Email Phishing in 2020: Fake Login Pages and Credential Theft a Constant Threat for the Financial Industry

By Ian Baxter
October 9, 2020
in Fraud & Security, Fraud Risk and Analytics, Industry Opinions, Security
In a rare move, the US Financial Industry Regulatory Authority (FINRA) issued a cybersecurity alert earlier this year warning member organizations of “a widespread, ongoing phishing campaign” targeting the financial industry. In the alert, FINRA noted the phishing emails were sent using the domain of “@broker-finra.org,” and made to look like they were sent by Bill Wollman and Josh Drobnyk, two of the organization’s vice presidents. FINRA said the phishing emails included an attached PDF file that contained a link redirecting users to a website prompting members to enter their login credentials.

That last piece is key here – the website (aka fake login page) prompting members to enter their credentials is indicative of a larger trend used by cyberattackers to break through email security defenses.

These pages closely mirror legitimate websites, with logos, formatting and overall templates that range from difficult to impossible to distinguish from the real thing. That also makes them highly effective in their end goal: credential theft.

But just how widespread of a problem are fake login pages? And how at risk is the financial industry as a whole?

Fake Login Pages Bypass Email Security Tools

While fake login pages aren’t new, they are increasingly successful for two main reasons. First, messages linking to fake login pages can now regularly bypass technical controls, such as secure email gateways (SEGs) and spam filters, without much time, money or resources invested by the adversary.

The second reason can be explained by the psychological phenomenon known as inattentional blindness, which occurs when an individual fails to perceive an unexpected change in plain sight.

To further underscore the severity of today’s hacking and phishing challenges, researchers at IRONSCALES spent the first six months of 2020 identifying and analyzing fake login pages. Here’s a summary of what was found:

  • More than 50,000 fake login pages were identified
  • More than 200 of the world’s most prominent brands were spoofed with fake login pages
  • The most common recipients of fake login page emails work in financial services, with PayPal among the top five brands spoofed.

The top spoofed brands include PayPal, Microsoft and eBay. And although PayPal sits atop the list, the greatest risk may derive from the 9,500 Microsoft spoofs, as malicious Office 365, SharePoint and OneDrive login pages put not just people but entire businesses at risk. Further, the FINRA warning cited above was a direct attack aimed at getting users to enter their Microsoft Office or SharePoint password.

In addition to the brands above, several financial services companies also made the list of top fake login pages, including Bank of America, Coinbase, JP Morgan Chase, Stripe, Squarespace, Visa and Wells Fargo, among others.

The Best Way for Financial Services Companies to Stop Fake Login URLs from Reaching Inboxes

Traditional email security tools focus on what is in the email, whether a malicious link or attachment, and they generally do a decent job at preventing those types of messages from getting through to intended victims. Because these defenses are generally stalwart, hackers have had to adapt and change their tactics, using social engineering attacks, which often contain no malicious content that these security systems are built to detect.

Instead, these emails are designed to look like they come from someone or something (like a brand) that you know. Other common variations of these attacks impersonate someone else the recipient knows – a colleague, boss, friend or family member. Again, this is found in the FINRA warning earlier this year which spoofed two well-known figures in the organization.

To protect employees, a new technology is emerging to prevent these attacks – Natural Language Processing (NLP). It works like this: an email is sent and gets through the first stage of security because it has no link and no malicious content. NLP then analyzes the actual language of the email, looking for suspicious patterns such as availability checks (“are you available?” messages that open a conversation) or financial requests. Companies that rely only on traditional indicators of compromise (IOCs), such as malicious links or attachments, will not identify these attacks in real time.
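To make that mechanism concrete, here is an added, deliberately simplified example of the kind of sender-and-language analysis described above. It is not IRONSCALES’ code or any vendor’s product: the protected-domain list, the known-sender directory, the phrase lists, the weights, the threshold and the three sample messages are all constructed for the illustration. It scores a message on what it says and who it claims to be from, so a note with no link and no attachment can still be flagged, and it also catches the lookalike-domain pattern from the FINRA alert (a brand name embedded in a domain that is not the brand’s own).

```python
"""Rule-based scorer for social-engineering emails that carry no malicious payload.

Added illustration of language-plus-sender analysis; a stand-in for the NLP
approach the article describes, not any vendor's implementation. Every list,
weight and sample message here is constructed for the example.
"""
import re
from email.utils import parseaddr
from typing import Optional

# Domains the organisation treats as legitimate senders (constructed list).
PROTECTED_DOMAINS = {"finra.org", "example-bank.com"}

# Known people and the domain their mail should come from (constructed directory).
KNOWN_PEOPLE = {"jane doe": "example-bank.com"}

# Phrase patterns grouped by the social-engineering intent they signal,
# each with the weight it adds to the message score (constructed values).
SIGNALS = {
    "availability_check": (2, re.compile(
        r"\b(are you (available|at your desk|free)|quick (favou?r|task)|"
        r"let me know when you('re| are) in)\b", re.I)),
    "financial_request": (3, re.compile(
        r"\b(wire transfer|gift cards?|pay(ment)? (details|request)|"
        r"invoice|routing number)\b", re.I)),
    "credential_request": (3, re.compile(
        r"\b(login credentials|enter your (password|credentials)|"
        r"verify your (account|identity)|sign in to (view|access))\b", re.I)),
    "urgency": (1, re.compile(
        r"\b(urgent(ly)?|immediately|asap|within (the hour|24 hours)|"
        r"account will be (locked|suspended))\b", re.I)),
}
THRESHOLD = 4  # scores at or above this go to human review (chosen for the example)


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the From: address, or '' if there is none."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_domain(domain: str) -> Optional[str]:
    """Return the protected domain a sender domain imitates, or None.

    'broker-finra.org' is neither 'finra.org' nor a subdomain of it, yet its
    label contains the brand token 'finra'; that is the pattern flagged here.
    """
    if not domain:
        return None
    for protected in PROTECTED_DOMAINS:
        if domain == protected or domain.endswith("." + protected):
            return None  # genuinely the protected domain (or a subdomain of it)
    for protected in PROTECTED_DOMAINS:
        brand = protected.split(".")[0]
        if brand in domain:
            return protected
    return None


def score_email(msg: dict) -> dict:
    """Score a message (dict with 'from', 'subject', 'body') and list the signals that fired."""
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    hits = {}
    score = 0
    for name, (weight, pattern) in SIGNALS.items():
        if pattern.search(text):
            hits[name] = weight
            score += weight
    domain = sender_domain(msg.get("from", ""))
    if lookalike_domain(domain):
        hits["lookalike_domain"] = 3
        score += 3
    display_name, _ = parseaddr(msg.get("from", ""))
    expected = KNOWN_PEOPLE.get(display_name.strip().lower())
    if expected and domain != expected:
        hits["display_name_impersonation"] = 3  # known name, wrong domain
        score += 3
    verdict = "review" if score >= THRESHOLD else "clean"
    return {"score": score, "signals": hits, "verdict": verdict}


# Constructed sample messages: a lookalike-domain credential lure, a link-free
# "are you available?" impersonation, and an ordinary internal note.
PHISH_LOOKALIKE = {
    "from": "Regulatory Notices <notices@broker-finra.org>",
    "subject": "Action required: compliance notice",
    "body": "Please review the attached PDF and enter your login credentials "
            "to view the notice. This must be completed immediately.",
}
BEC_NO_LINK = {
    "from": "Jane Doe <jane.doe@freemail.example>",
    "subject": "Quick question",
    "body": "Are you available? I need a quick favor and will be in meetings all day.",
}
BENIGN = {
    "from": "Jane Doe <jane.doe@example-bank.com>",
    "subject": "Slides",
    "body": "Attached are the slides from this morning's call. Lunch on Thursday?",
}

if __name__ == "__main__":
    for sample in (PHISH_LOOKALIKE, BEC_NO_LINK, BENIGN):
        print(sample["subject"], "->", score_email(sample))
```

The second sample is the case the paragraph is about: no link, no attachment, no indicator of compromise to match, yet the combination of a known colleague’s name on an outside domain and an opening availability check is enough to route it to review. A production system would replace the phrase lists with a trained language model and the two small dictionaries with directory and DNS data, but the shape of the decision is the same.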

Fake login pages spread by social engineering tactics are a big risk for financial services companies. A recent report from IBM and the Ponemon Institute found that the average cost of a data breach in 2020 is $3.86 million, not to mention the reputational damage and lost customers as a result. While new technology is beginning to help defenders mitigate threats, there is a long way to go before the most commonly deployed email security and anti-phishing tools completely remediate the threat of fake login pages.

Tags: eBay, IRONSCALES, Microsoft, PayPal, phishing attacks