Biggest phish in the sea? These banks are growing targets

October 31, 2018 9:00 PM

Phishing is the one cybersecurity issue that never seems to go away.

Despite the repeated warnings and efforts at raising customer awareness, cyberthieves continue to trick users with fake emails resembling legitimate ones, intended to direct them to a link where thieves can steal their credentials.

Perversely, cybercriminals are in fact exploiting that awareness, said Adrien Gendre, CEO of Vade Secure North America, which just released a report on phishing attempts via spoof emails in the third quarter.

“The biggest reason that banking customers continue to fall for phishing emails is fear," Gendre said. "Hackers have evolved from simple password-reset scams to emails that use fear to compel recipients to act, without scrutinizing the message properly."

For example, an email that states, “Your account has been suspended. Unlock it in the next 24 hours.” A customer clicks on the link and is redirected to a site set up by hackers. Most will remain unsuspecting, since many hackers now build legitimate-looking sites with unique URLs.

On top of that, hackers continue to refine the technical aspects of their phishing emails, Gendre said, "using techniques such as cousin domains, homoglyphs, or attacks that only render their content on mobile devices to take advantage of recipients being distracted or on the go.”

Following is a list of the banks that made Vade Secure's top 10 phishing list in the third quarter, along with insights into how lenders can protect themselves:

BofA is No. 1

Bank of America signage on the door of a branch location in Chicago.

With $2.28 trillion in assets, Bank of America was the most spoofed bank in the third quarter, according to Vade Secure.

Compared to the second quarter, the bank's customers saw a 57.4% increase in fake email attempts by cyberthieves. The good news? The success rate of these particular attacks is low, Gendre said. Still, it works for some.

"In general, 4% of the targets in any given phishing campaign will click it. And the more phishing emails someone has clicked, the more likely they are to do so again," Gendre said. "Therefore, successful cybersecurity strategies must blend technology to block more phishing attacks from reaching the inbox with education to train users how to detect those that do.”

Bank of America did not return requests for comment.

One more thing to worry about

Wells Fargo customers enter and exit a branch

A customer exits a Wells Fargo & Co. bank branch in Los Angeles, California, U.S., on Thursday, April 19, 2018. Wells Fargo & Co.'s financial ties to gunmakers and the National Rifle Association have prompted the American Federation of Teachers to remove the bank from its list of recommended mortgage lenders. Photographer: Patrick T. Fallon/Bloomberg

Patrick T. Fallon/Bloomberg

Wells Fargo customers have had more than their share of bad news given the raft of scandals at the bank. But it also remains a high- priority target for spoofers. The $1.95 trillion-asset institution's customers experienced a 21.5% increase in spoofing attempts in the third quarter, Vade Secure reported.

The bank declined to comment on specific attempts by cybercriminals against its customers, but said it remains on guard against cyberthreats.

"Wells Fargo has a strong team of security professionals dedicated to combating the ever-changing threat of cybercrime, protecting customers’ accounts and information, and ensuring that our online and mobile channels remain operational and available to service our customers’ needs," said a Wells Fargo spokeswoman.

"We encourage customers to be vigilant and take steps to protect themselves using tips found on our Fraud Information Center."

A growing target

A man stands outside a JPMorgan Chase & Co. bank branch in New York, U.S., on Wednesday, April 14, 2010. JPMorgan Chase & Co. said a "broad-based" economic recovery boosted first-quarter earnings 55 percent, surprising analysts with record fixed-income trading revenue and a better-than-expected outlook for consumer credit. Photographer: Jin Lee/Bloomberg

Jin Lee/Bloomberg

Among banks in the top 10 targets for phishers, JPMorgan Chase saw the biggest increase of spoofing attempts from last quarter — a surge of 352%.

There could be any number of reasons Chase caught the attention of cyberthieves, but Vade said an exploit opportunity may have been at issue.

“Most phishing attacks are coordinated by a small number of cybercriminal organizations who pick their target based on profitability," Gendre said. "The increase in Chase spoofing attempts is likely due to the fact that it’s currently more profitable to phish Chase customers. For instance, Chase might not be aware of new phishing pages early enough, giving hackers a bigger window for their attacks.”

JPMorgan declined to comment on the report's findings.

Payments are a natural target

Pedestrians walk past PayPal Holdings Inc. signage outside the company's headquarters in San Jose, California, U.S., on Tuesday, Jan. 24, 2017. PayPal Holdings Inc. is scheduled to release earnings figures on January 26. Photographer: David Paul Morris/Bloomberg

David Paul Morris/Bloomberg

Though not a bank, PayPal was the second-largest target of spoofed email attempts.

That is not a surprise, given the opportunity for an immediate payout and millions in daily transactions.

Among all first, Microsoft was first on the list. Also included were Netflix, Facebook, Orange, DHL and Dropbox.

The best time to go phishing

RESTRICTED: All financial Center images will need to be approved by Wendy Osucha and/or Lucie Fernandez prior to delivery. Signage featured in interior shots may have expiration date, please confirm before use and if expired, signage will need to be blurred/cropped. Any artwork visible in office or common areas are not licensed and will need to be cropped or blurred. Approved for use in Bank of America products promotional material and advertising without additional fees. Expires 4/21/2019. Client: Marrah Thomas

Joel Plotkin

Interestingly, it varies by banks when phishers are most likely to strike. Most attempts by phishers against BofA customers were done on Saturdays and Sundays, while Wells Fargo saw the most attempts on Tuesday and Thursday. For JPMorgan customers, the most spoofing emails were received on Thursdays and Fridays.

Still, Vade's report suggested banks need to be concerned most about the weekends.

"When branches and customer service lines are closed, hackers make it harder for recipients to verify that email and pages are malicious," the report said.

What banks can do

Banks can do more than just educate customers on the dangers of phishing emails and how to detect them.

“The No. 1 thing banks can do to reduce spoofing attempts is to take down phishing pages as quickly as possible," Gendre said.

Hackers specifically target brands that lag behind in removing phishing pages, as the greater window of availability increases the yield of their attacks, he added. "The sooner any business takes down phishing pages targeting their brand, the less hackers will target that brand.”

Old schemes get new life

Vintage phone on green background. Hotline support concept. 3d

Maksym Yemelyanov - Fotolia

Banks can also be alert that phishers aren't just using email. For example, some are reviving some old telephone spoofing scams, according to Krebs on Security.

Voice phishing scams are getting more complex, with hackers calling customers and asking them questions that they would expect from a bank, armed with some valid data and then getting the customer to confirm the rest.

“Email continues to be the primary attack vector for phishing, but we’re seeing phishing links spread across channels — from text messages to messaging apps like Skype and Slack, to file-sharing apps like OneDrive, SharePoint and Box," Gendre said.

"With the rise of SMS and messaging-based phishing, you have to be concerned with [bring your own device]. It’s not enough just to protect your perimeter. You need strong tools and processes to detect and block phishing URLs no matter where your employees try to access them.”