Impostor Email Attacks Targeting Financial Services Firms

Socially engineered attacks target people within financial services organizations who can execute requests on the attacker’s behalf.

Email attacks. (Source: Shutterstock)

Quarterly impostor email attacks aimed at financial services organizations increased more than 60% year-over-year, and cybercriminals continue to primarily target people, not infrastructure, with advanced and highly targeted assaults.

Those were among the findings Sunnyvale, Calif.-based cybersecurity and compliance company Proofpoint revealed in its “Email Fraud in Financial Services Report” for the fourth quarter of 2018.

Proofpoint said it analyzes more than 5 billion email messages, hundreds of millions of social media posts and more than 250 million malware samples daily to protect organizations around the world from advanced threats. For this study, it analyzed a subset of more than 160 billion emails sent across 150 countries in 2017 and 2018, focusing on email fraud attacks targeting more than 100 financial services organizations.

Proofpoint explained email fraud is a broad category that includes business email compromise, a form of wire fraud, and other threats in which the attacker uses some form of identity deception to manipulate an individual. These socially engineered attacks target specific people within financial services organizations who can execute requests on the attacker’s behalf.

“While email fraud is not unique to financial services organizations, this industry’s employees hold the keys to one of the most potentially lucrative paydays for cybercriminals. One wrong click can expose an entire brand and its customers to substantial risk and even bigger losses,” Ryan Kalember, executive vice president of Cybersecurity Strategy for Proofpoint, said. “It is critical that organizations prioritize the implementation of solutions that defend against these attack methods, specifically against domain spoofing, display name spoofing, and look-alike domains, and train employees to identify and report socially-engineered attacks across email, social media, and the web.”
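The three impersonation methods Kalember names (domain spoofing, display name spoofing and look-alike domains) can be triaged at the mail gateway by comparing an inbound From: header against the organization's own list of trusted partner domains and known senders. The following classifier is an added example, not code from Proofpoint or the report; the trusted domains, display names and sample headers are constructed for illustration.

```python
# Added example: triage an inbound From: header against a constructed allowlist,
# labelling the impersonation methods named in the article. Not Proofpoint code.
from email.utils import parseaddr

# Constructed allowlist; a real deployment would load this from configuration.
TRUSTED_DOMAINS = {"examplebank.com", "partner-firm.com"}
TRUSTED_DISPLAY_NAMES = {"jane doe", "accounts payable"}
# Common character substitutions used in look-alike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(domain):
    """Fold look-alike substitutions so 'examp1ebank.c0m' compares equal to the real domain."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance_le1(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # Skip the extra character in the longer string, or both on a substitution.
        i, j = (i + 1, j) if len(a) > len(b) else (i, j + 1) if len(b) > len(a) else (i + 1, j + 1)
    return edits + (len(a) - i) + (len(b) - j) <= 1


def classify_sender(from_header):
    """Return 'trusted', 'look-alike-domain', 'display-name-spoof' or 'external'."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return "trusted"  # exact-domain spoofing is left to SPF/DKIM/DMARC checks
    for good in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(good) or edit_distance_le1(domain, good):
            return "look-alike-domain"
    if name.strip().lower() in TRUSTED_DISPLAY_NAMES:
        return "display-name-spoof"  # known name, untrusted domain
    return "external"
```

A message that passes as "trusted" still needs sender authentication (SPF, DKIM, DMARC) to catch exact-domain spoofing, which this header comparison cannot detect.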

Proofpoint’s key findings for the fourth quarter of 2018 also included that, within targeted financial services firms, 56% saw more than five employees targeted by BEC attacks. The study also found the largest volume of email fraud attacks targeting financial services companies arrived on weekdays between 7 a.m. and 2 p.m. in the target’s time zone, with Monday the day favored by fraudsters. “Impostor attacks are socially engineered to be believable. A business partner, for example, is less likely to make a payment request after work hours or during a weekend,” the report confirmed.

Email fraudsters use a variety of techniques, often in tandem, to pose as someone the victim trusts or does business with. Proofpoint revealed the most common:

Proofpoint said effective security against these types of socially engineered attacks requires a people-centric approach, including robust email defenses and inbound threat blocking capabilities, combined with cybersecurity awareness programs that train users to spot and report malicious emails. “Businesses must assume that someone within their organization will always click and craft a security strategy that caters to their most attacked and vulnerable individuals and also protects against both internal and external impersonation attacks.”