Complain about a product or service

Puddle Phishing: Online Fraud Goes Local

June 14, 2005
Phishing scams are going local, as online scam artists direct their efforts towards more targeted groups, including local banks and credit unions. Websense Security Labs, which reported the trend, calls it "puddle phishing."

Phishing • FDIC Warns Against Fake Bank Failure Scam • Consumers Want Better Online Banking Security • Puddle Phishing: Online Fraud Goes Local • New Phishing Attacks Target Specific Individuals • Online Banking Needs Stronger Security • Offline Identity Theft Still a Threat • Consumers Vulnerable To Exploitation Online and Off • FDIC Warns of Phishing Scam • Consumers Not Secretive Enough, Study Finds • Billions Lost in Phishing Scams • AOL Phishers Settle Federal Charges • AOL, PayPal Phishers Hooked • Citibank E-Mail Scam Making the Rounds • Amazon, Microsoft Sue Alleged Phishers, Spoofers • Teen-Aged Phisher Nabbed --- • Identity Theft News

Websense said it has seen a growing number of small credit unions targeted by puddle phishing scams -- more than 30 since the beginning of the year. One of the community banks recently targeted operates with as few as 11 branches.

A puddle phishing attack targeting a credit union that serves employees and staff of the White House was also reported by the Labs.

"In the past, phishers focused on mainstream consumer websites with millions of users, but now the targets are becoming much smaller and more localized," said Dan Hubbard, senior director of security and technology research at Websense.

"By targeting a bank with just a few branches, the number of potential phishing prey is reduced to a much smaller number, sometimes to just a few thousand people. Nonetheless, the fact that we are seeing more and more of the smaller financial outlets being targeted by phishing attacks may indicate that this is a highly profitable scam."

Although the specific size of the financial institution being targeted is a new phenomenon, the phishing method used by the attackers has not changed. The typical phishing email is still delivered as if it were from a legitimate financial institution and contains a message that threaten users' accounts being deactivated, blocked, or restricted in some way if they do not update their personal account information.

End users are instructed to visit a website where they are prompted to enter confidential information such as ATM pins, credit card numbers, Social Security Numbers, and email addresses.

"The attack style and dynamics are very similar on many of these recent puddle phishing attempts, which may mean that there is some tool sharing or a small amount of attackers behind this recent wave," Hubbard said.

According to the Anti-Phishing Working Group's (APWG) Phishing Activity Trends Report for April 2005, the most targeted industry sector for phishing attacks continues to be financial services, from the perspective of total number of unique phishing sites as well as number of companies targeted.

The financial services sector accounted for 84% of all hijacked brands in April. This category includes phishing attacks against community banks and credit unions in addition to well-known institutions with global brands.

Websense recently reported in its 2005 Web@Work "Phishing Trends Survey" that 45% of IT decision-makers surveyed stated that employees within their organization have clicked through URLs embedded within phishing emails. Half (50%) of the IT decision-makers surveyed do not believe that employees can accurately identify phishing sites and 32% of IT decision makers polled report that phishing attacks have caused security problems for their organizations in the past year.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Share		Follow us on Twitter.

Back to the top |