Online Phishing Attacks Up 297% Over Last Year

There's no question that online shopping has continued to grow over the past few years, making it easy to order anything you like from practically wherever you like.

Source: USA Today | Published on October 26, 2018

But what's not so convenient is the slew of cybercriminals who have come along for the ride to steal your data and charge your credit card for goods you'll never receive.

As retailers increasingly focus on selling merchandise through a variety of online channels such as Facebook and SnapChat, fraudsters are discovering new avenues to lure in unsuspecting victims.

"It is the most common way to obtain stolen credit-card numbers," said Itay Kozuch, director of threat research at IntSights, a cyber-risk analytics company. "Instagram has become one of the leading vehicles for fraudsters to execute phishing attacks, as it is still a relatively new and uncharted channel for merchants and therefore is an easy way to capitalize."

While phishing – illegally capturing passwords and credit-card numbers – is nothing new, an investigation set out to uncover just how severe the threat has gotten over the past year.

In a joint venture with Riskified, an eCommerce fraud-prevention company, IntSights collected data on hundreds of thousands of illegal online purchases. The companies found a 297 percent spike in the number of fake retail websites designed to phish for customer credentials between the July-to-September period of 2017 and the same period in 2018.

How do the scammers do it?

Most online retail fraud involves a simple two-step process:

First, steal credit-card information. Then, order goods from a retailer.

The retailer fulfills the order and gets stuck with the bill after the real owner of the credit card disputes the unauthorized transaction. The bank reverses the charge.

"As eCommerce continues its explosive growth, fraud has followed suit, making it very difficult for merchants to distinguish good customers from bad actors," said Eido Gal, CEO of Riskified.

Gal said that inefficient fraud prevention costs merchants billions of dollars each year.

Why are online retailers easy targets?

For one, there's an abundance of merchants to target, many of which have weak security, according to experts. The risk is relatively low, but the potential payout is high. If one doesn't work, scammers can just move on to the next.

Fraud, scams and theft have always been challenging for brick-and-mortar stores to deal with. But eCommerce complicates the landscape since people can use an IP address from one country, pay with a credit card from another and have a shipping address virtually anywhere on the planet.

"People tend to have a heightened sense of fraud when dealing with a financial institution," cybersecurity expert John Sileo said. "That's why scammers are more likely to use a retailer. They are lower risk targets. You're less likely to grow suspicious."

The identity theft expert is CEO of Sileo Group, which provides data privacy training through seminars.

Also, these online tricksters often build authentic-looking websites to fool shoppers.

"Scammers can register a domain for pretty cheap that looks like some everyday retailers you might be familiar with," said Kevin Mitnick, a former computer criminal and founder of Mitnick Security Consulting.

"Today, if they wanted to look like J.C. Penney, they could purchase JCPenny.US.com for just $21," Mitnick said.

How can I protect myself?

"The first step is to be aware that these online attacks exist," Mitnick said. "Be extra cautious when you see a link. Have an extra healthy dose of paranoia. Stop, look and think before you click that link."

The experts also suggested using anti-virus products that can detect malicious websites, along with two-factor authentication. When two-factor authentication is enabled, a user will receive a special code sent to their mobile device once they've entered a password.

"Be aware of spear phishing," Sileo said.

Spear phishing is a tactic used to trick the target into giving even more information.

"They might say they have your password so you trust them," Sileo said. "But it is just bait."