Where Does Phishing Start? This Report Lays it Out

June 03, 2021

Phishing threats seem like they’re everywhere. At the heart of many damaging cyberattacks, businesses and employee inboxes are endlessly under siege by dangerous phishing email. We know that those messages are being sent by cybercriminals who are trying to lure unwary employees into their traps. But where are they sending their poisoned messages from? 

In a study done by experts at Columbia University in concert with Barracuda, we get the answer to that question and more details about who is most involved in running phishing scams and what could be a clue that a message is illegitimate. Researchers studied a sample of more than 2 billion emails in order to discover the key geographic locations for practitioners of phishing-based cybercrime. The breakdown is a fascinating look at how geography factors in to determining if a message is genuine or phishing. 

Automated security isn’t a luxury. See why Graphus is a smart buy.

Location, Location, Location 

Where an email starts its journey to the target is a telling clue as to its intent. Just as phishing attackers have preyed on the large number of employees working remotely to carry out their schemes, cybercriminals are working remotely too In general, researchers found that countries with a higher probability of being the point of origin for phishing are typically located in parts of Eastern Europe, Central America, the Middle East and Africa. It is important to note that even though a country has a high volume of phishing originating from there, it can still have an extremely low probability of phishing. The study cited an example that showed that even though 129,369 phishing emails in the dataset were sent from the US, there’s still only a 0.02% probability of an email sent from the US being phishing, and most countries had a phishing probability of 10% or less. 

The countries which generate a higher volume of phishing emails (more than 1,000 emails in the dataset) are clustered in just a few regions. The study noted that messages with a higher probability of phishing originated from these locales (in descending order):   

  • Lithuania 
  • Latvia 
  • Serbia 
  • Ukraine 
  • Russia 
  • Bahamas 
  • Puerto Rico 
  • Colombia 
  • Iran 
  • Palestine 
  • Kazakhstan 

See the tide of phishing rise & fall to spot future trends in the eBook Fresh Phish. GET IT>>

Follow That ISP 

So who owns the networks that cybercriminals are using to send out their poison pen letters? Surprisingly, it’s the large cloud service providers that cybercriminals are using the most. These big players do have one major factor that drives them to the top of the list for the very highest number of phishing attacks originated – they have the largest total volume of emails sent.  

Which makes sense. More email, more phishing. An estimated 1 in 99 emails that a business receives are phishing messages. The majority of those messages are adjudicated by a human, and humans make mistakes. That’s why a precipitate increase in email volume is one of the triggers that spawned the current phishing crisis, and that crisis shows no signs of abating as email volume is expected to continue rising. Roughly 306.4 billion e-mails were estimated to have been sent and received each day in 2020, and this figure is expected to increase to over 376.4 billion daily emails by 2025. 

That means that while the probability of an email being sent using one of the major networks being a phishing email is very low, their total volume of phishing will be high simply from their outsized presence. The researchers also noted that they suspect that most of the attacks originating from these networks are coming from compromised email accounts or servers and that cybercriminals accessed those assets with compromised passwords. Amazon, Microsoft and Twitter had the highest volume of phishing emails sent from within their infrastructure.  

We’ll show you how to spot security risks fast with employee profiling! SEE THE DEMO>>

Frequent Flyers May Be Packing Disaster 

Researchers also noted that phishing emails are one-fifth more likely to take a circuitous path to their target. In their sample, about 60% of the phishing emails that they studied had traversed through two or fewer countries before arriving at their final destination. In contrast, 80% of benign emails had made their way to the target through two or fewer countries, including messages rife with ransomware. This indicates that a good feature for a phishing detection classifier could be to look at the number of distinct countries an email passes through before it arrives in an employee inbox, and if that number is high, that message may not be legitimate. 

Another telling clue could be the cloud provider. In the study, researchers noted that some of the highest volume phishing attacks and messages that have a high phishing probability are originating from just a few less well-known networks belonging to cloud service providers that don’t handle a high email volume. Those providers include LayerHost, Rackspace and Salesforce. Their networks have a much lower volume of total email traffic than the top three networks, but they are the point of origin for a significant amount of phishing email – which translates into a much higher probability of an email originating from their networks being malicious or carrying ransomware

What’s next in phishing? Find out in the 2021 State of Email Security Report! GET IT NOW>>

You Don’t Need to Remember These Details if You Have Graphus  

Why spend time hunting down the origin points of suspicious messages or trying to remember which cloud providers top the danger lists? When you have Graphus on the job, you don’t have to worry about keeping track of details like that. Smart, logical Graphus does it for you using a patented algorithm and more than 50 points of comparison to examine an email inside and out. Sophisticated, socially engineered phishing messages don’t stand a chance. Instead of just comparing origin points and senders against static “safe” lists, this antiphishing powerhouse learns your organization’s communication patterns to spot and stop 40% more phishing email than its competition.  

Graphus does it all with much less fuss too. Don’t spend hours configuring and updating an old-fashioned SEG or other conventional phishing solution when you can quickly, efficiently put Graphus to work for your business in minutes. Plus, it doesn’t need human intervention to find new risks and gain new threat intelligence. Graphus gathers its own threat intelligence as it processes messages. And it never stops learning to refine your company’s protection perfectly as you grow. The best part? All of these benefits happen automatically after a simple installation process. In just a few clicks, anyone can get Graphus online to protect their organization – even a CEO.    

Contact our experts today to set up a personalized demo and see how Graphus can benefit your business.   

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.
Get a Demo of Graphus