Credit Unions, Smaller Institutions Now Phishing Targets

EBay and PayPal are no longer the primary targets of phishing emails; the phishers have cast their lures at customers of smaller businesses, including credit unions and other institutions, according to security vendor Sophos.

At this time last year, messages pretending to be from eBay or its payment arm PayPal made up about 85 percent of all phishing emails. In September, they accounted for 21 percent of the total, says Graham Cluley, senior technology consultant at Sophos. "That's an impressive turnaround by anyone's standards," says Cluley.

“The phishers are not turning away from their life of crime, however,” he says. “They are now turning to a bigger pool of potential victims.”

This is confirmation of earlier stories that phishers are beginning to aggressively target progressively smaller institutions. (See Related Stories: Smaller Institutions and Phishing: Don’t Be Complacent; Online Attacks Increase at Financial Institutions).

eBay and PayPal are less popular targets than they used to be in part because of online initiatives by those firms to educate their customers about phishing scams, and because of PayPal’s launch earlier in the year of its authentication token (see PayPal's demo of its token). The token lets customers who are concerned about becoming victims of fraud when using PayPal generate a password to get onto the payment site.

Phishers now bait unsuspecting recipients by spoofing small credit unions, other online retailers and overseas companies, says Cluley. He adds that the number of phishing attacks circulating has stayed relatively consistent over the past year, but phishers are now using these different tactics to try to fool recipients. He cautions that phishers are beginning to diversify, and any institution could be a target.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
