Every month, almost 1.5 million new phishing websites are created. This is according to a new report by Webroot, showing just how big of an industry phishing really is.

The Webroot Quarterly Threat Trends Report says that 1.385 million new phishing sites are created every month. May was the busiest of them all, with 2.3 million sites created.

The report also says these sites are getting more sophisticated and harder to detect, while the goal always remains the same – to trick the unsuspecting visitor into giving away personal information.

The interesting thing about these sites is that they stay up very short – between four and eight hours. That way they’re avoiding getting tracked or blacklisted. “Even if the lists are updated hourly, they are generally 3–5 days out of date by the time they’re made available, by which time the sites in question may have already victimized users and disappeared,” the report says.

Company impersonation is still one of the main techniques, with Google, Chase, Dropbox, PayPal and Facebook being the biggest targets.

Phishing scams cost American businesses $500 million a year, the FBI says.

“Today’s phishing attacks are incredibly sophisticated, with hackers obfuscating malicious URLs, using psychology, and information gleaned from reconnaissance to get you to click on a link,” Hal Lonas, Chief Technology Officer, Webroot, commented.

“Even savvy cybersecurity professionals can fall prey. Instead of blaming the victim, the industry needs to embrace a combination of user education and organizational protection with real-time intelligence to stay ahead of the ever-changing threat landscape.”