All the signs are that cyber criminals have dramatically ramped up the scale of their phishing attacks on both business and consumer users of the Internet, in the hope of harvesting financial credentials and other digital assets of value.
The Royal Mail has warned customers about scam emails that fraudulently claim to be from Royal Mail International.
The email claims that the service is holding an item for the customer and then asks recipients to open up a ZIPped attachment – which appears to be infected – and complete a document.
After learning of the scam, Royal Mail says that it will never ask for credit card numbers or other personal or confidential information via email, or ask customers to enter information on a page that is not part of the Royal Mail Web site. It adds that the company does not include attachments in an email unless requested by the customer.
The warning comes after a Manchester couple were found guilty late last week of a phishing scam that could have netted £19 million.
The scam, masterminded by a Nigerian gang, saw a 22-year-old man and his partner generate £41,000 in two months by staging phishing attacks on customers of banks such as Barclays and Halifax.
Manchester Crown Court heard how the global Internet banking phishing scam could have netted £19 million for the entire (global) gang after the accounts of more than 2,400 people were hacked.
The scammers sent fraudulent emails to online banking customers, claiming their accounts had been hacked and asking them to complete an online form with their account and login credentials.
According to the Manchester Evening News, a 22-year-old Nigerian has been jailed for three-and-a-half years after admitting conspiracy to commit fraud and unauthorised computer use. His girlfriend, meanwhile, admitted five counts of money laundering and was given a suspended prison sentence.
The newspaper says that Barclays and North West Regional Cyber Crime Unit investigators found evidence of the scam on seven devices at the Nigerian's home, which had accessed 181 accounts from his address. Barclays subsequently found more than 2,400 customers had been affected and investigators say the true scale of the fraud will never be known.
These are just two of several phishing sagas that have emerged in the last week, SCMagazineUK.com notes.
Clive Longbottom, co-founder and analyst with Quocirca, the business and research analysis house, says phishing attacks have a tendency to ramp up in the weeks prior to Christmas.
“The problem is that people do a lot of online shopping about now and share more details than they should,” he said, adding that people also tend to let their normal guard down because they are pressed for time.
Quocirca, he says, has also observed that cyber criminals almost operate their phishing attacks in a March to December time-frame, and then go on holiday with the proceeds of their crimes.
One consequential problem of phishing attacks that Longbottom and his team have discovered is that, if the card details have been successfully phished – and despite legislation designed to protect the interests of cardholders – the banks will sit on cases for several months, hoping to wear the customer down.
“In addition, if it's PCI DSS data that has been stolen as a result of a phishing attack, the bank will then go after the firm concerned for any costs involved,” he explained.
It really is, he told SCMagazineUK.com, a case of caveat emptor where phishing and its consequences are involved.
Spear phishing is also on the rise, he says, and some of the latest attacks are very clever indeed.
“The problem with spear phishing-driven malware is that conventional antivirus technology does not work where there are multiple links in an email. Even heuristic analysis does not always work,” he said.