U.S. payments processing firm Payoneer has disclosed that some of its customer accounts were compromised as a result of a phishing campaign, according to The Record, a news site by cybersecurity firm Recorded Future. The disclosure follows reports from several users of account breaches, password replacements, and fund exfiltration.
Attackers targeted a "very limited number" of Payoneer customers with fraudulent links redirecting to phishing sites that sought their account login information, said a spokesperson for the financial services firm.
"We took swift action to contain the attempts at fraud from spreading," the spokesperson added. No further information on how Payoneer's security defenses were breached was provided.
However, the incident comes after cybersecurity experts noted that SMS-based multi-factor authentication solutions are vulnerable to phishing attacks.
"Sadly, in general, 80% of the MFA solutions people use are phishable. And everyone, when given a choice, should switch to phishing-resistant forms of MFA. Even CISA, Google, and Microsoft, are starting to try and push their customers to more phishing-resistant forms of MFA," said KnowBe4's Roger Grimes.