September 15, 2014 By Douglas Bonderud 3 min read

PayPal is big business. According to Statistic Brain, the financial transaction site processes over $315 million in payments per day, serves over 106 million users across 340,000+ websites and represents 18 percent of all e-commerce traffic. So, it’s no surprise that cybercriminals are trying to hook unwary customers with financial phishing. More worrisome, however, is that they’re succeeding.

Financial Phishing

A recent article from Tripwire’s The State of Security reports that phishing emails targeting financial services such as PayPal increased by 8 percent this July. The result: 42 percent of all spam emails now target payment sites. But how do cybercriminals convince users to give up their access information?

It starts with messages from legitimate-looking email addresses. Gone are the days of strange symbols and misspelled words — these addresses are almost identical to those of trusted companies. The content of these emails has also evolved: Brand logos have been lifted, as have familiar colors and fonts.

Typically, this type of financial phishing mail offers “warnings” to consumers, claiming unauthorized activity has been detected or funds will be frozen unless they take immediate action to confirm their identity. The confirmation method? Occasionally it’s an attachment, but because many users have grown wise to this technique, the preferred method is now a link.

Consumers click and are taken to a near-perfect replica of PayPal or their bank of choice. Once they’ve entered login and password details, the system encounters an “error” and — yank! — the fraudster reels in the catch.

Poor Performance

Recent research from McAfee Labs indicates that 80 percent of all subjects tested failed to recognize at least one in every seven phishing emails. The security firm found that the most effective way to blunt user suspicion was through spoofed email addresses; the two test emails using this technique were missed by 63 and 47 percent of employees, respectively.

McAfee also discovered that financial phishing attacks “were using social media as a launch pad.” By leveraging content management and delivery technologies, it’s now possible for hackers to “see” the type of device used by an employee and then customize a phishing attack. The problem is clearly widespread; even PayPal has created a “Fight Phishing” challenge, which consists of five true-or-false questions about email content.

Unfortunately, these efforts don’t always work. According to a Bank Info Security article, it’s suspected that internal assets of JPMorgan Chase have come under attack via a phishing scam. Recently, the bank’s customers were targeted with a consumer-level phishing scam, and CEO John LaCour of security firm PhishLabs says it’s possible that an employee of the bank was also fooled or was compromised via a customer — bad news either way.

Getting Out of the Water

There are several ways to combat financial phishing emails. The first is avoiding the temptation to “name and shame,” or call out specific employees when a breach happens. While singling out the individual will provide some closure, it’s best done in private, not public; the goal is to improve policy and educate employees, not discourage them from reporting potential issues.

Perhaps the most effective method is simply getting out of the water. In other words, train employees to never respond from within the body of an email. This is the cybercriminal’s wading pool, littered with glittering hooks. Instead, always navigate to financial sites directly, and never reply to emails asking for a username or password.

Financial phishing is on the rise as criminals continue to target high-profile sites like PayPal. If you want employees to stay off the hook, get them out of the pool.

Image Source: Flickr

More from

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today