New Lures for Phishing
A recent security alert from the online payment processing company Stripe has informed users of a phishing scam that shows just how fast hackers adapt to the efforts used to counter their tactics.
Stripe is widely used by small business owners, charities, and individual consumers for payment and donation processing. Recently, some customers may have received a fake email claiming to be from Stripe Support, stating that their account details are not valid and that no pending payments can be issued until the user updates their information. The user is urged to log into their account quickly by clicking the link provided. The link leads to a sequence of three pages that look nearly identical to the legitimate Stripe website. The first page is designed to gather the user’s login credentials (email and password), the second collects their bank details and phone number, and the third asks for their login credentials once again. What sets this apart from the average phishing email is that once the user reaches the final page and attempts to log in, they are told they entered the “wrong username/password” and are then redirected to the legitimate Stripe website. Cyber criminals use this redirect to the real site to make it less likely that the user will realize they have just handed over their details to a phishing attack.
Another key, and very alarming, difference in this scam is that it did not allow users to hover over the sender’s email address or the link to verify where it actually pointed. Until now, hovering has been a great first step in detecting fraudulent emails, but as we now see, hackers have found a way around it so that even cautious individuals are less likely to spot their scam.
Phishing remains the easiest way to access a broad group with a high likelihood of success. And as we are seeing with this case, it is going to continue to evolve.
How can you protect yourself? Remain diligent in your practice of pausing before you click. Go to the company’s website directly rather than following a link within an email. Never provide login information before first verifying that the request is legitimate.
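The advice above relies on the reader checking where a link really goes, and the scam described here specifically interferes with the hover check most people use for that. A mail filter or analyst tool does not need to trust what the mail client displays: it can read the raw HTML and compare each link’s actual destination with its visible text and with the domains the claimed sender legitimately uses. The following Python script is an added example, not code from the original article or from Stripe. The sample email body, the lookalike host (a `.example` placeholder) and the trusted-domain list are all constructed for illustration, and the domain-extraction heuristic is a simplification rather than a public-suffix lookup.

```python
"""Flag suspicious links in an HTML email body.

Added example (not from the original article). It parses the raw HTML so
the check does not depend on what the mail client shows on hover, and it
compares each link's real destination host against a list of domains the
reader trusts for the claimed sender. The sample email and the lookalike
domain below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an email claiming to be from Stripe Support. The
# visible text of the first link looks legitimate, but the href points to
# a lookalike host (a placeholder under the reserved .example TLD).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your account details are not valid. Pending payments are on hold
until you update your information.</p>
<p>Please log in now:
<a href="https://dashboard.stripe-account-verify.example/login">
https://dashboard.stripe.com/login</a></p>
<p>Questions? See <a href="https://stripe.com/docs">our docs</a>.</p>
</body></html>
"""

# Domains the reader considers legitimate for this sender (assumption).
TRUSTED_DOMAINS = {"stripe.com"}


class LinkExtractor(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last-two-labels heuristic (no public-suffix list); a simplification."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname part of a URL, or '' when there is none."""
    return urlparse(url).hostname or ""


def analyze_links(html, trusted_domains=TRUSTED_DOMAINS):
    """Return one finding per link, listing the reasons it looks suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        href_host = host_of(href)
        reasons = []
        if registrable_domain(href_host) not in trusted_domains:
            reasons.append("destination host not in trusted domains")
        # When the visible text is itself a URL, its host must match the real
        # destination; a mismatch is the classic phishing tell the hover
        # check is meant to reveal.
        if text.startswith(("http://", "https://")) and host_of(text) != href_host:
            reasons.append("visible URL text differs from real destination")
        findings.append({"text": text, "href": href, "host": href_host, "reasons": reasons})
    return findings


def suspicious_links(html, trusted_domains=TRUSTED_DOMAINS):
    """Only the findings that carry at least one reason."""
    return [f for f in analyze_links(html, trusted_domains) if f["reasons"]]


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status}: {f['href']}  ({'; '.join(f['reasons']) or 'no issues'})")
```

Run on the constructed sample, the first link is reported twice over: its destination is outside the trusted domain set, and the URL shown to the reader does not match where the link actually goes. The documentation link passes. The point for defenders is that a server-side or gateway check works from the `href` attribute itself, so client-side tricks that stop a user from hovering do not affect it; what the list of trusted domains contains is a policy decision and should come from the organization, not from the email.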
Hackers are well aware that people are a weak link in an organization’s security, which means they will continue to target employees to gain access to sensitive data. Employees must receive ongoing cybersecurity education so they can stay up to date with current threats and evolving tactics, as well as best practices for protecting themselves both at work and at home.