What bankers can learn from recent phishing attacks


A recent phishing campaign attempted to lure Intuit users into providing their account credentials to scammers with a claim that their Quickbooks account was suspended.

The email featured Intuit branding and a prominent button asking users to “Complete Verification” to have their account status reviewed. Impersonating Intuit, the scammers said in the email they were “unable to verify some information” on the user’s account.

So far this year, Intuit has released five security notices to customers regarding phishing campaigns, including about the most recent attack. The episodes highlight some of the shortcomings of common anti-phishing measures and the need for financial institutions to educate users about avoiding attacks.

Phishing remains by far the most common type of internet crime, according to a March report from the FBI, netting 320,000 victims last year and $44 million in losses. The second most common crime, which hit 82,000 victims, involves people not getting paid for goods or services provided or not receiving goods or services for which they paid.

Technical remedies to some aspects of phishing exist, including the email authentication standards DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). When implemented, these standards let receiving mail servers detect messages that spoof a sender's domain. A spokeswoman for Intuit said the company uses all three on all its domains and subdomains.

However, these technical remedies have their own weaknesses and do nothing about legitimate-looking email addresses on domains the impersonated company does not own. For example, two phishing campaigns in April came from a domain name that includes the word Intuit, intuit-solution.com, which is now on many anti-spam blocklists. Although Intuit has implemented anti-spoofing standards, those efforts do not affect domains it does not control.

Indeed, Intuit does not own or control intuit-solution.com, according to a company spokeswoman.
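The gap described above, as an added illustration that is not part of the original article or of any vendor's product: a receiving-side triage check that reads the DMARC verdict a mail server records in the Authentication-Results header, and separately flags lookalike domains that carry the brand name but are not owned by the company. The owned-domain list, brand token and the three sample messages are constructed for this example.

```python
import email
import re
from email.utils import parseaddr

# Assumed for the example: domains the organisation actually controls,
# and the brand token a lookalike domain would carry.
OWNED_DOMAINS = {"intuit.com"}
BRAND_TOKENS = ("intuit",)

def from_domain(msg):
    """Domain of the visible From: address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def dmarc_result(msg):
    """DMARC verdict from Authentication-Results, or 'none' if absent."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", str(hdr))
        if m:
            return m.group(1).lower()
    return "none"

def is_owned(dom):
    return any(dom == d or dom.endswith("." + d) for d in OWNED_DOMAINS)

def classify(raw):
    msg = email.message_from_string(raw)
    dom = from_domain(msg)
    if is_owned(dom):
        # Spoofed headers on an owned domain are what DMARC catches.
        return "authentic" if dmarc_result(msg) == "pass" else "spoofed-or-unverified"
    if any(tok in dom for tok in BRAND_TOKENS):
        # Attacker-owned domain: DMARC may pass, so the brand token is the signal.
        return "lookalike"
    return "third-party"

# Constructed sample messages (headers only matter here).
AUTHENTIC = ("From: Intuit <no-reply@notifications.intuit.com>\n"
             "Authentication-Results: mx.example.net; dmarc=pass header.from=intuit.com\n\nbody\n")
SPOOFED = ("From: Intuit Support <support@intuit.com>\n"
           "Authentication-Results: mx.example.net; dmarc=fail header.from=intuit.com\n\nbody\n")
LOOKALIKE = ("From: Intuit Support <verify@intuit-solution.com>\n"
             "Authentication-Results: mx.example.net; dmarc=pass header.from=intuit-solution.com\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("authentic", AUTHENTIC), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, "->", classify(raw))
```

Note that the lookalike message passes DMARC, because the attacker controls intuit-solution.com and can publish valid records for it; that is why authentication alone cannot close this gap.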

Intuit, like many other companies, lets customers verify that an email or other message is legitimate by signing into their Intuit account and viewing their account activity to check what emails Intuit has sent them.

Erich Kron, security awareness advocate at the security training company KnowBe4, said customers ought to use this method to verify the legitimacy of emails that ask for personal information or credentials or evoke a sense of urgency.

“Whenever a person receives a phone call, text message or email that has such an urgent message, people should log into the associated website directly rather than following the provided link,” Kron said. “If there is a problem with the account or application, it will be noted in the user’s dashboard.”

For consumers and businesses looking to fight back against phishing attacks, multiple lines of defense exist. In cases where a person has divulged credentials to a phisher, multifactor authentication can provide a safety net. In cases where a person has downloaded an attachment from a phishing email, antivirus software can help. Intuit recommends using both strategies.

Companies also provide email defense services that are designed to prevent phishing and other scam emails from making it to potential victim inboxes in the first place. These companies include SpamTitan, Proofpoint, Avanan, and larger firms including Microsoft and Cisco.

While email providers such as Google and Yahoo provide spam filtering and phishing reporting as part of their standard services, email defense companies differentiate themselves by focusing specifically on phishing, using a range of detection techniques.

One email defense company, Cloudflare Area 1 Security, crawls billions of web pages each month, which the company says helps it detect email campaigns impersonating legitimate branding and login pages.

Even as computers learn to read, write, see and even draw, teaching a computer to read and detect phishing emails remains difficult. According to John Graham-Cumming, chief technology officer at Cloudflare, this is because of a limitation of machine learning.

“The difference here is you have an active adversary who is changing the landscape,” Graham-Cumming said. “That is what makes this much more complicated. You have an adversary who is actively changing what they do, and quite often testing against your system to see how they can break it.”

MORE FROM AMERICAN BANKER