September 15, 2014 By Douglas Bonderud 3 min read

PayPal is big business. According to Statistic Brain, the financial transaction site processes over $315 million in payments per day, serves over 106 million users across 340,000+ websites and represents 18 percent of all e-commerce traffic. So, it’s no surprise that cybercriminals are trying to hook unwary customers with financial phishing. More worrisome, however, is that they’re succeeding.

Financial Phishing

A recent article from Tripwire’s The State of Security reports that phishing emails targeting financial services such as PayPal increased by 8 percent this July. The result: 42 percent of all spam emails now target payment sites. But how do cybercriminals convince users to give up their access information?

It starts with messages from legitimate-looking email addresses. Gone are the days of strange symbols and misspelled words — these addresses are almost identical to those of trusted companies. The content of these emails has also evolved: Brand logos have been lifted, as have familiar colors and fonts.

Typically, this type of financial phishing mail offers “warnings” to consumers, claiming unauthorized activity has been detected or funds will be frozen unless they take immediate action to confirm their identity. The confirmation method? Occasionally it’s an attachment, but because many users have grown wise to this technique, the preferred method is now a link.

Consumers click and are taken to a near-perfect replica of PayPal or their bank of choice. Once they’ve entered login and password details, the system encounters an “error” and — yank! — the fraudster reels in the catch.

Poor Performance

Recent research from McAfee Labs indicates that 80 percent of all subjects tested failed to recognize at least one in every seven phishing emails. The security firm found that the most effective way to blunt user suspicion was through spoofed email addresses; the two test emails using this technique were missed by 63 and 47 percent of employees, respectively.

McAfee also discovered that financial phishing attacks “were using social media as a launch pad.” By leveraging content management and delivery technologies, it’s now possible for hackers to “see” the type of device used by an employee and then customize a phishing attack. The problem is clearly widespread; even PayPal has created a “Fight Phishing” challenge, which consists of five true-or-false questions about email content.

Unfortunately, these efforts don’t always work. According to a Bank Info Security article, it’s suspected that internal assets of JPMorgan Chase have come under attack via a phishing scam. Recently, the bank’s customers were targeted with a consumer-level phishing scam, and CEO John LaCour of security firm PhishLabs says it’s possible that an employee of the bank was also fooled or was compromised via a customer — bad news either way.

Getting Out of the Water

There are several ways to combat financial phishing emails. The first is avoiding the temptation to “name and shame,” or call out specific employees when a breach happens. While singling out the individual will provide some closure, it’s best done in private, not public; the goal is to improve policy and educate employees, not discourage them from reporting potential issues.

Perhaps the most effective method is simply getting out of the water. In other words, train employees to never respond from within the body of an email. This is the cybercriminal’s wading pool, littered with glittering hooks. Instead, always navigate to financial sites directly, and never reply to emails asking for a username or password.

Financial phishing is on the rise as criminals continue to target high-profile sites like PayPal. If you want employees to stay off the hook, get them out of the pool.

Image Source: Flickr

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today