Cybercriminals are expanding the types of organisations they exploit in phishing attacks, says the Anti-Phishing Working Group (APWG).
According to the group's 'Phishing Activity Trends Report' for Q4 of 2009, a record 356 brands were hijacked in phishing attacks during October last year, 4.4 percent up on the previous year.
"No brand is safe from the threat of spoofing for the purposes of online fraud," said APWG secretary general Peter Cassidy.
"Once, only the largest banks were targeted. Now, every kind of enterprise from banks and credit unions of all sizes to charities to, in a recent case, a hardware manufacturer, are now seeing their brands exploited in all manner of fraud scheme."
The APWG said the number of unique phishing reports dropped by nearly 29 percent from August 2008 to 28,897 reports in December 2009.
However, the APWG said there had been a substantial increase in phishing focused on individuals of high net worth.
"Spear-phishing and whale-phishing, where targeted individuals inside of corporations, or of high net worth, appears to be increasing," added APWG chairman Dave Jevans.
Jevans explained that phishers and malware attackers are sending emails to individuals in a highly targeted fashion, attempting to gain access to corporate online banking systems, corporate VPN networks, and other online resources.
"These attacks do not contribute significantly to the overall number of unique phishing emails that are sent, as they are not using broad-based spam. Rather, the attackers customise their email messages to target individual users," Jevans said.
Mel Morris, CEO of security firm Prevx, said that the use of the same logins and passwords across a variety of online accounts was one issue that had not been highlighted in the APWG's report.
"In our experience criminals will use a variety of techniques to acquire information and credentials such as logins, date of birth, mother's maiden name, social security numbers and a home address," said Morris.
"Like a simple jigsaw puzzle, once a few pieces of information have been gathered, the picture soon appears and criminals can easily fill in the gaps."
Morris explained that in this way criminals can quickly harness a PC user's identity, gaining access to online banking and ecommerce passwords or completely taking over their identity, credit cards and bank accounts.
"This is why security is now very much about completely protecting people's information, at all times, and on all websites."