligence company that protects against brand, account takeover, and data leakage threats. Founded in 2008, we deliver curated threat intelligence and complete threat mitigation across the digital risk landscape. The world’s leading brands and companies rely on PhishLabs to find and remediate external threats wherever they live. For more information visit
