Phishing goes local

In a post to TESC Crier, there’s a note about a phishing scam that targets Washington State Employee Credit Union members:

Two new email Phishing scams are targeting WSECU members.  The email appears to come from WSECU. In fact, it comes from an fraudulent source shown as ([email protected]) The two e-mail subject lines are: Enroll in “Challenge Questions” Authentication Now and Changes coming to online banking!

Phishing isn’t new. Banks being the target isn’t new. What strikes me about this is that the bank isn’t a national bank. It’s a smaller bank, on a more local scale. So, the scams are moving down the food chain toward the small banks, apparently.

This, to me, seems like a big deal because the smaller the scale of bank the more damage, overall, a service interruption could become. And, the smaller the bank, it seems to me, the less Internet fraud detection and recovery infrastructure there will be in place.

On the other hand, the smaller the bank the more likely there will be clues in the scam that give it away as not being genuine. At some level, the social engineering used by these scams requires that the individual not recognize there’s something wrong. So, the larger, more formal, more distant communication from the institution usually is, the easier that is to spoof. However, for smaller, more personal banks, one would think they would have more unique communication styles, perhaps more personal, that, if missing, would offer a clue to the individual that there’s a problem.

But, it’s still very interesting to see that a smaller, more local bank is being targetted by phishers. I suspect that the availability of e-mail addresses for the state colleges and universities, harvested from websites and list archives, makes state employee credit unions an easy target.

If the trend were to continue, I could imagine that Evil Personâ„¢ might harvest e-mail addresses off of local Olympia blogs, like Olyblog, and try phishing with fake e-mail from even more local banks, like South Sound or even Tulip. There’s a point where one might pass the point of diminishing returns, but then there’s also the fact that for every local bank here, there’s banks in other places on the same scale … so there’s an economy of scale to phishing lots of smaller banks, I suppose.

It will be interesting to see how the push of spam and phishing goes – if it goes more and more local, more and more targetted.

What if instead of random text, a spam tool used keywords or maybe even just the target e-mail to google up some related text and parsed that into the e-mail? It would be like being spammed by a million monkeys on typewriters, and could become a really surreal experience. It would be like personalized engrish, or a daily personalized message from Wm. S. Burroughs! Now, how cool would that be?