Beyond Email Gateways and Email Authentication: How to Stop Financial Phishing Attacks

Ingenious new attack patterns related to COVID-19 financially exploit individuals and businesses. A new SecurityWeek webinar explains how these scams work, psychologically and technologically, and how they bypass email authentication and exploit email gateway vulnerabilities to heighten your risk.

To protect your organization, it’s important to understand how these threats appear, function, and evade popular defenses (you can find just a few examples below). To learn more about how to close the security gaps found in secure email gateways (SEGs), cloud email, as well as DMARC, view the full webinar on-demand here.

COVID-19: Exploitation Takes Center Stage 

COVID-19 is having an unprecedented impact across healthcare, commerce, education, travel and home life. Financially-related phishing attacks have soared; information-gathering scams are increasing as well, leveraging well-known financial and tax-related brands like Wells Fargo, Bank of America, TurboTax and more. How can you evaluate your security tools and analyze their effectiveness in the face of new financial cybercrime threats? 

Threat Actor Techniques for Circumventing Defenses

Attackers use a number of techniques to bypass or neutralize traditional (or increasingly popular) defenses like Proofpoint, Cisco Email Security, and even Office 365 with ATP. Attackers also neatly skirt DMARC verifications to deliver phish and the malware they carry. 

Here are three examples of financial phishing attacks from the past few months that could have been knockout punches if they hadn’t been blocked by Area 1:

  • Attack #1: Exploiting the Pandemic Itself 
  • Attack #2: Exploiting Economic Stimulus and Relief Packages  
  • Attack #3: Exploiting Financial Transactions through BEC

Attack #1: Exploiting the Pandemic Itself

We detect tens of thousands of attacks that manipulate fears triggered by COVID-19 every day. In fact, the dramatic rise in phishing attacks correlates to the spikes in COVID-19 cases.

A Linkless Vaccine Scam Evades SEGs

This particular COVID-19 effort uses vaccine trials as a lure, promising early access to a new vaccine by asking the victim to participate in a trial. The attacker is hoping to engage with the target and extract personal information for identity theft or other financial crime.  

The phish includes no malicious links. It features a photo of Moderna’s chief medical officer, and the factually accurate content is drawn from the actual Moderna website. The attacker also includes links to legitimate websites to reinforce credibility.  

Technically speaking, the scammers used an older—vulnerable—domain as their sender address and devised additional ways to evade defenses. I explain more here about how Area 1 neutralizes this kind of phish.

Attack #2: Exploiting Economic Stimulus and Relief Packages

Below is an example of how assistance intended to support those suffering financially from the pandemic becomes a massive undeserved bounty for criminals. 

Update Your Info to Receive Your Stimulus Check

This form spoofs Wells Fargo, tailored to show the target’s information. The specific name and email are included throughout the message. Clicking the “LOGIN” button will allow the browser to load a Wells Fargo credential harvester, which is hosted on a legitimate but compromised website. In the webinar I discuss how attackers also create their own sender domain and then properly configure SPF, DKIM, and DMARC for that domain in order to ensure deliverability of their messages. SEGs that depend predominantly on email authentication and sender reputation will completely miss these types of phishing attacks.

Attack #3: Exploiting Financial Transactions through BEC

The webinar features a deep dive about this Business Email Compromise (BEC) phishing scam below, which actually manages to exploit the pandemic by means of a fake “humanitarian” goal: payment for additional ventilators needed in response to the COVID-19 outbreak.

Six-Figure Wire Fraud Combines Multiple BEC Techniques

This example thread contains two emails — the first sent from the president of the targeted company to the CFO regarding those wiring instructions for ventilators to save lives. The second email appears to be from the CFO, purportedly reaching out to two employees responsible for invoicing and asking that they use the wiring instructions to send payment — that day — of $126,000. 

The second email, however, is not from the CFO but from an attacker who had registered a malicious domain that looked very similar to the targeted company’s actual email domain. Fortunately, Area 1 stopped this BEC attack, which had a sender domain with properly-configured SPF and DKIM and was originally missed by the targeted company’s SEG.
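A sender domain that passes SPF and DKIM can still be a look-alike of your own, so the check has to compare the From domain itself. The sketch below is an added example, not Area 1's code; the protected domain `examplecorp.com`, the sample messages, the small look-alike folding table and the distance threshold of 2 are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED = {"examplecorp.com"}  # assumption: the organisation's real domain
# Illustrative look-alike folding only; not a complete homoglyph table.
DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    return domain.lower().translate(DIGITS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    d = [[i + j if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def auth_passed(msg):
    # Trust this header only when your own receiving MTA stamped it.
    results = msg.get("Authentication-Results", "")
    return all(re.search(rf"\b{m}=pass\b", results) for m in ("spf", "dkim"))

def classify(raw):
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    passed = auth_passed(msg)
    if domain in PROTECTED:
        return "own-domain" if passed else "own-domain-unauthenticated"
    for real in PROTECTED:
        if skeleton(domain) == skeleton(real) or edit_distance(domain, real) <= 2:
            return "lookalike-auth-pass" if passed else "lookalike"
    return "external"

def sample(from_domain):
    """Constructed message; the addresses and header values are made up."""
    return (f"From: CFO <cfo@{from_domain}>\n"
            f"Authentication-Results: mx.examplecorp.com; spf=pass "
            f"smtp.mailfrom={from_domain}; dkim=pass header.d={from_domain}\n"
            "Subject: Wiring instructions\n\nPlease send payment today.\n")

if __name__ == "__main__":
    for d in ("examplecorp.com", "examp1ecorp.com", "exmaplecorp.com", "vendor.net"):
        print(d, "->", classify(sample(d)))
```

A `lookalike-auth-pass` verdict is the case described above: the authentication results are clean, and only the comparison against the protected domain exposes the message.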

How Area 1 Stops BEC Attacks in Their Tracks

Defending a company against this level of threat requires technology that goes above and beyond industry-standard detection practices. Area 1’s comprehensive solution for stopping BEC includes campaign-source analytics, our active sensors and massive web-crawling capabilities, and SPARSE (our small pattern analytics engine), which together enable an unprecedented level of preemptive investigation and detection. We identify malicious infrastructure under construction in the wild, before phishing campaigns are even launched. We also have the largest web crawling capability ever built, focused purely on attacks and campaign identifications.

  • Message Sentiment Analysis helps us better understand what’s being expressed within a message (taking into account tone and language used)
  • Partner Social Graphs map out the complex web of communications built from messages flowing within the service, focusing on assessing sender reputation (particularly those in your supply chain)
  • Conversational Context Analysis exceeds single-message analysis to assess variations or anomalies within the entire message thread (e.g., first three messages ask for ACH payment to a particular bank; the fourth message is for payment to a different bank)
  • Categories of Interest include emails involving Finance, Accounting, Legal, Purchasing, and so forth. Based on verdicts made via our advanced detection capabilities, we can then escalate any BEC attacks to SOC teams directly, giving them extensive context about the attack 
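The thread-level anomaly given as an example in the list above (earlier messages name one bank, a later message names another) can be illustrated with a simple baseline comparison. This is an added sketch, not Area 1's implementation; the regular expressions, the thread and every address and account number in it are constructed for illustration.

```python
import re

ROUTING = re.compile(r"\b(?:routing|aba)\D{0,20}(\d{9})\b", re.I)
ACCOUNT = re.compile(r"\b(?:account|acct)\D{0,20}(\d{6,17})\b", re.I)

# Constructed thread of (sender, body); every name and number is made up.
THREAD = [
    ("ap@supplier.example",
     "Invoice 118 attached. ACH to routing 000111222, account 5550001111."),
    ("pay@examplecorp.com", "Received, scheduling for Friday."),
    ("ap@supplier.example",
     "Reminder: routing 000111222, account 5550001111."),
    ("ap@supplier-billing.example",
     "Our bank changed. Use routing 000333444, account 7770002222 today."),
]

def payment_details(body):
    """Extract (routing, account) from free text; None where absent."""
    r, a = ROUTING.search(body), ACCOUNT.search(body)
    return (r.group(1) if r else None, a.group(1) if a else None)

def find_drift(thread):
    """Flag messages whose payment details differ from the first seen in the thread."""
    baseline, alerts = None, []
    for position, (sender, body) in enumerate(thread, start=1):
        details = payment_details(body)
        if details == (None, None):
            continue  # no payment instructions in this message
        if baseline is None:
            baseline = (position, sender, details)
        elif details != baseline[2]:
            alerts.append({
                "message": position,
                "baseline_message": baseline[0],
                "old": baseline[2],
                "new": details,
                "sender_changed": sender != baseline[1],
            })
    return alerts

if __name__ == "__main__":
    for alert in find_drift(THREAD):
        print(alert)
```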

To learn more, visit our COVID-19 Security Solutions overview or view the “Beyond Email Gateways and Email Authentication: How to Stop Financial Phishing Attacks” webinar here.
