'Spearphishing' Fraud Hooks More Victims

How cybercriminals disguise themselves as your bank, your boss, or even the IRS

By JEN WIECZNER, SmartMoney

One fall day in 2009, the phones started ringing off the hook at the Virginia offices of Nacha, the electronic payments association that oversees the processing of billions of transactions each year. On the line were dozens of consumers and financial institutions, clamoring with questions about emails they'd received -- from Nacha, they believed -- telling them there was a problem with their payment.

The agency quickly realized its identity had been hacked. And it turned out to be only the first incident of many that since plagued Nacha with increasing frequency and sophistication. Over the past year, cybercriminals have sent out millions of messages -- as many as 167 million forged emails in a single day -- that use Nacha's logo, phone number, physical address and even verbiage from its own website in order to appear completely authentic -- all with the goal of filching sensitive financial data from Nacha's customers. "They're stealing our identity, just as they do anyone else's," says Scott Lang, Nacha's vice president of association services.

It's a potent new phase of the cybercrime wave: "Spearphishing," in which online scammers masquerade as legitimate corporations and government agencies and target the people most likely to open their emails. These messages increasingly look nearly identical to authentic emails from companies, commandeering everything from their email addresses to logos andelectronic watermarks. They usually lack the traditionally telltale signs of email scams, such as typos and jumbled sender addresses.

(More here.)