Go to listing page

Key Characteristics and Geographic Associations of Phishing Emails

Key Characteristics and Geographic Associations of Phishing Emails
A team of researchers analyzed the geography of phishing emails, along with the way they’re routed. Barracuda researchers teamed up with researchers from Columbia University to analyze the distribution of phishing emails across the world's geographies. For this study, the team examined more than 2 billion emails, along with 218,000 emails, sent in January last year.

Key findings

The team disclosed that phishing emails mostly originate from specific countries located in Central America, Eastern Europe, the Middle East, and Africa, and are routed through a higher number of locations.
  • The network infrastructure used to send phishing emails often belongs to large and legitimate cloud providers, such as Rackspace, Salesforce, Cherry Servers, LayerHost, and UnrealServers.
  • In phishing attacks, the attackers use social engineering to fool victims into giving up their personal information such as passwords, credit card numbers, usernames, or banking details.
  • While phishing detection methods are mostly aimed at the content of phishing emails and the behavior of attackers, complex phishing requires sophisticated or advanced methods to defend.

Other insights

Around 129,369 phishing emails were sent from the U.S., although the country only has a 0.02% probability of phishing attacks. Commonly, most of the countries had a phishing probability of 10% or less.
  • Over 80% of benign emails are routed via two or fewer countries and 60% of phishing emails routed via two or fewer countries.
  • High-volume phishing attackers (by network) have a high phishing probability and mostly belong to two cloud providers (Rackspace and Salesforce).

Recent phishing attack

There have been several incidents of cybercriminals targeting victims via phishing attacks.
  • Customers of stock-trading broker Robinhood were targeted with a phishing campaign, in which attackers attempted to steal credentials and spread malware using fake tax documents.
  • The Iranian threat actor TA453 was found using phishing campaign attacks to target senior medical professionals specialized in genetic, neurology, and oncology research in the U.S. and Israel.


The team of researchers has suggested several recommendations to protect against phishing attacks, such as implementing account-takeover protection and providing up-to-date user awareness training. In addition, deploying a reliable anti-spam and anti-phishing solution can help keep spam emails in check.
Cyware Publisher