
COVID-19 Vaccine scams, WFH victims, Tax Season, oh my!


A perfect Internet fraud storm is upon us. What is a cybercriminal to do? The answer: Almost anything they want. 

No matter what government agency or security company report you read, it’s the same disheartening statistic – phishing, scamming, vishing, and smishing are all on the rise in unprecedented numbers. Indeed, the internet climate has changed, for the worse. These intrusions into our online life are more than the repetitive SMS phishing annoyance or scam phone call. Account Takeover (ATO) is now affecting brand loyalty and hitting companies harder than ever on their bottom line.

Account Takeover is particularly troublesome for victims and companies. In simple terms, attackers cull information from victims through phishing campaigns or social media. Their goal – to acquire sufficient personal information to masquerade as the victim and log in to their accounts. From there, attackers can change the account profiles, steal the victim’s money, and/or buy products. Often, these scams cause a direct loss to the account owner. This is a cause for concern for the companies whose customers are victimized, as it increases their attrition rate.

WHAT’S A COMPANY TO DO? 

We analyzed the content of a set of phishing sites compiled over the last 5 years to determine what these attackers are after. The sites’ content reveals what input is requested of the user by the phisher. The earliest data samples show that phishing sites were predominantly after credentials to log in and steal from victim accounts. Over the course of the past five years, however, we see an alarming uptick in the number of phishing sites that trick users into providing their personal identifying information, their PII. This is completely consistent with the huge increase in ATO attacks we are seeing today. 

The figure below shows the trend in the danger posed by phishing sites. Sites are categorized as a significant danger if they trick users into providing only their contact information, such as email addresses for future phishing campaigns or telephone numbers for vishing and scamming.

  • High danger signifies a phishing site that scams a user into providing account credentials. These are direct attacks against a user’s account, but less dangerous than Extreme phishing sites. 
  • Sites classified as extreme steal a user’s PII, including social security numbers, driver’s licenses, passport numbers, etc. You name it, they ask for it. 
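
The three tiers above can be expressed as a triage rule over the input fields a captured page requests, with the page taking the tier of its worst field. This is an added example, not Allure Security's code or methodology; the keyword patterns, function names and sample forms are assumptions constructed for illustration.

```python
# Added example: tier a captured page by the inputs it requests (patterns are assumptions).
import re
from html.parser import HTMLParser

TIERS = ["none", "significant", "high", "extreme"]  # ascending danger

# Checked in order, so a field matching several tiers gets the most severe one.
PATTERNS = {
    "extreme": re.compile(r"\bssn\b|social.?sec|passport|driver|licen[sc]e"),
    "high": re.compile(r"passw|\bpwd\b|passcode|user.?name|login|\bpin\b"),
    "significant": re.compile(r"e.?mail|phone|mobile|\btel\b"),
}

class FieldCollector(HTMLParser):
    """Collects a normalized text descriptor for each visible form field."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        if (a.get("type") or "text").lower() in ("hidden", "submit", "button"):
            return  # not something the user is asked to type
        raw = " ".join(a.get(k) or "" for k in ("type", "name", "id", "placeholder", "autocomplete"))
        self.fields.append(re.sub(r"[^a-z0-9]+", " ", raw.lower()).strip())

def field_tier(descriptor):
    """Map one field descriptor to the page's significant/high/extreme tiers."""
    for tier, pattern in PATTERNS.items():
        if pattern.search(descriptor):
            return tier
    return "none"

def classify_page(html):
    """Return (page_tier, [(descriptor, tier), ...]) for a page's HTML."""
    collector = FieldCollector()
    collector.feed(html)
    per_field = [(f, field_tier(f)) for f in collector.fields]
    worst = max((t for _, t in per_field), key=TIERS.index, default="none")
    return worst, per_field

# Constructed sample forms (not taken from any real site).
SAMPLE_CONTACT = '<form><input type="email" name="email"><input type="tel" name="phone"></form>'
SAMPLE_LOGIN = '<form><input name="username"><input type="password" name="pass"></form>'
SAMPLE_PII = ('<form><input name="email"><input type="password" name="pwd">'
              '<input name="ssn" placeholder="Social Security Number">'
              '<input name="dl_number" placeholder="Driver\'s license #"></form>')
```

Keyword matching on field attributes misses pages that render their prompts as images or build forms in script, so a "none" result means no matching field was found in the static HTML, not that the page is benign.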

The rise in extremely dangerous phishing sites is a clear indicator consistent with the increase in ATO. In today’s world, PII is golden. A recent Ponemon Institute report showed ATO losses have risen 72% from 2018-2019 to a whopping $6.8B, and new account fraud (which can only occur when PII is stolen and misused) is up 88% in the same period of time.

One thing is clear: cybercriminals are after everyone’s information, and they are far more successful today than ever before. Their spoof sites demonstrate this in clear terms. PII theft and ATO are on the rise and will increase rapidly with the unprecedented context in which we now live – a pandemic pushing everyone online, political turmoil, and now tax season. Being vigilant is helpful, but not enough. The internet’s climate has certainly changed. Without more technology that helps keep everyday users from being victimized, things will begin to spiral out of control.

Allure Security can help defend your company’s websites from being used for phishing, protect customer PII, and prevent customers from becoming victims of ATO. If you’d like to learn more about our solution, email: [email protected].
