September 15, 2014 By Douglas Bonderud 2 min read

PayPal is big business. According to Statistic Brain, the financial transaction site processes over $315 million in payments per day, serves over 106 million users across 340,000+ websites and represents 18 percent of all e-commerce traffic. So, it’s no surprise that cybercriminals are trying to hook unwary customers with financial phishing. More worrisome, however, is that they’re succeeding.

Financial Phishing

A recent article from Tripwire’s The State of Security reports that phishing emails targeting financial services such as PayPal increased by 8 percent this July. The result: 42 percent of all spam emails now target payment sites. But how do cybercriminals convince users to give up their access information?

It starts with messages from legitimate-looking email addresses. Gone are the days of strange symbols and misspelled words — these addresses are almost identical to those of trusted companies. The content of these emails has also evolved: Brand logos have been lifted, as have familiar colors and fonts.

Typically, this type of financial phishing mail offers “warnings” to consumers, claiming unauthorized activity has been detected or funds will be frozen unless they take immediate action to confirm their identity. The confirmation method? Occasionally it’s an attachment, but because many users have grown wise to this technique, the preferred method is now a link.

Consumers click and are taken to a near-perfect replica of PayPal or their bank of choice. Once they’ve entered login and password details, the system encounters an “error” and — yank! — the fraudster reels in the catch.

Poor Performance

Recent research from McAfee Labs indicates that 80 percent of all subjects tested failed to recognize at least one in every seven phishing emails. The security firm found that the most effective way to blunt user suspicion was through spoofed email addresses; the two test emails using this technique were missed by 63 and 47 percent of employees, respectively.

McAfee also discovered that financial phishing attacks “were using social media as a launch pad.” By leveraging content management and delivery technologies, it’s now possible for hackers to “see” the type of device used by an employee and then customize a phishing attack. The problem is clearly widespread; even PayPal has created a “Fight Phishing” challenge, which consists of five true-or-false questions about email content.

Unfortunately, these efforts don’t always work. According to a Bank Info Security article, it’s suspected that internal assets of JPMorgan Chase have come under attack via a phishing scam. Recently, the bank’s customers were targeted with a consumer-level phishing scam, and CEO John LaCour of security firm PhishLabs says it’s possible that an employee of the bank was also fooled or was compromised via a customer — bad news either way.

Getting Out of the Water

There are several ways to combat financial phishing emails. The first is avoiding the temptation to “name and shame,” or call out specific employees when a breach happens. While singling out the individual will provide some closure, it’s best done in private, not public; the goal is to improve policy and educate employees, not discourage them from reporting potential issues.

Perhaps the most effective method is simply getting out of the water. In other words, train employees to never respond from within the body of an email. This is the cybercriminal’s wading pool, littered with glittering hooks. Instead, always navigate to financial sites directly, and never reply to emails asking for a username or password.

Financial phishing is on the rise as criminals continue to target high-profile sites like PayPal. If you want employees to stay off the hook, get them out of the pool.

Image Source: Flickr

More from News

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today