Phishing and Pharming: Are You and Your Customers at Risk?
Throughout history, people have used fishing and farming as a means of survival. In today’s computer age, cybercriminals are honing their phishing and pharming skills for a different kind of survival: Tricking unsuspecting individuals into revealing sensitive data that the cybercriminals then use to steal funds or identities.
These common cyberattacks can be devastating to customers, but they can be just as damaging to businesses: Dealing with phishing attacks alone costs large companies $3.7 million yearly.
To prevent their customers — and themselves — from falling victim, e-commerce merchants must understand how these cyberattacks work, what effect they can have on their businesses and the steps they should take to help secure customer data.
How Phishing Attacks Compromise Personal Data
A form of social engineering and identity theft, phishing scams try to trick individuals into revealing personal information, like Social Security numbers, user names and passwords, or credit card numbers. Fraudsters typically contact victims by text, email or phone, posing as an authority figure or a seemingly legitimate company to get the victim’s confidential data. They may even use actual company logos, authentic-sounding return email addresses and realistic-looking links in their communications to “spoof” unsuspecting customers into providing sensitive data. And these emails work: 30% of phishing emails get opened.
But emails are just one part of a fraudster’s scam to have victims submit their sensitive data right to a scammer’s database. Phishers may also install malicious software on computers, infect computers with viruses or even steal personal information from computers.
Although many of these attacks take advantage of software and security weaknesses, they’re essentially still simple con jobs in which fraudsters disguise themselves as trustworthy individuals or businesses. And once they have their hands on a customer’s data, they’ll use it to open new credit card accounts or even commit identity theft.
Nearly 1.5 million new phishing sites are created monthly, and phishing attacks overall grew 250% in first-quarter 2016 — proof that recipients are still falling for them. Just last month, health- and fitness-tracking app MyFitnessPal was hit by a data breach, putting its 150 million users at risk of receiving phishing messages.
The Widespread Risks of Pharming
Another common fraudster scam is the pharming attack, which relies on the same fake websites and information theft as phishing. The goals of both attacks are the same: steal personal data and use it to apply for new credit cards, withdraw funds from the victims’ accounts, or even sell the data to buyers on the dark web.
But there are two ways in which pharming differs significantly from phishing.
1. Requires No Action by the Victim
Phishing attacks require victims to click a link to take them to the fraudulent website, but pharming attacks automatically install malicious code on a computer.
By “poisoning” the DNS cache of computers, servers or networks — the stored list of previously visited websites and the network addresses they resolve to — pharmers can misdirect users to fraudulent websites, even when they type the right address. As users start typing in a web address, like “PayP,” an autofilled suggestion seamlessly redirects the user to the fake website, where the user will log in as usual and unknowingly hand over their credentials.
Because this code requires neither consent nor knowledge to execute, many victims never realize their local DNS server has redirected their request to a fraudulent website.
2. Can Affect a Greater Number of People
Phishers operate on a smaller scale, sending out thousands of emails in the hopes that a gullible victim will take the bait and click a link. But pharmers can scam anyone who visits a particular website — or even starts to type in the name of a web address — giving them a much wider reach.
These “domain spoofing” attacks are increasing, in part because fraudsters are looking for new ways to collect sensitive personal data from Internet users who are learning how to avoid phishing attacks. In 2017, a pharming attack hit more than 50 financial institutions and their customers in the United States, Europe and Asia-Pacific. Before it was stopped, the attack infected more than 3,000 computers in just three days.
But it’s not just large companies that are vulnerable. Drive-by hackers can even change the DNS setting on a customer’s insecure home router, allowing for the redirect to fraudulent websites.
How Merchants and Customers Can Help Prevent These Attacks
It’s easy for customers to believe they’re communicating with — and providing information to — a legitimate company. After all, the fraudsters are using real logos, legitimate-looking web addresses and realistic-looking links.
One way to help reduce the risk of attacks is for merchants to assure customers that they’d never send any electronic communication that asks for personal data — and for customers to notify merchants if they receive any suspicious communication.
Merchants can also help customers avoid being a fraud victim by telling them to:
- Avoid clicking on any links in an email; instead, open a new browser window and type the company’s web address.
- If they must click on a link, first hover their mouse over it to ensure they’re being directed to a trusted source.
- Report suspicious emails directly to the company from whom the email allegedly came. Many companies, like PayPal, even have a dedicated email address for customers to send suspicious communications.
- Do not respond to data requests from companies with whom they have no relationship.
- Only enter sensitive data on secure websites. Customers should look for website names that begin with “https,” have the lock symbol or have a certificate from a company like Verisign.
But when it comes to fraud prevention, it’s also important for merchants to up their cybersecurity game and put tools in place that will work 24/7/365 to identify emerging risk indicators and protect a merchant’s revenue and reputation.
If you’re not sure if your fraud prevention solution can keep pace with the quickly evolving world of fraud, contact a ClearSale analyst today. They can help you analyze the different fraud protection solutions available to you and demonstrate why ClearSale’s robust hybrid approach is the solution of choice for vendors worldwide.