'Catching phish' takes being a step ahead of the crooks
Why does phishing matter in financial services? If nothing else, it’s a hassle. When customers click on fraudulent links that purport to be from your company, they could easily get confused or upset.
This leads to a call to your customer support line, tying up resources in the process. If customers become fraud victims through a website that matches your branding, that’s not good for your reputation. You might even face legal liability or at least the threat of it. There could also be costs associated with remediating credit problems and buying identity protection insurance for phishing victims and so forth.
Our recent Phishers’ Favorites report reveals that financial services firms are a popular target for this insidious form of hacking. Inspired by Billboard’s hit charts, the Phishers’ Favorites list used data from the third quarter of 2018 to highlight the 25 most commonly spoofed brands in North America. We compiled the list by counting phishing URLs that had been analyzed and detected by Vade Secure’s email filter engine. According to this analysis, financial services companies earned four of the top 10 slots — with PayPal at No. 2, followed by Bank of America at No. 4, Wells Fargo at No. 5 and Chase at No. 7.
Phishing is a type of cyberattack that tricks email recipients into clicking on harmful URLs. The URLs might plant malware on the user’s device or deceive them into sharing confidential information through a fraudulent form. In financial services, a phishing attack might trick a victim into disclosing personal identification information, which the phisher then uses to steal the victim’s identity. Or in the case of PayPal, harvesting credentials offers an immediate financial payback through the funds associated with these accounts.
To work, a phishing email must achieve two things. First, the email itself has to look as if it came from the financial services firm. Then, the URL in the phishing email must go to a website that looks exactly like the brand it’s imitating. Unfortunately, this is easier than one might imagine. Using a technique called “spoofing,” experienced hackers can create nearly identical copies of banking websites and email addresses.
You can check out some examples of phisher’s spoofing handiwork at www.IsItPhishing.AI. The question that may arise in your mind, though, is how can the phisher replicate the URL? Doesn’t Wells Fargo own www.wellsfargo.com? They do, but they may not own www.weIIsfargo.com. OK, come on … what’s going on here? The second URL uses capital “I” instead of lowercase “l.” It’s impossible to tell the difference.
There are many variants on this technique, like using .co instead of .com or adding a letter that escapes the notice of many busy email recipients. If you were in a big hurry, would you notice that an email from someone at paypal.co wasn’t really from the actual company? A lot of people miss details like that, especially when responding to email on mobile devices that don’t show the sender’s email address in the interface.
Phishing that affects social networks may also potentially have an impact on the security posture of financial firms. Facebook, for example, was among the top 10 most spoofed URLs on our third-quarter list. It had dropped from No. 3 to No. 6 since the second quarter, but it’s still a popular target, for good reason. Phishers who spoof social media sites can learn important personal details about their victims. With that data, they can then come back and conduct a “spear phishing” attack that singles out the victim by name. A spear phisher might write a personal-sounding email, pretending to be a friend or relative who is in need of funds, for instance.
This quarter, we added something new to Phishers’ Favorites, analyzing the day of week for each phishing URL. We found that overall, Tuesday and Thursday are the two most common days for phishing attacks, followed by Wednesday, Monday and Friday. From there, activity trails off significantly on Saturday and Sunday.
The one major exception to this pattern is Bank of America, with Saturday and Sunday being two most popular days for phishing attacks. One possible explanation is that hackers are trying to take advantage of bank branches and customer service lines being closed in order to make it harder for customers to verify that emails and pages are malicious.
While this certainly sounds plausible, the theory does not prove universally applicable across the banks on our list. For instance, Tuesday and Thursday are the biggest days for Wells Fargo phishing, while Thursday and Friday are the top days for Chase phishing.
Phishing is a serious problem in the financial services world. Fortunately, there are predictive email security solutions capable of detecting these advanced threats. Moreover, training and increased awareness among financial services employees and customers can also help mitigate the risk of phishing attacks.