Allison here, with AllClear ID. It’s old news that hackers are creating phishing sites that are mimicking brands and other trustworthy websites in order to lull people into a sense of security and legitimacy. But, the new twist is that gaming sites like “Star Wars: The Old Republic” and “World of Warcraft” have been targeted as avenues to spread malicious links and to gather personal information for identity theft.

With World of Warcraft, phishers sent emails through the in-game mailboxes asking users to beta test the game’s newest expansion, “Mist of Pandaria.” Users who clicked the link were taken to a website where they would have to register and provide the credentials to their account. The Star Wars phishing scam was much worse, where users were subject to account verification checks. Not only did these checks ask for emails, but it also asked for answers to several security questions. It’s theorized that this was done to find those who use these emails and security answers for other accounts – such as banking and social media – so that hackers can get inside those other accounts as well.

These scams were caught in July, but this development coincides with a report from the Anti-Phishing Working Group that says the number of phishing sites is at an all-time high. More than 38 percent of the fake websites were related to financial services, according to the APWG’s report. The second most spoofed market vertical was payment services, followed by retail and other service sites. The sites spoofed 392 brands – also a new record – also coinciding with the trend that hackers and spammers are mimicking legitimate sites and brands as a way to get more victims and to steal more identities.

No one has been caught for starting these scams, but the gaming sites have boosted security and notified users of the problem. Even niche sites like an online gaming community aren’t safe from phishing scams and other cyberthreats, perhaps even more so since gamers interact with other people from all over the world without possibly ever meeting them. Overall, protection is simply a matter of being cautious when revealing personal information and credentials to accounts.