Financial Phishing: Cybercriminals Bait PayPal Users
PayPal is big business. According to Statistic Brain, the financial transaction site processes over $315 million in payments per day, serves over 106 million users across 340,000+ websites and represents 18 percent of all e-commerce traffic. So, it’s no surprise that cybercriminals are trying to hook unwary customers with financial phishing. More worrisome, however, is that they’re succeeding.
A recent article from Tripwire’s The State of Security reports that phishing emails targeting financial services such as PayPal increased by 8 percent this July. The result: 42 percent of all spam emails now target payment sites. But how do cybercriminals convince users to give up their access information?
It starts with messages from legitimate-looking email addresses. Gone are the days of strange symbols and misspelled words — these addresses are almost identical to those of trusted companies. The content of these emails has also evolved: Brand logos have been lifted, as have familiar colors and fonts.
Typically, this type of financial phishing mail offers “warnings” to consumers, claiming unauthorized activity has been detected or funds will be frozen unless they take immediate action to confirm their identity. The confirmation method? Occasionally it’s an attachment, but because many users have grown wise to this technique, the preferred method is now a link.
Consumers click and are taken to a near-perfect replica of PayPal or their bank of choice. Once they’ve entered login and password details, the system encounters an “error” and — yank! — the fraudster reels in the catch.
Recent research from McAfee Labs indicates that 80 percent of all subjects tested failed to recognize at least one in every seven phishing emails. The security firm found that the most effective way to blunt user suspicion was through spoofed email addresses; the two test emails using this technique were missed by 63 and 47 percent of employees, respectively.
McAfee also discovered that financial phishing attacks “were using social media as a launch pad.” By leveraging content management and delivery technologies, it’s now possible for hackers to “see” the type of device used by an employee and then customize a phishing attack. The problem is clearly widespread; even PayPal has created a “Fight Phishing” challenge, which consists of five true-or-false questions about email content.
Unfortunately, these efforts don’t always work. According to a Bank Info Security article, it’s suspected that internal assets of JPMorgan Chase have come under attack via a phishing scam. Recently, the bank’s customers were targeted with a consumer-level phishing scam, and CEO John LaCour of security firm PhishLabs says it’s possible that an employee of the bank was also fooled or was compromised via a customer — bad news either way.
Getting Out of the Water
There are several ways to combat financial phishing emails. The first is avoiding the temptation to “name and shame,” or call out specific employees when a breach happens. While singling out the individual will provide some closure, it’s best done in private, not public; the goal is to improve policy and educate employees, not discourage them from reporting potential issues.
Perhaps the most effective method is simply getting out of the water. In other words, train employees to never respond from within the body of an email. This is the cybercriminal’s wading pool, littered with glittering hooks. Instead, always navigate to financial sites directly, and never reply to emails asking for a username or password.
Financial phishing is on the rise as criminals continue to target high-profile sites like PayPal. If you want employees to stay off the hook, get them out of the pool.
Image Source: Flickr