Why does phishing matter in financial services? At a minimum, it is a hassle. When customers click on fraudulent links that purport to come from your company, they can easily become confused or upset.
That leads to calls to your customer support line, tying up resources in the process. If customers become fraud victims through a website that matches your branding, your reputation suffers, and you might face legal liability or at least the threat of it. There can also be costs for remediating credit damage, buying identity protection insurance for phishing victims, and so forth.
Our recent
Phishing is a type of cyberattack that tricks email recipients into clicking on harmful URLs. The URLs might plant malware on the user's device or lead to a fraudulent form that deceives them into sharing confidential information. In financial services, a phishing attack might trick a victim into disclosing personally identifiable information, which the phisher then uses to steal the victim's identity. In the case of PayPal, harvested credentials offer an immediate financial payoff through the funds in those accounts.
To work, a phishing email must achieve two things. First, the email itself has to look as if it came from the financial services firm. Second, the URL in the phishing email must lead to a website that looks exactly like the brand it imitates. Unfortunately, this is easier than one might imagine. Using a technique called "spoofing," experienced attackers forge sender addresses and register lookalike domains, and they clone banking websites nearly pixel for pixel.
You can check out some examples of phishers' spoofing handiwork at
There are many variants on this technique, such as using .co instead of .com or adding a letter that escapes the notice of busy email recipients. If you were in a hurry, would you notice that an email from someone at paypal.co wasn't really from the company? Many people miss details like that, especially when reading email on mobile devices whose mail clients show only the sender's display name and not the full address.
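The checks below turn the lookalike tricks just described into a small classifier for sender domains: a swapped TLD (paypal.co), one letter added or changed (paypall.com), confusable characters (paypa1.com) and the brand name buried inside a subdomain of an attacker's domain (paypal.com.secure-login.net). This is an added example, not code from the original post or from any vendor's product; the protected brand list, the homoglyph table and the sample addresses are constructed for illustration, and the domain splitting is deliberately naive (the last label is treated as the TLD, so multi-part suffixes such as .co.uk are not handled).

```python
"""Flag lookalike sender domains (TLD swaps, extra or swapped letters,
homoglyphs, brand names buried in a subdomain).

Added example, not code from the original post.  PROTECTED_DOMAINS, the
HOMOGLYPHS table and the addresses in demo() are constructed for
illustration; a deployment would load the firm's real domains.  The
registrable label is taken naively as everything before the last dot,
so multi-part public suffixes such as .co.uk are not handled.
"""

PROTECTED_DOMAINS = ("paypal.com", "bankofamerica.com", "chase.com")

# Substitutions a hurried reader on a phone is unlikely to notice
# (constructed, not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def split_domain(domain):
    """'paypal.co' -> ('paypal', 'co'); the last label is treated as the TLD."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def normalize_homoglyphs(label):
    """Replace each confusable sequence with the letter it imitates."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, protected=PROTECTED_DOMAINS):
    """Return (verdict, reason) for the domain part of an email address.

    verdict is 'legitimate', 'lookalike' or 'unknown'.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in protected:
        return "legitimate", "exact match"
    label, tld = split_domain(domain)
    for good in protected:
        glabel, gtld = split_domain(good)
        # mail.paypal.com is a real subdomain of the brand.
        if domain.endswith("." + good):
            return "legitimate", f"subdomain of {good}"
        # paypal.com.secure-login.net puts the brand in a subdomain of
        # an attacker-controlled registrable domain.
        if "." + good + "." in "." + domain + ".":
            return "lookalike", f"{good} embedded as a subdomain"
        # paypal.co: same label, different TLD.
        if label == glabel and tld != gtld:
            return "lookalike", f"TLD swap of {good}"
        # paypa1.com: confusable characters standing in for real ones.
        if label != glabel and normalize_homoglyphs(label) == glabel:
            return "lookalike", f"homoglyph of {good}"
        # paypall.com: one letter added, dropped or changed.
        if edit_distance(label, glabel) == 1:
            return "lookalike", f"one-character edit of {good}"
    return "unknown", "no resemblance to protected brands"


def demo():
    """Run the classifier over constructed sample senders."""
    samples = [
        "service@paypal.com",
        "noreply@mail.paypal.com",
        "service@paypal.co",
        "alerts@paypall.com",
        "alerts@paypa1.com",
        "login@paypal.com.secure-login.net",
        "friend@example.com",
    ]
    return {s: classify_sender(s) for s in samples}


if __name__ == "__main__":
    for sender, (verdict, reason) in demo().items():
        print(f"{verdict:10} {sender:40} {reason}")
```

Two caveats for anyone adapting this: an edit distance of one will also flag unrelated domains that happen to sit one letter away from a short brand name, so in practice the threshold should scale with the brand's length or be paired with an allowlist, and the "from" address is only one signal, since the display name, the reply-to header and the link targets in the body are spoofed just as often.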
Phishing that targets social networks can also affect the security posture of financial firms. Facebook, for example, was among the top 10 most spoofed URLs on our third-quarter list. It dropped from No. 3 to No. 6 since the second quarter, but it remains a popular target, for good reason: phishers who spoof social media sites learn personal details about their victims. With that data, they can come back and conduct a "spear phishing" attack that singles out the victim by name. A spear phisher might write a personal-sounding email, pretending to be a friend or relative who needs funds, for instance.
This quarter, we added something new to Phishers’ Favorites, analyzing the day of week for each phishing URL. We found that overall, Tuesday and Thursday are the two most common days for phishing attacks, followed by Wednesday, Monday and Friday. From there, activity trails off significantly on Saturday and Sunday.
The one major exception to this pattern is Bank of America, for which Saturday and Sunday are the two most popular days for phishing attacks. One possible explanation is that attackers are trying to take advantage of bank branches and customer service lines being closed, which makes it harder for customers to verify whether an email or page is malicious.
While this sounds plausible, the theory does not hold across all the banks on our list. For instance, Tuesday and Thursday are the biggest days for Wells Fargo phishing, while Thursday and Friday are the top days for Chase phishing.
Phishing is a serious problem in the financial services world. Fortunately, predictive email security solutions can detect these advanced threats, and training and increased awareness among financial services employees and customers also help mitigate the risk of phishing attacks.