Every day, we are bombarded with emails, messages and notifications from all corners of the internet. The average person receives 46 push notifications, 121 emails and 94 text messages every day — it’s no wonder we are all seeking digital detox.

The difficulty is in applying perfect discernment to each and every message we receive, weighing up whether we need to respond and making sure it’s not a fraudster attempting to swindle us. This means checking that an email address hasn’t been spoofed, making sure that there aren’t odd characters in the URL of a login page, looking up whether the tax authorities send communications via SMS — unfortunately, not everyone has the energy, capability or attention span to be able to do so. It’s the reason phishing has become such a pervasive threat.

It also doesn’t help that phishing is generally thought of as an email-specific problem. The reality is that 87% of phishing attacks take place outside of email. Phishing is continually evolving. When one tactic declines in effectiveness, new ones emerge, which is why it’s so important for businesses to be aware of the latest phishing techniques.

Here are some key phishing trends for 2020:

1. SSL phishing

HTTPS was once touted as a way for internet users to determine the legitimacy of a website. But, like many things on the internet, this trust signal has been eroded by the various services that now provide free SSL/TLS certificates.

According to the Anti-Phishing Working Group (APWG), 58% of phishing sites make use of HTTPS, and our own research shows that 60% of phishing attacks on mobile occur over HTTPS.

The padlock symbol can no longer be considered the marker of a safe site.

2. The use of punycode

7% of mobile phishing attacks now contain punycode. Punycode converts domain names that use Unicode characters (from scripts like Cyrillic, Greek and Hebrew, for example) into an ASCII representation that the Domain Name System can handle. Although this is a threat understood by the security community, it’s not one that the wider public is generally aware of.

The link below looks like the domain for American Express, but there is one subtle difference.


The ‘i’ is actually the Unicode character ‘í’. It’s easy to see how this can be missed, particularly on the smaller screens of smartphones.

Ideally, domain registrars wouldn’t let these lookalike domains be registered, but this would have to be universally adopted by all registrars, which it is not, and probably never will be, as there is always going to be a market for lookalike domains.

Browsers have considered using Internationalized Domain Name (IDN) policies to put protective mechanisms in place. This is by no means bulletproof, as vendors need to consider user experience for an international audience that uses other alphabets.
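
As an added illustration (not part of the original article or any Wandera product), the Python sketch below shows how a link filter could decode punycode labels in a URL's hostname and flag the non-ASCII characters hiding behind them. The sample hostname is constructed on the reserved `.example` domain, and the names `decode_label` and `inspect_host` are hypothetical.

```python
import unicodedata
from urllib.parse import urlsplit

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding the xn-- (ACE) prefix."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:
            return label  # not valid punycode: report the label unchanged
    return label

def inspect_host(url):
    """Decode the hostname of a URL and list any non-ASCII characters in it."""
    host = urlsplit(url).hostname or ""
    unicode_host = ".".join(decode_label(part) for part in host.split("."))
    non_ascii = [(ch, unicodedata.name(ch, "UNKNOWN"))
                 for ch in unicode_host if ord(ch) > 127]
    # Strip accents (NFKD, then drop combining marks) to show which plain
    # ASCII name the host imitates. This folds accented Latin letters only;
    # cross-script homoglyphs (e.g. Cyrillic) need a confusables table.
    skeleton = "".join(c for c in unicodedata.normalize("NFKD", unicode_host)
                       if not unicodedata.combining(c))
    return {
        "host": host,
        "unicode_host": unicode_host,
        "non_ascii": non_ascii,
        "skeleton": skeleton,
        "suspicious": bool(non_ascii),
    }

# Constructed sample: the lookalike described above, placed on the reserved
# .example domain and converted to its on-the-wire punycode form.
SAMPLE_URL = ("https://"
              + "amer\u00edcanexpress.example".encode("idna").decode("ascii")
              + "/login")

if __name__ == "__main__":
    report = inspect_host(SAMPLE_URL)
    print("on the wire :", report["host"])
    print("displayed as:", report["unicode_host"])
    print("imitates    :", report["skeleton"])
    for ch, name in report["non_ascii"]:
        print(f"non-ASCII   : {ch!r} U+{ord(ch):04X} {name}")
```

A filter would compare the `skeleton` value against the organisation's list of protected brand domains and treat a match with a non-empty `non_ascii` list as a lookalike.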

3. Big brand phishing

It’s easy to understand why big brands are used for phishing campaigns. If Amazon tells you your account has been hacked, you’re going to act quickly. Just in terms of reach and probabilities, it’s far more likely you’ll be the customer of a big brand rather than an independent.

Our Threat Research team identified the top brands used in phishing campaigns, with the top three being Apple, PayPal and RuneScape. You can see the full list in our Mobile Threat Landscape Report.

The danger for businesses is that, according to the APWG, SaaS and webmail phishing surpassed payment phishing for the first time at the start of 2019 and has remained the biggest target for phishers. For companies that are moving to cloud services like G Suite or Office 365, it’s important to be mindful that these services are becoming increasingly targeted by phishers.

There are some basic rules of thumb users can follow to protect themselves against phishing attacks. However, there is such a breadth of tactics used in delivery that attacks are not always easy to detect. Phishing campaigns pop up as quickly as they disappear, and they’re most dangerous in the zero-day period before security engines are able to detect them.

With phishing on the rise, according to Gartner, unless your business has a solution in place that is able to detect zero-day (unknown) phishing attacks across platforms, not just email, your employees will be left exposed to phishing threats. Wandera is a pioneer of zero-day phishing detection, and our Mobile Threat Defense solution blocks phishing attacks in real time, where they are most prevalent for your users.