By John Wilson, Field CTO, Agari
Financial services organisations remain a firm favourite for cyber criminals. Industry reports suggest that hackers target financial service firms 300% more often than any other sector – and this situation is unlikely to change. Many companies, especially those in the financial services sector, have now adopted digital strategies to speed up processes and improve security, but savvy cyber criminals are not far behind. Hackers are constantly evolving and seeking new ways to exfiltrate valuable data. As the financial services industry comes under threat from new entrants, attention is turning toward digital channel strategies that enhance customer service and engagement. From traditional banks to P2P lenders, organisations are increasingly looking at how new forms of communication – email, mobile apps and text – can be used to support day-to-day processes and complete transactions.
However, as financial services institutions embrace new digital channels, they also open themselves up to new avenues of attack from cyber criminals. Take email as an example. Email has already become the primary tool of communication for financial services organisations, both within the business and externally with customers and third parties. Yet email has also been tirelessly exploited by sophisticated cyber criminals using it to initiate phishing and spear phishing attacks. With no security authentication built in, there is a fundamental flaw in the architecture of email that means anyone can send a message pretending to be from another person or brand.
Phishing financial services
Email phishing is a method used by fraudsters to access valuable personal details, such as usernames and passwords, which are then often used to commit fraud. The most common example is when consumers receive a fake email that looks like it came from a trusted source, like their bank, but takes them to a forged website that is designed to steal confidential or personal data, such as their bank login details.
According to ESET, across the globe, people receive 12 spam emails a day – which adds up to 4000 spam emails per person, per year. These messages tend to be sophisticated spoofs pretending to be from trusted organisations – Cyveillance found that when criminals pretend to be a trusted brand, 64% of the time they choose a bank or electronic payments service.
Phishers often use a wide variety of social engineering ploys to trick their victims into unguarded behaviour, such as requiring recipients to click on a link immediately by claiming they will lose bank account access if they do not. It’s becoming increasingly difficult for consumers to distinguish between fake and genuine correspondence. Some of the largest data breaches started with fraudulent email messages.
Last year, many banks were targeted by a sophisticated spam campaign that took advantage of email to trick consumers into installing the infamous banking Trojan, Dyreza, on their computers. In one example of Dyreza, attackers sent an email masquerading as a secure message from a bank. The attached Word document included the bank’s logo and address – including a “Secured by RSA” logo – and what looked like an encrypted block of text. The page contained instructions to click on the “Enable Content” button to view the message, but instead of decrypting the text, it executed an embedded macro script which downloaded and installed Dyreza. It’s been reported that nearly 100,000 machines have since contracted the Dyreza malware worldwide.
Crumbling customer trust
For the bank that is spoofed, this poses a huge trust issue. Building trust with customers takes time, especially within the financial services sector. But in a matter of hours, cyber criminals can destroy trust and damage reputations. The stakes are high and the long-term costs are real.
Verizon found that on average, 23% of recipients open fraudulent emails, while 11% click on attachments. Of those who open the email, 50% click on the link within an hour after it was sent. With this type of rapid, widespread acceptance, time is not on the side of the brand owners when it comes to detecting and reacting to phishing attacks. Cloudmark research found that 42% of consumers are less likely to engage with a business following an email attack, whether they were actually affected by the spoofed emails or not.
In today’s digital world, unhappy customers can easily make their voices heard, posing a huge risk to both a business’s image and bottom line.
Spear Phishing and Business Email Compromise
Unfortunately, phishing doesn’t just put customer relationships and revenue at risk. Spear phishing is a growing threat to internal employee communications in many financial services organisations. Spear phishers take aim at a selected individual, often within a targeted organisation.
Last year, the FBI reported that losses from one type of spear phishing, Business Email Compromise (BEC) scams, alone totaled more than $1.2 billion. BEC scams involve attackers who impersonate an executive of the organisation and email an employee with specific instructions or requests.
The most common example is the so-called CEO wire fraud scam. The scam begins with an email “from” the CEO to the CFO, explaining that she needs an urgent wire transfer and that she’ll provide the details shortly. In these attacks, the From: address of the email has been spoofed, and a Reply-To: header has been added to the message so that replies will route back to the fraudster. The criminal sets the display portion of the Reply-To: address to be the CEO’s name, and since most email software displays only this text, rather than the actual email address, the victim cannot detect the deception visually.
The email generally ends with a simple question, such as “When is the cut-off to get this completed today?” or “What information will you need to process my request?” The purpose of the question is to elicit a response from the CFO. The fraudster provides the receiving bank account details for the wire only after receiving a response to his initial email. This reduces the chances of his bank account details being exposed to the police should the victim catch on to the scam.
The perpetrators of these scams utilise distinctive tradecraft. This fingerprint can tie distinct attacks back to the same threat actor. After examining email data from just three clients, Agari observed the same fingerprint in attacks targeting all of them. This particular threat actor uses free webmail addresses as the Reply-To addresses. The subject lines are always short, such as “Hello Kelly”, “Today”, or “Urgent”. Finally, this criminal sends several messages, spaced over the course of 2 or 3 weeks. Given the prolific nature of this threat actor’s work, we suspect he uses automation to craft and send at least the initial attack messages.
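The header pattern described in the three paragraphs above (a spoofed From:, a Reply-To: whose display name copies the executive's name but whose mailbox sits at a free webmail provider, and a terse subject) can be turned into a simple mail-gateway check. The following is an added example written for this article; it is not Agari's product or code. The message samples, the domain examplebank.test, the free-webmail list and the "two indicators" threshold are all constructed assumptions.

```python
"""Heuristic check for the CEO-fraud header fingerprint described above.

Added example, not Agari's code. The samples and thresholds are assumptions.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumed list of consumer webmail providers; extend for your environment.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Subjects with this many words or fewer count as "short" ("Hello Kelly", "Urgent").
SHORT_SUBJECT_WORDS = 2

# Constructed sample: the article's CEO-to-CFO wire fraud pattern.
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe@examplebank.test>
Reply-To: "Jane Doe" <janedoe.ceo@gmail.com>
To: cfo@examplebank.test
Subject: Urgent
Date: Mon, 01 Feb 2016 09:00:00 +0000

When is the cut-off to get this completed today?
"""

# Constructed sample: ordinary internal mail with no Reply-To.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@examplebank.test>
To: cfo@examplebank.test
Subject: Q1 board pack review notes
Date: Mon, 01 Feb 2016 09:05:00 +0000

Notes attached, no action needed before Thursday.
"""

# Constructed sample: legitimate Reply-To to a ticketing system at another
# corporate domain; one indicator only, so it must not be flagged.
SAMPLE_TICKET = """\
From: "Jane Doe" <jane.doe@examplebank.test>
Reply-To: "Helpdesk" <tickets@it-vendor.test>
To: cfo@examplebank.test
Subject: Laptop replacement request reference 4471
Date: Mon, 01 Feb 2016 09:10:00 +0000

Reply to this message to update the ticket.
"""


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> List[str]:
    """Return the list of fingerprint indicators present in the message headers."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "").strip()
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)

    indicators = []
    if reply_addr and reply_domain != from_domain:
        indicators.append("reply-to domain differs from From domain")
        # The recipient's client shows only the display name, so a copied
        # name over a different mailbox is the visual trick in the article.
        if reply_name and reply_name.strip().lower() == from_name.strip().lower():
            indicators.append("reply-to display name matches From name but mailbox differs")
    if reply_domain in FREE_WEBMAIL_DOMAINS:
        indicators.append("reply-to mailbox at free webmail provider")
    if subject and len(subject.split()) <= SHORT_SUBJECT_WORDS:
        indicators.append("short subject line")
    return indicators


def flag_message(raw_message: str, internal_domain: str) -> bool:
    """Flag when the From claims an internal mailbox and two or more indicators fire."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    if _domain(from_addr) != internal_domain.lower():
        return False
    return len(bec_indicators(raw_message)) >= 2


if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("legit", SAMPLE_LEGIT), ("ticket", SAMPLE_TICKET)):
        print(label, flag_message(sample, "examplebank.test"), bec_indicators(sample))
```

The threshold of two indicators is deliberate: a Reply-To: at a different domain on its own is common in legitimate mail (ticketing systems, mailing lists), so the check only fires when the display-name reuse, free-webmail mailbox or terse subject also appear, which is the combination the article's fingerprint describes.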
With the FBI reporting a 270% increase in reported global losses from January to August 2015 due to these types of scams, financial firms need to be vigilant with their email security.
All organisations in the financial sector need to give serious consideration to how they educate and protect consumers. While it is important to educate customers about the possible sources of cyber crime and fraud, simply disclosing that the organisation will never ask for personal details over email is not sufficient. Financial institutions need to work hard to authenticate legitimate communications and ensure that fake emails simply never reach the customer’s inbox.
The focus should be on gaining visibility into their email ecosystem, including vendors sending emails on their behalf. Financial firms can then get real-time threat intelligence and alerts around email authentication, which gives them the ability to control their email activity using minimal resources. Once they clean up their email ecosystem, their emails will be properly authenticated and spoofed messages will no longer reach their intended victims.
Let’s dive into an example of how this works in practice. A group of cyber criminals recently mimicked the brand of a globally recognised bank by sending fraudulent emails, attempting to steal sensitive customer data. As a result, the bank’s support centre staff were inundated with calls from customers inquiring about their account being suspended. A recovery operation of this magnitude could end up costing the bank millions, permanently eroding customer trust.
Agari were brought in to prevent further phishing attacks by securing the bank’s email channel. First, we implemented an authentication capability for all email sent to customers, meaning only email genuinely originating from the bank’s domain would authenticate under the DMARC standard. All other fraudulent, illegitimate email would be blocked from being delivered to customer inboxes by the ISPs, also using DMARC. Any third party that was sending email on behalf of the bank needed to follow the same authentication process. Finally, the bank established a programme to communicate the new policy to all marketing professionals involved with generating, designing and implementing its email campaigns.
In addition to removing the email channel as a vehicle for cyber attacks, the bank also gained much needed transparency into what was occurring within its email ecosystem. Its customers had been receiving approximately one billion emails per year, purporting to come from the bank’s email domains. Banks may have multiple domains across their service offering – for example, one for their consumer banking operation, one for their business banking branch, one for their payments service, and so on. Of those emails, 194 million were malicious, phishing emails that were very damaging to their brand. Over the next few months, they were able to successfully block 95% of fraudulent email targeting their customers.
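To make the deployment in the two paragraphs above concrete, here is an added example of how a receiving ISP evaluates a DMARC record, showing a monitor-only record beside the enforcing one, and why a third-party sender on a subdomain must align its authentication exactly when strict alignment is chosen. This is example code written for this article, not Agari's product or the bank's real configuration; the domain examplebank.test and both DNS records are constructed, and organisational-domain derivation is simplified to the last two labels (real DMARC uses the Public Suffix List).

```python
"""Minimal DMARC record parser and disposition evaluator (added example).

Not Agari's code. Domains and records are constructed; org-domain logic is simplified.
"""
from typing import Dict

# Constructed TXT records for _dmarc.examplebank.test: the weak "monitor only"
# policy, and the enforcing policy that stops spoofed mail reaching inboxes.
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@examplebank.test"
DMARC_ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@examplebank.test"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict, filling in DMARC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels (assumption, no PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(record_txt: str, header_from: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject').

    spf_domain is the envelope (MAIL FROM) domain SPF checked; dkim_domain is
    the d= value of the verified signature. Either one aligned and passing is
    enough for DMARC to pass.
    """
    rec = parse_dmarc(record_txt)
    spf_ok = spf_pass and aligned(header_from, spf_domain, rec["aspf"])
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, rec["adkim"])
    return "pass" if (spf_ok or dkim_ok) else rec["p"]


if __name__ == "__main__":
    # Spoofed mail: attacker's own SPF passes for its envelope domain, no DKIM.
    for rec in (DMARC_WEAK, DMARC_ENFORCING):
        print(dmarc_disposition(rec, "examplebank.test",
                                True, "bulk-sender.test", False, ""))
```

Under the weak record the spoofed message is merely reported (p=none), which is the "visibility" stage described above; under the enforcing record it is rejected. The third sender case in the test shows the caveat for vendors: mail signed with d=mail.examplebank.test passes under relaxed alignment but is rejected once adkim=s is set, which is why every third party had to be brought onto the same authentication process before enforcement.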
This is just one example of the online threats that continue to dominate the financial sector, so it is crucial that financial organisations secure their digital channels for both employees and customers, not only in the interest of protecting important customer data, but also to maintain brand trust and protect the integrity of internal processes. Ensuring that email communications are secure will have a knock-on effect in all aspects of the business, in terms of securing revenue, reinforcing customer confidence and decreasing customer service costs.