New phishing scam gets personal |
 |
By Shawna McAlearney, News Editor
16 May 2005 | SearchSecurity.com |
|
|
A new, personalized phishing scam targeting customers of a number of leading banks is likely to be quite successful -- and may impact the bottom line of organizations that allow online transactions -- experts fear.
"A major impact of this scam could be loss of potential sales online," said Amir Orad, Cyota's executive vice president of marketing. "It will have an impact on the bottom line of every business that uses this channel of revenue."
Cyota Inc., which aids financial institutions with antifraud and online security measures, today announced it has detected a dangerous new phishing attack in which fraudsters are using stolen information to target account holders by name to lure them into divulging additional sensitive information.
According to the New York-based company, a merchant was the victim of a theft that
gave the attackers names, e-mail addresses and credit card numbers. Using this information, they sent out thousands of e-mails to individual customers, which appear to come from the actual bank that issued the credit card. It lists the card number and asks only for other information, such as a PIN, to create duplicate ATM cards. The victim's account is then cleaned out.
"While many phishing attacks have a 3% or 4% success rate on average, this one will be much higher," Orad said. "Once you get customer information, phishing becomes much easier. As more sensitive information becomes available through hacking, lost information and semi-legal transactions, it becomes harder to distinguish fraudulent communications from legitimate business ones."
Cyota said the motive behind this complex phishing scam is likely to "enhance existing lists of stolen credentials with even more sensitive information not yet possessed by the fraudsters, such as ATM PIN numbers or credit card CVD codes." In a statement, the company said, "These complete sets of credentials have a much higher resale value among the online fraud communities than just the names and account numbers."
A security manager at one financial firm declined to be named, but said that someone quite knowledgeable about banking must be involved in the scam. He believes that someone at a bank, credit card company or collections agency may be involved.
He added that though the group appears well organized, they aren't likely part of organized crime. "They know what to do, but don't have the resources of organized crime -- yet. If you had that kind of infiltration, why would you need to phish?"
Such phishing scams are difficult to defend against. Cyota recommends that if consumers get an e-mail from a bank or online merchant requesting personal or account information that they don't click on any link within the e-mail, but instead go directly to the site to verify the request or complete the transaction. Enterprises need to focus on user awareness and education to mitigate these scams.
|
|
|
|
