Banks combat rising threat of fake websites

Banks use blacklists, web beacons and the .bank domain to protect themselves from the use of websites that look legit but only exist to steal usernames and passwords.

Continued attempts by fraudsters to create fake banking websites and lure consumers in via phishing emails have heightened the need for banks to protect their website domains and networks.

Because fake bank websites come and go, sometimes in less than an hour before being exposed, it is hard to determine exactly how many of these traps are being set for unsuspecting consumers.

Credit Agricole, based in Paris, heads a list of most-impersonated brands with 17,755 unique phishing URLs. Such fake links are the mechanism by which fraudsters lure consumers into sites to provide personal and payment credentials.

Other financial services providers listed in Vade’s newly released worldwide phishing brands report for the first half of 2021 include La Banque Postale, also in Paris, with 7,180 phishing URLs; PayPal Holdings in San Jose, California, with 2,601; JPMorgan Chase in New York with 2,537; Wells Fargo in San Francisco with 1,564; and Square, also in San Francisco, with 786.

"The attackers tend to set up many URLs for phishing attacks, and as they age they'll pivot the ones that have been more successful in phishing attacks into websites for credential harvesting," said Drew Schiff, director of engagement services for fTLD Registry Services, a Washington-based firm that maintains the .bank domain for cybersecurity protection.

In that manner, a heavy flow of phishing URLs could result in a flood of fake websites.

"I should think the number of fake bank websites is in the hundreds of thousands," said Tari Schreider, senior analyst with Aite-Novarica Group. "A fake bank website quickly gets caught by many blacklisting sites, including email providers and managed security service providers, with notifications pushed out to everyone’s anti-malware software."

Still, one bad URL can cause a lot of damage in an hour, Schreider said. "First, clicking the link could activate a malicious software payload on a user," he said. "Or once the connection is made, a victim is duped into calling a fake phone number, where the fraud continues."

To counter the problem, fTLD provides a distinct domain, similar to .gov for government entities or .edu for universities and school districts, to assure consumers they are viewing legitimate websites. Its .bank domain currently is used by 675 banks for enhanced security against cyberattacks.

"We certainly hear from banks that they’ve found spoofed versions of their websites set up to harvest login credentials from their customers," Schiff said. "It's not an uncommon reason for banks to explore a move to .bank."

In the most common type of attack involving a fake URL, the consumer is tricked into entering credentials on the fake page, shown an error message (such as “invalid email address” or “invalid password”), and then passed to the real bank site. The customer assumes they simply had a typo in their password, so they re-enter username and password — this time on the real bank site.

"They are then allowed in as they normally would be, but in the meantime, the bad actor has harvested their email address and bank password on the first attempt," Schiff said.

Some banks deploy web-beacon technology to identify and take down phishing websites carrying the bank's name. If a threat actor unknowingly snares the web beacon — a small piece of code — while lifting material from a real site to use on a phishing site, the bank’s software can identify that the web beacon is being run on an invalid hosting domain. An alert is sent to the bank so it can take down the phishing website almost immediately.
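The beacon mechanism described above can be illustrated with a small script of the kind a bank might embed in its own pages. The code below is an added example, not TD Bank's or any vendor's beacon: the bank domains, the reporting endpoint and the alert format are constructed placeholders. The idea is that when the page's HTML is copied wholesale onto a phishing host, the script runs there too, notices that the hostname is not one the bank serves, and reports the rogue host back to the bank.

```javascript
// Added example of a defensive "web beacon": verifies that the page it runs on
// is hosted under the bank's own domains and otherwise reports the foreign host.
// All domain names and the report endpoint are assumptions for illustration.

// Hostnames the bank legitimately serves this page from (constructed).
const LEGITIMATE_HOSTS = ["examplebank.bank", "online.examplebank.bank"];

// Endpoint the beacon reports to (constructed placeholder, not a real service).
const REPORT_URL = "https://alerts.examplebank.bank/beacon";

// Normalise a hostname: lower-case, drop a port suffix and a trailing dot.
function normaliseHost(host) {
  return String(host).toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// True when host is exactly a legitimate host or a subdomain of one.
// Suffix matching is done on a label boundary, so "evilexamplebank.bank"
// and "examplebank.bank.phish.example" are both rejected.
function isLegitimateHost(host, allowed = LEGITIMATE_HOSTS) {
  const h = normaliseHost(host);
  return allowed.some((a) => {
    const legit = normaliseHost(a);
    return h === legit || h.endsWith("." + legit);
  });
}

// Build the alert the beacon sends when it finds itself on a foreign host.
// Only page metadata is reported; nothing the visitor typed is collected.
function buildAlert(pageLocation, referrer, now = new Date()) {
  return {
    kind: "cloned-page-beacon",
    host: normaliseHost(pageLocation.hostname),
    path: pageLocation.pathname,
    referrer: referrer || null,
    observedAt: now.toISOString(),
  };
}

// Evaluate a page location: returns the alert to send, or null when the
// page is being served from a legitimate bank host.
function evaluatePage(pageLocation, referrer, allowed = LEGITIMATE_HOSTS) {
  if (isLegitimateHost(pageLocation.hostname, allowed)) return null;
  return buildAlert(pageLocation, referrer);
}

// Send the alert without blocking the page. navigator.sendBeacon is the
// browser's fire-and-forget reporting API; fall back to fetch with keepalive.
// Returns true when a send was attempted.
function sendAlert(alert, nav = globalThis.navigator) {
  const body = JSON.stringify(alert);
  if (nav && typeof nav.sendBeacon === "function") {
    return nav.sendBeacon(REPORT_URL, body);
  }
  if (typeof fetch === "function") {
    fetch(REPORT_URL, { method: "POST", body, keepalive: true }).catch(() => {});
    return true;
  }
  return false;
}

// Browser entry point: runs once on page load. Outside a browser (no window)
// nothing runs, so the functions can be exercised directly.
if (typeof window !== "undefined" && window.location) {
  const alert = evaluatePage(window.location, document.referrer);
  if (alert) sendAlert(alert);
}

// Offline demonstration with a constructed phishing host and a legitimate one.
function demo() {
  const cloned = evaluatePage(
    { hostname: "examplebank-secure-login.example", pathname: "/login" },
    ""
  );
  const genuine = evaluatePage(
    { hostname: "online.examplebank.bank", pathname: "/login" },
    ""
  );
  return { clonedHost: cloned ? cloned.host : null, genuineIsClean: genuine === null };
}
```

On the real site the host check passes and the script is silent; on a lifted copy the alert reaches the bank's endpoint, which is what lets a takedown start while the phishing page is still fresh. Because attackers can strip the script once they know about it, the beacon complements rather than replaces blacklists and the .bank domain.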

"Protecting our customers' privacy and maintaining their trust is a fundamental priority at TD Bank," said Claudette McGowan, global executive officer for cybersecurity at Toronto-based TD Bank, where web beacons provide a key security layer.

"Our always-on approach to cybersecurity has become increasingly critical, and web beacons help us detect phishing in near real-time, reducing the likelihood of customers being exposed to fake websites," McGowan said.

However, such efforts haven’t scared off many bad actors, who often count on sheer volume alone to penetrate defenses.

In June 2020, tens of thousands of Wells Fargo customers were sent calendar invites, seemingly from a Wells Fargo security team, in an attempt to lure them into a fake Wells Fargo site where they were asked to input online banking credentials to help fix a technical glitch.

In January of 2021, security teams discovered a Citibank phishing website that used a convincing domain name and a lock icon near the address, providing a false sense of security for customers who landed on the page. Online banking users tend to believe the lock icon lends authenticity to a page, but it generally only indicates that submitted data is encrypted in transit, not that the site belongs to the bank, according to BleepingComputer.com.

The Federal Financial Institutions Examination Council and the Payment Card Industry Security Standards Council are among the regulatory and industry entities that have sought to address the issue.

Last year, the FFIEC sent a bulletin to financial institutions reminding them the "primary method of ransomware infection is through the use of deceptive e-mails or malicious websites that imitate legitimate organizations or communications."
