Beyond Email Gateways and Email Authentication: How to Stop Financial Phishing Attacks

Ingenious new attack patterns related to COVID-19 financially exploit individuals and businesses. A new SecurityWeek webinar explains how these scams work, psychologically and technologically; and just how they bypass email authentication and email gateway vulnerabilities to heighten your risk. 

To protect your organization, it’s important to understand how these threats appear, function, and evade popular defenses (you can find just a few examples below). To learn more about how to close the security gaps found in email gateways (SEGs), cloud email, as well as DMARC, view the full webinar on-demand here

COVID-19: Exploitation Takes Center Stage 

COVID-19 is having an unprecedented impact across healthcare, commerce, education, travel and home life. Financially-related phishing attacks have soared; information-gathering scams are increasing as well, leveraging well-known financial and tax-related brands like Wells Fargo, Bank of America, TurboTax and more. How can you evaluate your security tools and analyze their effectiveness in the face of new financial cybercrime threats? 

Threat Actor Techniques for Circumventing Defenses

Attackers use a number of techniques to bypass or neutralize traditional (or increasingly popular) defenses like Proofpoint, Cisco Email Security, and even Office 365 with ATP. Attackers also neatly skirt DMARC verifications to deliver phish and the malware they carry. 

Here are three examples of financial phishing attacks from the past few months, that could have been knockout punches if they hadn’t been blocked by Area 1: 

  • Attack #1: Exploiting the Pandemic Itself 
  • Attack #2: Exploiting Economic Stimulus and Relief Packages  
  • Attack #3: Exploiting Financial Transactions through BEC
Attack #1: Exploiting the Pandemic Itself 

We detect tens of thousands of attacks that manipulate fears triggered by COVID-19 every day. In fact, the dramatic rise in phishing attacks correlates to the spikes in COVID-19 cases.

A Linkless Vaccine Scam Evades SEGs

This particular COVID-19 effort uses vaccine trials as a lure, promising early access to a new vaccine by asking the victim to participate in a trial. The attacker is hoping to engage with the target and extract personal information for identity theft or other financial crime.  

The phish includes no malicious links. It features a photo of Moderna’s chief medical officer, and the factually accurate content is drawn from the actual Moderna website. The attacker also includes links to legitimate websites to reinforce credibility.  

Technically speaking, the scammers used an older—vulnerable—domain as their sender address and devised additional ways to evade defenses. I explain more here about how Area 1 neutralizes this kind of phish.

Attack #2: Exploiting Economic Stimulus and Relief Packages

Below is an example of how assistance intended to support those suffering financially from the pandemic becomes a massive undeserved bounty for criminals. 

Update Your Info to Receive Your Stimulus Check

This form spoofs Wells Fargo, tailored to show the target’s information. The specific name and email are included throughout the message. Clicking the “LOGIN” button will allow the browser to load a Wells Fargo credential harvester, which is hosted on a legitimate but compromised website. In the webinar I discuss how attackers also create their own sender domain and then properly configure SPF, DKIM, and DMARC for that domain in order to ensure deliverability of their messages. SEGs that depend predominantly on email authentication and sender reputation will completely miss these types of phishing attacks.

Attack #3: Exploiting Financial Transactions through BEC

The webinar features a deep dive about this Business Email Compromise (BEC) phishing scam below, which actually manages to exploit the pandemic by means of a fake “humanitarian” goal: payment for additional ventilators needed in response to the COVID-19 outbreak.

Six-Figure Wire Fraud Combines Multiple BEC Techniques

This example thread contains two emails — the first sent from the president of the targeted company to the CFO regarding those wiring instructions for ventilators to save lives. The second email appears to be from the CFO, purportedly reaching out to two employees responsible for invoicing and asking that they use the wiring instructions to send payment — that day — of $126,000. 

But the second email is not really from the CFO but rather the attacker who had registered a malicious domain that looked very similar to the targeted company’s actual email domain. Fortunately, Area 1 stopped this BEC attack, which had a sender domain with properly-configured SPF and DKIM and was originally missed by the targeted company’s SEG.  

How Area 1 Stops BEC Attacks in Their Tracks

Defending a company against this level of threat requires technology that goes above and beyond industry-standard detection practices. Area 1’s comprehensive solution for stopping BEC includes campaign-source analytics; our active sensors and massive web-crawling capabilities, along with SPARSE — our small pattern analytics engine — to enable an unprecedented level of preemptive investigation and detection. We identify malicious infrastructure under construction in the wild, before phishing campaigns are even launched. We also have the largest web crawling capability ever built, focused purely on attacks and campaign identifications. 

  • Message Sentiment Analysis helps us better understand what’s being expressed within a message (taking into account tone and language used)
  • Partner Social Graphs map out the complex web of communications built from messages flowing within the service, focusing on assessing sender reputation (particularly those in your supply chain)
  • Conversational Context Analysis exceeds single-message analysis to assess variations or anomalies within the entire message thread (e.g., first three messages ask for ACH payment to a particular bank; the fourth message is for payment to a different bank)
  • Categories of Interest include emails involving Finance, Accounting, Legal, Purchasing, and so forth. Based on verdicts made via our advanced detection capabilities, we can then escalate any BEC attacks to SOC teams directly, giving them extensive context about the attack 

To learn more, visit our COVID-19 Security Solutions overview or view the “Beyond Email Gateways and Email Authentication: How to Stop Financial Phishing Attacks” webinar here.

Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!


Understanding the Four Business Email Compromise Attack Types

Business Email Compromise (BEC), also sometimes referred to as email account compromise (EAC) or vendor email compromise (VEC), is a type of phishing attack that takes advantage of an existing relationship between a victim and organization.

Area 1 Security Announces the Most Spoofed Brand of 2021

Dear America’s sports-loving, company-securing fans: Before you find yourself glued this weekend to (what some call) THE biggest game in college basketball history, we are here to crown the 2022 March Hackness winner!

2022 March Hackness: The Return of the Phishing Bracket

Area 1 Security’s Sixth Annual March Hackness: The Perfect Phishing Bracket is here! Learn who made the list of the top brands that attackers use in phishing lures.