When criminals impersonate a financial institution’s websites or applications to defraud customers or obtain their credentials, they often target large brands like Chase or Bank of America, but a recent study shows that one in five smaller financial institutions may also be the subjects of impersonation.
That is according to
During the study period, the company detected 164 impersonation attacks against the 864 brands it monitored. Allure detected these attacks by monitoring websites — particularly newly launched and deceptively named sites — for signs that they were mimicking legitimate websites of the regional and community banks and credit unions.
“This volume of attacks proves that scammers have regional banks and credit unions in their crosshairs and these institutions can’t afford to consider themselves undeserving of scammers’ attention,” the report from Allure states.
The National Credit Union Administration lists roughly 3,100 credit unions having $150 billion or less in assets, and the Federal Deposit Insurance Corp. lists 4,800 insured institutions of that size. Allure said it randomly selected a representative sample from the combined group for the study.
The NCUA advises credit unions and their members that one common indicator of a phishing attack that involves a fake website is a spoofed hyperlink that has a subtle difference from the legitimate URL of a credit union or bank website — for example, with an “O” replaced with a “0”, or a capital “i” with a lowercase “L.”
Companies that sell domain names, such as GoDaddy and NameCheap, can unknowingly host fraudulent websites involved in impersonation attacks, so they often have a process for remediating such abuse. GoDaddy, for example, provides
However, fraudsters have many options for buying domain names online, and some of those options make it easy for them to do their work. That is according to Spamhaus, an international organization that tracks email spammers and spam-related activity.
“Some registrars have been directly owned and operated by abusers, while others simply do not do enough to stop or limit bad guys' access to an unlimited supply of domains,” reads
In some cases, financial institutions can go over these registrars’ heads to the Internet Corporation for Assigned Names and Numbers, which coordinates many domain name systems and registries across the world.
ICANN has two channels for resolving cases involving a website impersonating a brand, including its
Financial institutions can use software to scan the web for impersonations of their brand to more quickly neutralize them, but according to Allure, fraudsters sometimes use variations on bank and credit union URLs that are more difficult to automatically detect because they are not a look-alike of the legitimate URL.
A recent campaign targeting Quickbooks users claimed customers had their accounts suspended because of problems verifying their business information. It’s the latest example of scams that slither through multiple lines of defense.
The company said that 69% of impersonation attacks in the study used a URL that did not constitute a look-alike, such as generic addresses that misleadingly include “secure” in the name. According to Josh Shaul, CEO of Allure Security, these URLs that do not look anything like the mimicked bank’s real address, or don’t include the bank’s name, still work at a rate comparable to look-alike addresses.
“In the past, most of these scams were delivered by email,” Shaul said. “Today, these attacks are more often distributed by text message, so you get an SMS (text message) that says there’s fraud on your account, and the link they give you is always a URL shortener link — a bit.ly address or t.co.” The normalization of shortened URLs, Shaul said, can hide the actual web address being used.
Spokane Teachers Credit Union in Washington recently warned its members about a “sharp increase” in scammers trying to trick consumers with text-message-based attacks, some using these URL shortening tactics.
“While many banks and credit unions communicate with their members and customers via text and email, there often are tipoffs that a communication is inauthentic,” the credit union said in a statement to members. “Consumers are cautioned to avoid unfamiliar web addresses, and beware of illogical word choices, or misspelled words.”
Impersonation attacks often create a sense of urgency and importance by, for example, claiming the target needs to reset their password or claiming that their account has had suspicious activity — two tactics used in phishing texts sent to Spokane Teachers Credit Union members this March.
“Most of all: remember that your financial institution will never contact you asking for sensitive information,” the credit union said. “If you already have an account, then your financial institution knows your account number.”
According to Christopher Schnieper, senior director of fraud and identity at LexisNexis Risk Solutions, this type of communication with members is exactly what credit unions and banks need to do to mitigate their fraud and phishing risks.
Schnieper said banks need to remind their customers: “We're not going to call you for your password. We're not going to send you links in a text message. If somebody asks you for a one-time password, but you didn’t try to log in or call to request one, don’t give it to anybody.”
One important tip that financial institutions can share with their customers comes from the NCUA: Whenever a customer is unsure whether an email or text message request is legitimate, “try to verify it by contacting the entity directly, by another means, such as the phone.”