Your data is worth money—and so is your money

E-mail scammers are focusing their energy on your bank account, numbers show.

 

He fell for it today. 

He got an e-mail that looked like it was from Apple.

“Your Apple Email ID, was used to purchase ‘Wildest Dreams’ Album by Taylor Swift,” it said.

He’s no Taylor Swift fan, and he wanted to make sure he got that charge off his account.

It wasn’t Apple, it was phishing. And he got hooked.

What did the cyber gangsters want?

“Basically, phishing is an attempt to obtain sensitive information,” a rep from cybersecurity company Kaspersky Lab said to Archer News.

That could be your username, your password, your data of birth—to use for further crimes or to sell on the back market.

But more and more, phishing teams are going for your money, rather than your data, according to Kaspersky Lab research.

“Financial phishing is one of the easiest ways for cybercriminals to earn illegal money,” Kaspersky Lab reported.

 

Example of Taylor Swift Apple Email phishing via en.emailfake.com.

 

Cheap & easy

Phishing is cheap and easy for the bad guys to carry out, researchers said.

Financial phishing grew from 2015 to 2016, with almost 50% of all phishing e-mails now falling into the financial or “steal-your-money” category, according to Kaspersky.

That category includes things like fake e-mails from banks asking for your account information, fake invoices from payment systems like PayPal and Visa, and mock webpages for Internet shops like Amazon, eBay and more.

As more people use these kinds of online financial services—and as the phishing gangs have more success with these attacks—the financial phishing crime rate goes up.

“For the first time in 2016, the detection of phishing pages which mimicked legitimate banking services took first place in the overall chart – as criminals sought to trick their victims into believing they were looking at genuine banking content or entering their details into real banking systems,” Kaspersky said in a report.

 

The percentage of financial phishing detected by Kaspersky Lab in 2014-2016. Image credit: Kaspersky Lab.

 

Be alert at work

You’re more likely to see phishing coming in on your work account than on your personal account, according to Google.

Corporate inboxes get 6.2 times as many phasing e-mails as personal inboxes, the company reported.

And the phishers have some favorite targets.

If you work for a finance or insurance company, you’ll get the most phishing messages, according to Google’s latest numbers. 

Next is the entertainment category, then information technologies, then transportation.

Phishing in action

People living in Australia received a message from what they thought was their power company in 2016.

AGL Energy—the same company that lit the first gas street lamps in Sydney in 1841—appeared to be offering the “speed and convenience” of electronic billing, plus a peek at your latest and rather steep electric bill.

It was a trap.

 

AGL Energy phishing e-mail from Kaspersky Lab. Image credit: Kaspersky Lab.

 

In some cases, a fake AGL Energy bill e-mail lead to ransomware, and people who click found their data frozen until they paid the blood money, reported The Newcastle Herald.

Ransomware is the” predominant type of malware being distributed via phishing,” according to a report by PhishLabs this month.

“We received a distress call from a local Melbourne painter, who told us his computer had been infected by a ransom virus and he could not access any of his emails, accounting files and family photos,” wrote Paul Zdzitowiecki of IT support business Computer Cures on LinkedIn. 

The painter had not backed up his data.

“We informed our client of the risks, and met with him to proceed to pay the ransom [$640], which was a complex and stressful process that took a week to complete,” he added.

 

AGL Energy plant in Australia. Scammers used the company name to trick AGL customers. Photo credit: UCL Engineering via Foter.com / CC BY-SA

 

Back again

The next finical phishing e-mail you receive may not be ransomware. It could be simply banking malware, that seeks out your account information.

The banking malware phishing attack dropped in popularity in 2014 and 2015, but is back again, Kaspersky Lab said, and people living in the U.S., Russia, Germany, Japan, India and Vietnam are the prime targets.

The attack could also come by phone.

The number of people running into Android malware jumped 430% percent to more than 300,000 people around the world in 2016, Kaspersky reported.

 

If you have an Android device and use banking apps, be extra careful when surfing the web, Kaspersky Lab recommended.

 

What can I do?

You can look for clues like bad spelling, grammar or punctuation. 

But not every phishing e-mail or website is unprofessional. The AGL Energy scam message even included an official-looking warning about the use of cookies on the site.

You can also protect yourself by checking the e-mail address of the account that sent you the message to see if looks legitimate.

Don’t click on links before checking them out. You an contact the company itself, rather than replying to the e-mail or clicking on the link.

“Always check the legitimacy of emails that you’re receiving from famous brands. Especially if it encourages you to do something urgently, like change your password,” Kaspersky advised. “Make sure that it was sent by a legitimate party and for example, contact your bank or payment system representative to find out if the email really has been sent by them to you.”

We were not cautious enough when it came to our financial data online in 2016 according to the Kaspersky report. And the crooks know it. 

But maybe we can take a closer look in 2017, like looking for “HTTPS” on the left side of the address line of the website before we make a payment on the Internet.

“The connection should be protected with HTTPS, and the domain should belong to the same organization that you’re going to pay,” Kaspersky said.