Phishing campaign mimics secure banking messages

Barracuda has warned of a new phishing campaign impersonating banks, including Bank of America and TD Commercial Banking. The phishing emails claim to be secure bank messages and ask recipients either to download documents directly or to log in to a portal and download documents using an authorization code.

The bogus emails use classic phishing techniques, such as brand logos and legitimate-looking confidentiality statements in the footer, to trick unsuspecting users. There are tells, however: recipients are not addressed by name, and the messages rely on the mail client showing only the sender’s display name rather than the full address, which keeps the lookalike sending domain out of sight.

According to Barracuda, the attachments contain “malicious script that will rewrite the files in the users’ directory on Windows machines once the victim opens the document.” Once the script is on the machine, the criminals “have access and can update the script at a later date to something more malicious such as a form of ransomware or any threat that the attackers want to use at that time.”

In a blog post, Barracuda wrote:

Ultimately, criminals are registering domains that appear like a legitimate bank domain, and they go unnoticed because recipients either don’t know what to look out for or because most email clients only show the sender’s name and not the full domain. Criminals use this tactic to entice recipients into opening and acting on emails, but it can be easily spotted by trained users. Sadly, these threats are exploiting the trust between banks and their customers.

It continued:

Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training. Always check the domains on emails asking for things from you, including clicking and inputting information.

This follows a recent report that found that 90–95% of all successful cyber attacks around the world begin with a phishing email. Organizations in the financial industry are considered attractive targets for cyber criminals because of the volume of personal data that they hold. With phishing attacks increasing in both volume and sophistication, it is essential to provide employees with sufficient training.
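The two tells Barracuda describes, a mail client that shows only the display name and a sending domain registered to resemble the bank’s, can be checked mechanically before a user ever sees the message. The following Python is an added example written for this page, not Barracuda’s code or tooling: it parses a From: header, checks the sending domain against an allowlist of genuine bank domains, flags domains that embed or typosquat a bank’s name (including common homoglyph swaps such as “rn” for “m”), and flags display names that claim a bank the address does not belong to. The allowlist, the homoglyph table and the sample headers are constructed assumptions for illustration.

```python
"""Classify the From: header of a message against a small allowlist of genuine
bank sending domains, flagging lookalike domains and display names that claim
a bank the address does not belong to.

Added example for this page; not Barracuda's tooling. The allowlist, the
homoglyph table and the sample headers below are constructed assumptions.
"""
import re
from email.utils import parseaddr

# Assumed allowlist: genuine sending domain -> brand word used in display names.
KNOWN_BANK_DOMAINS = {
    "bankofamerica.com": "Bank of America",
    "td.com": "TD",
}

# Character swaps commonly used when registering lookalike domains (assumed set).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label: str) -> str:
    """Undo the swaps in HOMOGLYPHS so 'bankofarnerica' reads 'bankofamerica'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Domain part of an addr-spec, or '' when there is no '@' to split on."""
    _, at, domain = addr.rpartition("@")
    return domain.lower().strip(". ") if at else ""


def is_known(domain: str) -> bool:
    """Exact match or subdomain of an allowlisted domain (mail.td.com is fine)."""
    return any(domain == good or domain.endswith("." + good) for good in KNOWN_BANK_DOMAINS)


def resembles(domain: str, good: str) -> bool:
    """True when a non-TLD label of `domain`, after normalisation and splitting
    on hyphens, matches the brand label of `good` exactly or within a small edit
    distance. Short brand labels such as 'td' must match a whole token exactly."""
    brand = good.split(".")[0]
    max_edits = 0 if len(brand) < 5 else (1 if len(brand) < 9 else 2)
    for label in domain.split(".")[:-1]:
        norm = normalize(label)
        if len(brand) >= 5 and brand in norm:      # e.g. bankofamerica-secure.com
            return True
        for token in re.split(r"[-_]", norm):
            if token and levenshtein(token, brand) <= max_edits:
                return True
    return False


def classify_sender(from_header: str) -> str:
    """Return one of: known, lookalike, brand-mismatch, unknown, no-address."""
    name, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    if not domain:
        return "no-address"          # unparseable or no addr-spec: treat as suspicious
    if is_known(domain):
        return "known"
    if any(resembles(domain, good) for good in KNOWN_BANK_DOMAINS):
        return "lookalike"
    # The display name claims a bank (or quotes its real domain) while the
    # address belongs somewhere else entirely: exactly what a client that shows
    # only the sender's name hides from the recipient.
    lname = name.lower()
    for good, brand in KNOWN_BANK_DOMAINS.items():
        if good in lname or re.search(r"\b" + re.escape(brand.lower()) + r"\b", lname):
            return "brand-mismatch"
    return "unknown"


# Constructed sample headers in the style of the campaign described above.
SAMPLE_FROM_HEADERS = [
    "Bank of America <alerts@bankofamerica.com>",
    "alerts@mail.bankofamerica.com",
    "Bank of America <secure-docs@bankofamerica-secure.com>",
    "Secure Message Center <noreply@bankofarnerica.com>",
    "TD Commercial Banking <documents@td-commercial-banking.com>",
    "TD Commercial Banking <billing@secure-mailer.net>",
    '"alerts@bankofamerica.com" <phisher@evil.net>',
    "Alice <alice@example.org>",
]


def triage(headers):
    """Pair each header with its verdict; only 'known' should be trusted."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:<15} {header}")
```

Only “known” is a pass; “lookalike” and “brand-mismatch” are the campaign’s two tricks, and “no-address” covers headers the parser could not make sense of, which should be treated as suspicious rather than silently accepted. The allowlist is deliberately tiny here; in practice it is the list of sending domains each bank actually publishes, and the check belongs at the gateway, so that it does not depend on users noticing what their mail client hides.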

How to protect your organization from phishing attacks

No matter how effective your spam filter is, a spoof email could bypass it, making your organization’s staff the last line of defense against fraud. It is therefore vital that your staff are aware of the risks of phishing emails. E-learning courses are an efficient, cost-effective method of training all your staff with minimal disruption.

To establish how vulnerable your organization is to the threat of phishing, consider our Simulated Phishing Attack. This service provides an independent assessment of employee susceptibility, and benchmarks your security awareness campaigns. It can help you to:

  • Satisfy compliance and regulatory requirements
  • Adapt future testing to areas and employees at greatest risk
  • Reduce the number of employee clicks on malicious emails

Our Phishing Staff Awareness Course gives your staff an introduction to understanding and spotting phishing scams, and helps reduce the chance that an employee will hand over confidential information or inadvertently infect your organization’s systems.
