eBay has fallen victim to a security breach, announcing last week that hackers infiltrated its systems in February or March and stole the customer names, passwords, email and physical addresses, phone numbers, and birth dates associated with “a large number of accounts.” eBay is recommending that customers change their passwords immediately.
But the potential fallout from the eBay hack is less about the passwords, which were encrypted, than about the other information that was stolen. Armed with names, email addresses and other personal information, the hackers can easily launch phishing attacks against the affected customers.
Phishing is a technique used by criminals to bait you into sharing sensitive corporate or personal information. Phishing started with phone scams, but has moved to the more lucrative waters of the Internet, where criminals can cast the widest possible net and lure the biggest catch.
Today, phishing occurs mostly through email, although instant messages, texts and social networking sites are popular avenues for attack. Usernames and passwords, financial account information, social security numbers and basic contact information are the most common targets of phishing attacks.
According to the CYREN Internet Threats Trend Report, phishing attacks aimed at PayPal users are the most prevalent, due to the wide acceptance of PayPal across the Internet and the ease with which funds can be transferred between accounts. (Ironically, PayPal is a wholly owned subsidiary of eBay.) The number of PayPal phishing attacks topped 1,300 a day in Q1 2014, a whopping 73 percent increase from 750 a day in Q4 2013.
Other top brands used to lure phishing email recipients are Apple, Poste Italiane, Barclays Bank, Battle.net and Sparkasse. However, organizations of all sizes are under siege.
Common phishing scams include:
- Phony requests to verify bank account or billing information
- Phony alerts of stolen credit cards or overdue payments
- Phony e-cards
- Phony job listings
- Phony prize-winning notifications
- Phony charities or political campaigns requesting donations
Phishers mimic logos and websites and pose as friends, business partners, clients, bank officials or IT staff. They often hook their targets by fooling people into clicking malicious links or opening attachments that silently install viruses and malware. These criminals can then use the compromised accounts to spread the misery to others.
There are simple ways to protect yourself and your business:
- Never email personal or financial data. Financial institutions will never request this information by email.
- Don’t click links or open attachments from unknown or suspicious senders, and don’t click suspicious links from anyone. Hover over the link to find out exactly where it will take you, or find a phone number directly from the source (not from the email) and verify the contents of the email.
- Never enter credit card or personal information unless the web address begins with https://. The “s” at the end means the data you enter will be encrypted in transit.
- Educate employees about what types of emails are dangerous.
- Make sure all security software is automatically updated.
- Use centralized management tools to monitor email threats and keep protections up to date.
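The "hover over the link" and "look for https://" checks above can be automated for a whole message. The following is an added example, not code from the original article: it parses the anchors in a constructed sample email, flags links whose visible text names one site while the href leads to another, flags raw-IP destinations, and flags plain-http destinations. The sample message, the `audit_links` function and its helper names are assumptions for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling an account-verification lure (not a real message).
SAMPLE_EMAIL = """<p>Dear customer, please verify your account at
<a href="http://198.51.100.7/ebay/login">https://www.ebay.com/signin</a>
or update your billing info via <a href="https://www.paypal.com/">PayPal</a>.</p>"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Host part of a URL or bare domain, lowercased ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def audit_links(html):
    """Return [(href, [reasons])] for every link that deserves suspicion."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons, actual = [], _host(href)
        # Visible text that looks like a URL/domain but leads elsewhere: what hovering reveals.
        if re.match(r"(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I) and _host(text) != actual:
            reasons.append(f"display text '{text}' does not match destination '{actual}'")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", actual):  # brand logins rarely sit on a bare IP
            reasons.append("destination is a raw IP address")
        # The article's https rule; https proves only transport encryption, not legitimacy
        # (phishing sites use it too), so treat it as one signal among several.
        if urlparse(href).scheme != "https":
            reasons.append("destination does not use https")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `audit_links(SAMPLE_EMAIL)` reports only the first link, with all three reasons; the PayPal link passes every check.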
Phishing attacks are reaching epidemic proportions. Make sure your security systems are working properly and your staff is using common sense and extra caution when checking email. Call Atlantic-IT.net, your outsourced IT department, for assistance.