"Puddle Phishing" Hits Small Banks, Credit Unions

Phishers are baiting users of smaller banks, a security firm said Monday, calling the practice "puddle phishing."

"In the past, phishers focused on mainstream consumer sites with millions of users, but now the targets are becoming much smaller and more localized," said Dan Hubbard, senior director of security at Websense, in a statement. "By targeting a bank with just a few branches, the number of potential phishing prey is reduced to a much smaller number, sometimes to just a few thousand people. Nonetheless, the fact that we are seeing more and more of the smaller financial outlets being targeted by phishing attacks may indicate that this is a highly profitable scam."

San Diego, Calif.-based Websense has spotted more than 30 scams involving small-scale credit unions since the first of the year, Hubbard added, some of which have as few as 11 branches. One scheme targeted a credit union that serves employees and staff of the White House.

While the size of these targets may differ from mainstream phishing, the attack techniques are the same. "The style and dynamics are very similar on many of these recent puddle phishing attempts, which may mean that there is some tool sharing or a small amount of attackers behind this recent wave," said Hubbard.

And even though they're small, credit unions and local banks certainly fit the profile of phishing attack victims. In April, the most recent month for which there is data from the Anti-Phishing Working Group, 84 percent of the brands phished were from the financial services sector.