Phishers Are Zeroing in on Executives with Treasury Responsibility

Online criminals are broadcasting fewer scam e-mails but are zeroing in on more individuals who have substantial assets to protect or who have access to companies' or financial institutions' money-movement capability, according to the latest report on phishing from the Anti-Phishing Working Group. The report also indicates that merchants, banks, and other companies are less safe than ever, as these fraudsters attack more brands. “Once, only the largest banks were targeted,” said Peter Cassidy, the APWG's secretary general, in a statement. “Now, every kind of enterprise from banks to credit unions of all sizes to charities to, in a recent case, a hardware manufacturer, are now seeing their brands exploited in all manner of fraud schemes.” A record 356 brands were used in phishing exploits in October, according to the APWG's report for the fourth quarter of 2009, released over the weekend. The previous record, 341, had been set only in August. While that number dropped to 306 in November and 249 in December, the APWG is clearly alarmed by the trend among fraudsters to use a wider array of brand names in their malicious e-mails. “No brand is safe from the threat of spoofing for the purposes of online fraud,” Cassidy said. Further cause for alarm emerges from the organization's conclusion that online criminals are increasingly customizing their fraudulent e-mails, and in particular are trying to reach officers at financial institutions and companies who have responsibility for money transfers. Indeed, while reports of unique phishing e-mails dropped to 28,897 in December from the record high of 40,621 in August, that only means fraudsters are honing their attacks, the APWG says, to target persons with treasury authority. “Spear-phishing and whale-phishing, where individuals inside of corporations, or of high net worth [are targeted], appears to be increasing,” said Dave Jevans, the APWG's chairman, in a statement. These specialized phishing attacks are aimed at getting log-in credentials for corporate online-banking programs, virtual private networks, and other online systems, Jevans added. In other news from the report, payment services accounted for fully one-third of all phishing attacks tracked in the fourth quarter. This follows two quarters in which, for the first time, payments accounted for the largest share of attacks, the report says. Financial services accounted for 39% of attacks, with auction at 13%, retail at 2%, and other at 13%. The total number of desktop computers infected with some sort of malware used by phishers was 10.3 million, or 47.8% of all computers tracked. The APWG is made up of more than 1,800 companies and government agencies, including banks, online merchants, software vendors, and law-enforcement agencies. It was formed in 2003 in response to the rise of phishing, a crime in which fraudsters broadcast e-mails hoping to trick recipients into giving up log-in credentials or financial information, such as card numbers and PINs, that the criminals can use to loot accounts.