Phishing Landscape 2023

A Study of the Scope and Distribution of Phishing

Phishing defrauds millions of Internet users every year. Phishing attacks deceive victims with web sites that appear to be run by a trusted entity, such as a bank or a merchant, but are in fact controlled by a criminal. The phishing page is designed to persuade a victim to provide information that the phisher can use to steal money directly or obtain credentials that can be sold to other criminals.

For this 2023 study, we collected six million phishing reports from 1 May 2022 to 30 April 2023 from four widely used and respected threat intelligence providers: the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. From that data we identified more than 1.8 million unique phishing attacks.

Among the major findings….

New gTLDs represent only 8% of registered domain names worldwide but 25% of domains used for phishing. Year after year, just 25 new gTLDs account for 90% of all new gTLD phishing domains.

We analyzed more than 11 million phishing reports collected over a three-year period, from 1 May 2020 to 30 April 2023. We added triennial measurements and analyses so that we could consider questions such as: “How has phishing evolved over a three-year period?” and “Are phishers doing business at the same registry, registrar, or web hosting services year after year?”

Freenom’s demise redefined the phishing landscape

Phishing in the Freenom ccTLDs (.TK, .ML, .GA, .CF, and .GQ) was extensive for many years, because the domain names were free and Freenom anti-abuse measures were ineffective. In past years Freenom domains were used for 14% of all phishing attacks worldwide, and Freenom was responsible for 60% of the phishing domains reported in all the ccTLDs in November 2022. 

Freenom stopped offering registrations in January 2023, and its ccTLDs ceased to be a resource for new phishing domains.

You may read an Executive Summary of the Report or the complete Report at Interisle.net.