Follow the Money: Financial Services Are A Target for Phishing Scams
Scammers are focused on monetary gain, which leads to phishing attacks targeting companies that provide financial services. A few months ago, mobile phishing campaigns targeted customers of a long line of banks, including HSBC, CIBC, Chase, and Scotiabank. Lloyds Bank customers were also the target of a recent email and SMS phishing attack. In addition to banks, technology companies that provide banking solutions are another focal point for hackers, with PayPal topping the list of most impersonated brands in phishing attacks.
The COVID-19 outbreak added to the vulnerability of brands and customers, as well as attackers’ motivation. Reports state that the total number of banking-focused phishing scams grew by over 2500%. Cybercriminals consider the current crisis an opportunity and exploit people’s increasing search for information by hijacking brands.
Bling Bling? Reasons for targeting financial services
- It’s all about the money: As we’ve mentioned, scammers want to reach our financial assets, and information such as social security numbers, credit card numbers, and passwords can lead them right into customers' bank accounts. This information is also in high demand, and therefore carries a high price tag, on the dark web.
- Trusted brands: Banks and financial companies are considered trustworthy. Information received from them, for example through an email or landing page, is prioritized, and their questions are answered via voice, texts, online, you name it. Scammers impersonating these brands stand a better chance of collecting information that will assist their phishing plans.
- Digital transformation: The transition to online financial services enables attackers to issue more finance-related phishing scams. This is especially true in the social distancing era, as remote solutions become more essential than ever.
- Security vulnerabilities: You might expect that given the nature of financial services, their online channels would be as secure as it gets. In reality, these are often traditional organizations that made their transition to digital in recent years, still fall behind technologically, and often lack the appropriate security measures. Complex internal procedures and bureaucracy leave even more room for scammers to take advantage of the situation, because decisions regarding security take so long.
- A world of phishing possibilities: The plethora of online financial services combined with the variety of phishing scams creates an inviting playground for hackers, where each one can find different vulnerabilities to exploit, information to gather, and attack methods to specialize in. One scammer might focus on credit cards, while another is a master of social security fraud.
Plenty of phish: The types of phishing scams targeting financial services:
- Spear phishing: Unlike phishing attacks that target a large number of potential victims, spear-phishing attacks are far more targeted and specific. They aim at a small number of recipients who are often studied, predetermined, and hand-picked. Fraudsters seek victims out on social media, send them emails, and start a personal conversation. According to Peter Cassidy of APWG, “They're even using live phone interviews, posing as a security administrator in the victim's own company.”
- Spray and pray phishing attacks: Unlike spear-phishing, these sorts of attacks target a massive number of recipients and are less personalized. In this case, scammers normally do not tailor the attack’s content to fit a specific group, but instead aim for the common denominator.
- Target type: Phishing scams may target consumers, company employees, or executives. Each attack takes into consideration the nature of its targeted group and chooses the delivery method and content most likely to outwit the victims.
- Delivery method: Phishing attacks are as versatile as they are dangerous. Some involve online fraud through fake forms, others are based on online impersonation of brands and people, and new malicious tricks are added to the phishing playbook on a regular basis.
- Online channels: There are many possible channels for executing phishing scams. Websites are a leading channel, and following the mobile revolution, apps joined the list. Today, social media networks are another popular channel for scammers, and every new popular network becomes a target.
The bank safe: How can financial service providers protect themselves?
There are a number of available anti-phishing solutions for companies, each one representing a different approach:
- Threat intelligence and threat hunting solutions: Financial services companies own many online assets, such as company websites and apps, that require customers to provide personal information. Threat-intelligence-based anti-phishing solutions monitor and investigate these online domains in search of any anomalies that could indicate suspicious activity. Attempts to access bank accounts, or even an extended length of time spent in an account, could indicate suspicious activity. Unlike threat hunting solutions, which focus on hunting immediate threats, threat intelligence solutions collect intelligence on existing and emerging threats. This includes everything from the sale of credit cards to bank account details. By adopting a threat intelligence solution, financial services companies are in a better position to respond to and stop threats before they emerge.
- Training and preparation: It’s true for all businesses, but financial services have little choice other than to invest in the latest tech tools and techniques, as well as test compliance and overall readiness. Procedures should focus on awareness, information management, backup and disaster recovery. This should be part of employee training on all levels. Keep in mind that employees who do not manage the company’s digital activity as part of their job are still active online throughout the day, at work or at home.
It’s time to beat them at their own game
Scammers are always on the lookout for vulnerabilities and loopholes they can take advantage of. For an industry as profitable and lucrative as financial services, it's time to find ever-creative ways to outsmart these criminals. But how do you beat scammers at what they do best? That’s where BrandShield’s unique approach to anti-phishing comes in.
While there are a variety of anti-phishing solutions out there, the reality is that most of these solutions fail because they only go so far. At BrandShield, our proprietary anti-phishing solution not only detects phishing pages and websites but removes them.
Contact BrandShield today to schedule your demo and watch our comprehensive anti-phishing solution in action.