Beyond Panera's Loaves and Phishes, Beware the Scammers in Your Inbox
Loaves and phishes. This is no nod to miracles. In news reported earlier this week, Panera Bread leaked data from its website tied to thousands of customer records, ranging from individual names to addresses and e-mails and even partial credit card data. Not the type of news that's easily digested.

Panera has said the breach hit fewer than 10,000 customers. Security researchers say the breach is far more pervasive, with estimates stating that as many as 37 million accounts may have been affected.

Of course, the Panera news comes pretty much in tandem with the headlines that consumer credit card data was siphoned off by hackers from the Saks Fifth Avenue and Lord & Taylor locations. The group claiming responsibility for the retailer attacks, known as the JokerStash hacking syndicate, says it has stolen five million cards over the past year.

Differences of degree (a wide one), but not of kind. The fact remains that leaked records mean scammers now have fresh data with which to ply their trade. Panera may be a gateway of sorts to new phishing attempts cobbled together from far-flung data sources. More on that in a moment. Are we back to the days of Target-sized breaches, where POS is shorthand not just for "point of sale" but "point of steal"?

In an interview with PYMNTS' Karen Webster, Aaron Higbee, CTO and co-founder of Cofense (formerly PhishMe), said in reference to the Saks breach that "this one was a bit surprising, obviously, because we're in the phishing defense business, and the first time we see a big headline like this we start trying to look at our own intelligence sources. But we don't have any examples as their previous phishing details, so I say it's still kind of to be determined how the hackers gained access to data." And, he added, if the attackers had been in the system, so to speak, for a long time, as the syndicate claims, the true point of origin may never be uncovered.

But consider a few points, along with a caveat. Though not all attacks gain entry to victimized enterprises through phishing attempts, as many as 90 percent of breaches do indeed start with phishing. And phishing is a sure way to lure the unwitting in an age where multi-tasking across devices, email accounts, instant messaging and documents flying fast and furious makes an errant click-and-download a potentially disastrous event.

With a nod to the Panera event, Higbee stated, "If you look at the type of data that was exposed, it was customer names, email addresses, phone numbers and, in some cases, mailing addresses. On the surface that seems more like a nuisance, but in the right hands it wouldn't take too much programming knowledge to put together phishing scams, because that would appeal to someone who uses the connection or reward system, especially if you have their name and phone number."

Here, then, is a new-ish tack by the bad guys. Credit card data has its lures but is hardly evergreen. Hackers, as Webster noted, use stolen cards in a hurry, with an eye on racking up charges before the cards are shut down. It's better business, then, for the bad actors to cobble together identities or lure prey through relatively sophisticated phishing attacks. Team efforts are in play in this arena, said Higbee, when it comes to phishing: "The way that they're organized, there are certain teams that just merge data from different compromises."

What's new on the bad news radar? Well, for starters, said Higbee, it's tax season. "People are already stressed out thinking about filing their taxes, and they don't want to make mistakes," he noted. "So every year, like clockwork, you can bet on phishing-related scams. And one of them that could be more nefarious is people submitting fraudulent returns on your behalf with banking credentials so that they get refunds sent to that account." The personal details, he said, could have been gleaned from previous breaches, including names and Social Security numbers. The scams can even include fake W-2s.

Phishing, the kind that leverages employees as an entry point to an enterprise's data trove, may be more widespread than many expect, he said. Cofense has found in its own analyses of phishing that 10 percent of the missives in a worker's inbox are malicious in nature. "And so what that means," he told Webster, "is that phishing e-mails are going through two layers of technology and only are discovered because employees are reporting it."

The links that are commonly cause for concern (you know, those links that you should not open) are becoming a bit, well, well-hidden. They may not be in plain sight within the body of an email, but may instead be a link embedded, for example, in a PDF. And then there's the urgent email from a company higher-up that seems legit, urging a CFO or another executive to wire funds to an account. To combat those schemes, said Higbee, every firm needs to have what he called a "rigorous control process" delineating who can send wires when a given executive or executives are out, and who can authorize payments. "A lot of companies that are falling victim to phishing scams are missing that critical financial control and audit oversight procedure."

Suspicion abounds, which is healthy and yet also causes friction. Higbee stated that in the age of the cloud, many firms are outsourcing business functions and programs, with tools operating by dint of emails complete with, you guessed it, links. By way of example, he noted, even at Cofense, HR has seen employees reporting legitimate new benefits program rollouts. "It's a little bit inconvenient," he acknowledged, "but I'd rather have staff being suspicious and reporting than getting compromised."