
Consumer Affairs

New Phishing Attacks Target Specific Individuals



A new type of phishing attack uses stolen consumer data to invade customer bank accounts. Web security firm Cyota calls it "personalized phishing." It involves an organized gang of fraudsters using stolen information to target accountholders by name, scheming to lure individuals into divulging additional sensitive information.

Unlike a typical phishing attack, where fraudsters send out hundreds of thousands of e-mails and hope for the best results possible, personalized phishing attacks target individual named accountholders at specific banks.

To achieve maximal effectiveness, the fraudsters use real stolen information about the accountholder, such as the person's name, e-mail address, correct full account number, and other bank information, to make the e-mail look more legitimate and give the accountholder a false sense of security.

The motive behind this sophisticated fraud is to enhance existing lists of stolen credentials with even more sensitive information not yet possessed by the fraudsters, such as ATM PIN numbers or credit card CVV codes. These complete sets of credentials have a much higher resale value among the online fraud communities than just the names and account numbers.

"Personalized phishing dramatically increases the chances of accountholders responding to the attack and, if successful, provides fraudsters with even more valuable information that allows them to conduct extensive fraud," said Amir Orad, executive vice president of marketing at Cyota.

"This highly coordinated, two-phase fraud attack demonstrates the lengths that fraudsters will go to maintain a high rate of success, and the need for constant innovation among banks and their security providers to match the continuing evolution of online threats," he said.

Cyota advises that consumers who get an e-mail from a bank or online merchant requesting personal or account information not click on any link within the e-mail, but instead go directly to the site to verify the request or complete the transaction.

Cyota provides online security and anti-fraud solutions for financial institutions.
