September 15, 2014 By Douglas Bonderud 3 min read

PayPal is big business. According to Statistic Brain, the financial transaction site processes over $315 million in payments per day, serves over 106 million users across 340,000+ websites and represents 18 percent of all e-commerce traffic. So, it’s no surprise that cybercriminals are trying to hook unwary customers with financial phishing. More worrisome, however, is that they’re succeeding.

Financial Phishing

A recent article from Tripwire’s The State of Security reports that phishing emails targeting financial services such as PayPal increased by 8 percent this July. The result: 42 percent of all spam emails now target payment sites. But how do cybercriminals convince users to give up their access information?

It starts with messages from legitimate-looking email addresses. Gone are the days of strange symbols and misspelled words — these addresses are almost identical to those of trusted companies. The content of these emails has also evolved: Brand logos have been lifted, as have familiar colors and fonts.

Typically, this type of financial phishing mail offers “warnings” to consumers, claiming unauthorized activity has been detected or funds will be frozen unless they take immediate action to confirm their identity. The confirmation method? Occasionally it’s an attachment, but because many users have grown wise to this technique, the preferred method is now a link.

Consumers click and are taken to a near-perfect replica of PayPal or their bank of choice. Once they’ve entered login and password details, the system encounters an “error” and — yank! — the fraudster reels in the catch.

Poor Performance

Recent research from McAfee Labs indicates that 80 percent of all subjects tested failed to recognize at least one in every seven phishing emails. The security firm found that the most effective way to blunt user suspicion was through spoofed email addresses; the two test emails using this technique were missed by 63 and 47 percent of employees, respectively.

McAfee also discovered that financial phishing attacks “were using social media as a launch pad.” By leveraging content management and delivery technologies, it’s now possible for hackers to “see” the type of device used by an employee and then customize a phishing attack. The problem is clearly widespread; even PayPal has created a “Fight Phishing” challenge, which consists of five true-or-false questions about email content.

Unfortunately, these efforts don’t always work. According to a Bank Info Security article, it’s suspected that internal assets of JPMorgan Chase have come under attack via a phishing scam. Recently, the bank’s customers were targeted with a consumer-level phishing scam, and CEO John LaCour of security firm PhishLabs says it’s possible that an employee of the bank was also fooled or was compromised via a customer — bad news either way.

Getting Out of the Water

There are several ways to combat financial phishing emails. The first is avoiding the temptation to “name and shame,” or call out specific employees when a breach happens. While singling out the individual will provide some closure, it’s best done in private, not public; the goal is to improve policy and educate employees, not discourage them from reporting potential issues.

Perhaps the most effective method is simply getting out of the water. In other words, train employees to never respond from within the body of an email. This is the cybercriminal’s wading pool, littered with glittering hooks. Instead, always navigate to financial sites directly, and never reply to emails asking for a username or password.

Financial phishing is on the rise as criminals continue to target high-profile sites like PayPal. If you want employees to stay off the hook, get them out of the pool.

Image Source: Flickr

More from

CISA warns about credential access in FY23 risk & vulnerability assessment

3 min read - CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations.Both reports shed light on the persistent and growing threat of credential…

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Trends: Hardware gets AI updates in 2024

4 min read - The surge in artificial intelligence (AI) usage over the past two and a half years has dramatically changed not only software but hardware as well. As AI usage continues to evolve, PC makers have found in AI an opportunity to improve end-user devices by offering AI-specific hardware and marketing them as "AI PCs."Pre-AI hardware, adapted for AIA few years ago, AI often depended on hardware that was not explicitly designed for AI. One example is graphics processors. Nvidia Graphics Processing…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today