Phishing remains a surprisingly effective method of spreading malware. That’s despite our collective awareness of what constitutes a phishing scam and having learned not to click on links or open attachments without verifying their legitimacy first. But we also know that the scammers have gotten very good at their phishing business, and sometimes a scam is so well done that it fools even the best of us.
However, the scammers do have their preferred targets, and according to research from Kaspersky Lab, almost one third of all phishing attacks imitated financial services: banks, online stores like Amazon, and e-payment services like PayPal. That makes sense; cybercriminals go after the credentials and numbers that convert directly into money, like online banking logins, account numbers and credit card details. The report also found that:
- 22.2 percent of all attacks involved fake bank websites;
- the share of banking phishing doubled compared with 2012; and
- 59.5 percent of banking phishing attacks exploited the names of just 25 international banks. The rest of the attacks used the names of more than 1,000 other banks.
And yet, the financial industry isn’t the top target in phishing scams. That dubious honor goes to social media. As an article in CSO stated:
Social networks were the top Phishing target in 2013, with nearly 36 percent of the overall volume, which makes sense given that those attacks often have a goal of propagation. If a person's social presence is compromised, then their friends and any associated accounts (especially if they recycle passwords), such as email, are likely to fall too.
If you use a computer, at some point you have received a phishing email. I received a dozen this work week, including several that involved problems with my credit card and warnings that someone was trying to log on to my account, so I had better click on the enclosed link and reset my password. (Um, no.) I’ve also gotten a couple of emails telling me that an invoice was incorrect and that if I wanted to get paid, I needed to fix it. The “invoice” was a malicious file (my security software caught that one instantly).
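Both lures above, the “reset your password” link and the “invoice” attachment, leave mechanical traces that can be checked before anyone clicks. The following is an added example, not code from the original post: it builds a constructed message that imitates both lures (every domain, address and filename in it is hypothetical) and flags a link whose visible text and real target disagree, a target host that embeds the sender’s domain as a lookalike, and an attachment whose extension is executable or doubled.

```python
"""Triage checks for two common phishing lures. Added example; all domains,
addresses and filenames below are constructed and hypothetical."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment extensions that should never arrive as an "invoice".
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
             ".lnk", ".iso", ".docm", ".xlsm"}
# Does a piece of link text look like a hostname rather than a phrase?
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def registrable(host: str) -> str:
    """Crude registrable-domain guess: the last two labels. A production check
    would consult the public suffix list (co.uk etc.); enough for this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(s: str) -> str:
    """Hostname of a URL, or of bare text such as 'www.example.com'."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(msg: EmailMessage) -> list:
    sender_domain = registrable(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())
    findings = []
    for href, text in parser.links:
        target, shown = host_of(href), host_of(text)
        # Visible text names one site while the href goes somewhere else.
        if HOST_RE.match(shown) and registrable(shown) != registrable(target):
            findings.append(f"link text shows {shown} but points to {target}")
        # Target is not the sender's domain yet embeds it (lookalike host).
        if target and registrable(target) != sender_domain and sender_domain in target:
            findings.append(f"lookalike host {target} embeds {sender_domain}")
    return findings


def attachment_findings(msg: EmailMessage) -> list:
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = re.findall(r"\.[a-z0-9]+", name.lower())
        if exts and exts[-1] in RISKY_EXT:
            findings.append(f"executable attachment: {name}")
        if len(exts) >= 2:
            findings.append(f"double extension: {name}")
    return findings


def triage(msg: EmailMessage) -> list:
    return link_findings(msg) + attachment_findings(msg)


def build_sample() -> EmailMessage:
    """Constructed message imitating both lures (hypothetical names only)."""
    msg = EmailMessage()
    msg["From"] = "Example Bank Security <alerts@example-bank.com>"
    msg["To"] = "finance@example.org"
    msg["Subject"] = "Someone tried to log in to your account"
    msg.set_content(
        '<p>We blocked a sign-in attempt. Reset your password at '
        '<a href="http://example-bank.com.login-verify.example/reset">'
        'https://www.example-bank.com/reset</a></p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00 not really a program", maintype="application",
                       subtype="octet-stream", filename="Invoice_2931.pdf.exe")
    return msg


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("FLAG:", finding)
```

Run as a script it prints four flags for the constructed message: the visible URL and the real target disagree, the target host embeds the sender’s domain as a lookalike, and the “invoice” carries both an executable and a double extension. The registrable-domain helper deliberately ignores the public suffix list, so treat this as a triage heuristic for a mailbox or gateway rule, not as a verdict.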
I knew enough not to click on the links, and my security software also did its job on an email that got past my spam filters. However, when someone fooled by a phishing scheme does make the mistake and clicks on the wrong thing, it can be financially devastating, as an eSecurity Planet article reported. When a British school’s finance staff saw an email they thought was from the school’s bank, they provided all of the information the note requested. Soon after, more than a million dollars disappeared from the school’s bank account.
No one can afford to lose that kind of money, of course. But you also have to stop and think: how certain are you that one of your employees won’t make the same kind of mistake?