Q2 2024 Statistics and Analysis on Smishing Threats
Overview
AhnLab uses machine learning to detect phishing messages and carries out analysis and response work on them. This report presents statistics on the smishing messages detected during the second quarter of 2024, along with an extensive analysis.
During this period, certain types of phishing attacks increased, including those using the guise of public offerings, short-term & part-time work, and government subsidies. Other types decreased, including those disguised as wedding invitations, those using the guise of false payments, those impersonating family members, credit card companies, and public institutions, and those disguised as obituary notices.
The phishing messages included in this analysis are all malicious messages detected and collected by AhnLab products during the aforementioned period. Phishing refers to attacks that attempt to unlawfully obtain sensitive information such as passwords and credit card information from people by pretending to be from generally trusted sources. Smishing attacks covered in this report are a type of phishing using SMS messages that have been rapidly increasing over the past few years.
Past phishing attacks usually involved text messages including website links to phishing sites, luring recipients to visit them. However, as people became more cautious about clicking URLs in messages, threat actors gradually began diversifying their tactics. According to statistics for Q2, smishing attacks through KakaoTalk made up the highest portion at 39.6%, followed by attacks through URLs at 27.3% and attacks using the phone at 27.1%. Attacks through SMS were the least observed type at 1.5%. This means that smishing through KakaoTalk has risen to become a new major threat and users must be particularly cautious against attacks through messaging apps.
Analysis
Phishing Message Statistics in Q2 2024
An analysis of phishing messages collected in Q2 2024 is shown below. Out of the various types of smishing attacks (see Figure 1), those using the guise of public offering stocks were the most prominent, making up 31.8% of the whole. They were followed by those using the guise of short-term & part-time work at 18.3% and those impersonating institutions at 12.6%. The remaining types, in order, were those impersonating credit card companies (11.6%), disguised as obituary notices (9.2%), using the guise of government subsidies (8.6%), impersonating family members (4.2%), disguised as false payment notices (3.4%), and others (0.3%).
The types that increased in comparison to Q1 2024 were those using the guise of stocks for public offerings, short-term & part-time work, and government subsidies, showing an increase of 136%, 41%, and 3% respectively. On the other hand, those masquerading as delivery services, public institutions, family members, obituary notices, credit card companies, false payment notices, and wedding invitations showed decreases of 26%, 30%, 41%, 47%, 53%, 60%, and 97% respectively.

Figure 1. Phishing message statistics by type in Q2 2024
Messages using the guise of stocks for public offerings offer pre-listing stocks at low prices and lure the recipient to a fraudulent website where they are prompted to make a cash deposit. Messages using the guise of short-term & part-time work promise high income and scam the recipient by luring them to initiate contact via KakaoTalk. Messages impersonating institutions appear to come from actual public organizations and lead the recipient to a phishing website or attempt to extort personal information. Messages masquerading as credit card companies use content related to card issuance or payment approval to induce victims to call a voice phishing organization posing as a customer call center, which then attempts to steal information. Messages disguised as obituary notices ask the recipient to attend the funeral and lure them into clicking a URL, also aiming to steal information. Those using the guise of government subsidies prompt the user to call or add a KakaoTalk friend on the pretext of loan approval. Messages impersonating family members fake emergency situations and request personal information or prompt the victim to install a remote control app. Messages disguised as false payment notices use a fake payment alert to lure the victim into calling a fake customer center. Other phishing messages include those disguised as wedding invitations and those masquerading as delivery services. Details are given in the cases by phishing message type.
An analysis of phishing message data collected during Q2 2024 showed that the distribution of phishing attacks by industry is as shown in Table 1. Attacks impersonating public institutions were the most prominent at 23.0%, followed by those related to financial industry services at 16.8%, and attacks impersonating shopping malls at 5.1%.
| | Industry | Percentage |
|---|---|---|
| 1 | Institutions | 23.0% |
| 2 | Finance | 16.8% |
| 4 | Shopping mall | 5.1% |
| 5 | Parcel service | 0.4% |
| 6 | Others | 54.7% |
Table 1. Phishing message statistics by industry in Q2 2024
A detailed examination of the financial sector showed that Shinhan Card was the most impersonated at 10.3%, followed by Samsung Card and Kookmin Card at 9.5% and 8.0% respectively. “Others” takes up a large portion, showing that there are frequent attacks using messages related to the financial industry without directly impersonating a certain bank or credit card company. Examples of these are given in cases by phishing message type.
| | Company | Percentage |
|---|---|---|
| 1 | Shinhan Card | 10.3% |
| 2 | Samsung | 9.5% |
| 3 | Kookmin Card | 8.0% |
| 4 | Woori Card | 6.2% |
| 5 | Shinhan Bank | 0.5% |
| 6 | Nonghyup Bank | 0.2% |
| 7 | Lotte Card | 0.2% |
| 8 | Kookmin Bank | 0.1% |
| 9 | IBK Bank | 0.1% |
| 10 | Hyundai Card | 0.1% |
| 11 | Others | 64.7% |
Table 2. Phishing message statistics by financial company in Q2 2024
In smishing activities related to government organizations, the most frequently impersonated were the Korea Environment Corporation at 50.9%, the Korea Customs Service at 27.4%, and the National Police Agency at 15.5%. The data show that attacks using the guise of the National Police Agency and the National Health Insurance Service are being launched constantly and frequently.
| | Institution | Percentage |
|---|---|---|
| 1 | Korea Environment Corporation | 50.9% |
| 2 | Korea Customs Service | 27.4% |
| 3 | National Police Agency | 15.5% |
| 4 | National Health Insurance Service | 6.2% |
Table 3. Phishing message statistics by institution in Q2 2024
An examination of the logistics sector showed that messages impersonating CJ Logistics made up 45.4%, Coupang 11.8%, and Logen 11.2%, making up the top 3. This shows that the threat actors are scamming victims using widely-known delivery service brands.
| | Delivery Service | Percentage |
|---|---|---|
| 1 | CJ Logistics | 45.4% |
| 2 | Coupang | 11.8% |
| 3 | Logen | 11.2% |
| 4 | Korea Postal Service | 9.2% |
| 5 | Hanjin | 0.7% |
| 6 | Lotte Global Logistics | 0.7% |
| 7 | Others | 21.1% |
Table 4. Phishing message statistics by delivery service in Q2 2024
Lastly, an analysis of phishing methods revealed that attacks using KakaoTalk were the most common at 39.6%, followed by those using URL (27.3%), those using calls (27.1%), and those using SMS (1.5%). The data imply that smishing attacks using KakaoTalk are mainstream.
| | Phishing Method | Percentage |
|---|---|---|
| 1 | KakaoTalk | 39.6% |
| 2 | URL | 27.3% |
| 3 | Phone | 27.1% |
| 4 | SMS | 1.5% |
| 5 | Others | 4.5% |
Table 5. Phishing method statistics in Q2 2024