Phish Lure

Phishing Landscape 2020: A Study of the Scope and Distribution of Phishing

Interisle Consulting Group has published a new research report, Phishing Landscape 2020: A Study of the Scope and Distribution of Phishing.

The report can be found at and I’ve posted a blog at with personal insights.

Our goal in this study was to capture and analyze a large set of information about phishing attacks, to better understand how much phishing is taking place and where it is taking place, and to see if the data suggests better ways to fight phishing. We studied where phishers are getting the resources they need to perpetrate their crimes — where they obtain domain names, and what web hosting is used. This analysis can identify where additional phishing detection and mitigation efforts are needed and can identify vulnerable providers.

To assemble a deep and reliable set of data, we collected URLs, domain names, IP addresses, and other data about phishing attacks from four widely used and respected threat data providers: the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. (We greatly appreciate the cooperation from these providers).

Over a three-month collection period, we learned about more than 100,000 newly discovered phishing sites.

Our major findings and conclusions are based on the data we collected:

  1. Most phishing is concentrated at small numbers of domain registrars, domain registries, and hosting providers.
  2. Phishers themselves register more than half of the domain names on which phishing occurs.
  3. Domain name registrars and registry operators can prevent and mitigate large amounts of phishing by finding and suspending maliciously registered domains.
  4. Registries, registrars, and hosting providers should focus on both mitigation and prevention.
  5. The problem of phishing is bigger than is reported, and the exact size of the problem is unknown.
  6. Sixty-five percent of maliciously registered domain names are used for phishing within five days of registration.
  7. New top-level domains introduced since 2014 account for 9% of all registered domain names, but 18% of the domain names used for phishing.
  8. About 9% of phishing occurs at a small set of providers that offer subdomain services.