Website attacks are increasing while phishing emails are declining.
In its report New Web Threats in 2009, MessageLabs has identified this change:
“…from email based criminal activity such as malicious spam and virus infiltration to sophisticated online web-based attacks which deliberately prey on unsuspecting victims who are unfamiliar with the new wave of internet based threats.”
According to IBM’s X-Force 2009 Mid-Year Trend and Risk Report, phishing attacks declined significantly in the first half of 2009. At the same time, online criminals are shifting to attacking websites instead.
“The decline in phishing and increases in other areas (such as banking Trojans) indicate the attackers may be moving their resources to other methods to obtain the gains that phishing once achieved.”
Avivah Litan, vice president and analyst at Gartner, has been quoted supporting IBM’s results.
“As a trend, cybercriminals are switching from [email] phishing to more ‘surreptitious’ malware attacks, she said. One reason for this shift is that email filtering mechanisms have been fairly successful at stopping the proliferation of phishing attacks. ‘We are hearing a lot more about malware and browser-based trojans than we are about phishing,’ Litan said.”
In its August report, Spam evolution: January – June 2009, Kaspersky Lab has also documented a progressive decline in the proportion of phishing-related email spam.
According to Kaspersky Lab, phishing emails accounted for just over 0.2% of email traffic in June – a major reduction from January, when they accounted for over 0.9%. Kaspersky Lab argues that, as anti-phishing software is now more effective in protecting users against phishing, cybercriminals are finding this tactic less attractive.
However, note: while the number of email-based phishing attacks may be declining, the overall volume of phishing activity may not be reducing. On 22 September, Cyveillance, a major cyber-security organisation, reported a significant increase in total phishing attacks over the previous three months when non-email channels are included. The company said that it is:
“…seeing a consistent increase in phishing attacks (176,864 over the past three months) with growth from areas outside traditional email spam; including social networking, voice and SMS texting.”

