Yikes! Online phishing attacks up 297% over last year


There's no question that online shopping has continued to grow over the past few years, making it easy to order anything you like from practically wherever you like.

But what's not so convenient is the slew of cybercriminals who have come along for the ride to steal your data and charge your credit card for goods you'll never receive. 

As retailers increasingly focus on selling merchandise through a variety of online channels such as Facebook and SnapChat, fraudsters are discovering new avenues to lure in unsuspecting victims. 

"It is the most common way to obtain stolen credit-card numbers," said Itay Kozuch, director of threat research of IntSights, a cyber-risk analytics company. "Instagram has become one of the leading vehicles for fraudsters to execute phishing attacks, as it is still a relatively new and uncharted channel for merchants and therefore is an easy way to capitalize."

While phishing – illegally capturing passwords and credit-card numbers – is nothing new, an investigation set out to uncover just how severe the threat has gotten over the past year.

In a joint venture with Riskified, an eCommerce fraud-prevention company, IntSights collected data on hundreds of thousands of illegal online purchases. The companies found a 297 percent spike in the number of fake retail websites designed to phish for customer credentials when comparing July to September 2017 with the same period in 2018.

How do the scammers do it?

Most online retail fraud involves a simple two-step process:  First, steal credit-card information. Then, order goods from a retailer.  The retailer fulfills the order and gets stuck with the bill after the real owner of the credit card disputes the unauthorized transaction.  The bank reverses the charge.

“As eCommerce continues its explosive growth, fraud has followed suit, making it very difficult for merchants to distinguish good customers from bad actors,” said Eido Gal, CEO of Riskified.

Gal said that inefficient fraud prevention costs merchants billions of dollars each year.

Why are online retailers easy targets?

For one, there's an abundance of merchants to target, many of which have weak security, according to experts. The risk is relatively low, but the potential payout is high. If one doesn't work, scammers can just move on to the next. 

Fraud, scams and theft have always been challenging for brick-and-mortar stores to deal with. But eCommerce complicates the landscape since people can use an IP address from one country, pay with a credit card from another and have a shipping address virtually anywhere on the planet.

"People tend to have a heightened sense of fraud when dealing with a financial institution," cybersecurity expert John Sileo said. "That's why scammers are more likely to use a retailer. They are lower risk targets. You're less likely to grow suspicious."

The identity theft expert is CEO of Sileo Group, which provides data privacy training through seminars.

Also, these online tricksters often build authentic-looking websites to fool shoppers.

"Scammers can register a domain for pretty cheap that looks like some everyday retailers you might be familiar with," said Kevin Mitnick, a former computer criminal and founder of Mitnick Security Consulting.

"Today, if they wanted to look like J.C. Penney, they could purchase JCPenny.US.com for just $21," Mitnick said. 

How can I protect myself? 

"The first step is to be aware that these online attacks exist," Mitnick said. "Be extra cautious when you see a link. Have an extra healthy dose of paranoia. Stop, look and think before you click that link."

The experts also suggested using anti-virus products that can detect malicious websites, along with two-factor authentication. When two-factor authentication is enabled, a user will receive a special code sent to their mobile device once they've entered a password.

"Be aware of spear phishing," Sileo said.  Spear phishing is a tactic used to trick the target into giving even more information.

"They might say they have your password so you trust them," Sileo said. "But it is just bait."
