Without a doubt, spoofing of financial institutions’ digital properties has become an increasingly common practice and is probably the most exploited cyberattack vector this industry faces in 2024. There are two primary reasons for this: the rise of sophisticated attacks leveraging artificial intelligence, and financial institutions’ growing reliance on digital assets to conduct business. Many actions and transactions a customer might perform on a financial institution’s digital assets have been distilled down to single-click operations that often don’t require one-time passwords (OTPs) to execute. This includes payments, billings, invoicing and auto-debits.
While created to streamline customer experience, these new ‘digitized’ and ‘smart banking’ features have the potential to lead to unnoticed loopholes, left in vulnerable states for attackers to exploit. Furthermore, emerging functions designed to facilitate easier ways of banking using artificial intelligence have exposed a plethora of opportunities to spoof banking customers.
The global banking industry has seen a shift in terms of infrastructure and its security implementation. The smallest exposed vulnerability is being exploited to diminish a financial institution’s reputation or worse, access its data for extortion. Another element is a tailored spoofing attack targeting everyone associated with a bank – customers, employees, and executives. Setting up pages that appear legitimate with relevant keywords in the domain is a well-worn practice used to harvest sensitive financial and personal information. Although this practice has been going on for years, the pace of proliferation has accelerated with technological advancement.
According to a report by APWG, while attacks on financial institutions (like banks) continued to decline from their peak in Q3 2023, they still represented a significant portion of the threat landscape at 9.8% in Q1 2024. Online payment services also remained a prime target, with 7.4% of all phishing attacks directed at companies like PayPal, Venmo, and Stripe.
Spoofing generally starts with an email or message landing in a victim’s inbox. Depending on the theme, spoofing generally manipulates the victim by creating a sense of urgency, luring them to click on a link or attachment sent with the message. This redirects the victim to a spoofed domain, where the user is prompted to enter some personally identifiable information (PII), such as name, email, address, SSN, contact, and birth details.
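The lure described above usually carries a link whose visible text names the real institution while the href points at the spoofed domain, wrapped in urgency language. The following checker is an added example (not code from the original article); it parses a constructed HTML message, flags links whose displayed host differs from the host the href actually resolves to, and counts urgency phrases from a small hand-picked list. The sample message, the brand domain `examplebank.com` and the phrase list are all constructed for illustration.

```python
"""Flag two phishing indicators in an HTML e-mail body:
1. link text that names one host while the href goes to another
2. urgency phrases that pressure the reader into clicking
Added example with a constructed message; not the article's own code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hand-picked urgency phrases (constructed list; a real filter would use a
# larger, tuned vocabulary and weigh phrases rather than count them).
URGENCY_PHRASES = (
    "immediately",
    "within 24 hours",
    "account will be deactivated",
    "suspicious activity",
    "verify now",
)

# Bare domain-like token inside visible link text, e.g. "www.examplebank.com".
_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def text_host(text):
    """Host a reader *sees* in the link text, lower-cased, or None."""
    m = _DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None


def analyze_email(html):
    """Return a list of human-readable findings for the given HTML body."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = urlparse(href).hostname
        actual = actual.lower() if actual else None
        shown = text_host(text)
        # A subdomain of the shown host (www.bank.com under bank.com) is fine;
        # anything else is the classic display-text / href mismatch.
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            findings.append(f"link text names {shown} but href goes to {actual}")
    visible = re.sub(r"<[^>]+>", " ", html).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in visible:
            findings.append(f"urgency phrase: {phrase!r}")
    return findings


# Constructed sample message imitating a "suspicious activity" lure.
SAMPLE_EMAIL = """
<p>Suspicious activity was detected on your account. Verify now or your
account will be deactivated within 24 hours.</p>
<p><a href="https://examp1ebank-secure.xyz/login">https://www.examplebank.com/login</a></p>
<p><a href="https://www.examplebank.com/help">www.examplebank.com</a></p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("-", finding)
```

The first link in the sample is reported because the reader sees `www.examplebank.com` while the href leads to `examp1ebank-secure.xyz`; the second link passes because text and href agree. A mail gateway would typically combine such findings with sender-authentication results rather than act on either alone.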
Some common themes related to spoofing are based on surprise rewards, phony suspicious activity alerts reported in an account, sudden deactivation notifications, unknown purchase invoices, special offers and coupon-based schemes.
Spoofing attacks are often chained together to maximize their impact and to exploit all the arenas associated with phishing attacks. While most of them end with the common goal of collecting personal and financial information, these campaigns begin in different ways.
When it comes to the financial sector, adversary groups go a step further and attempt to bypass security measures such as OTPs, or unlawfully acquire customers’ CVV and CVC details.
For example, customers may receive an email that redirects them to a website prompt, asking them to enter their bank account details to show eligibility for a ‘lucky draw reward’. Another example is when the customer gets an email reminding them of a pending payment that collects the user’s CVV details and then returns them to the original website to avoid any suspicion.
The data harvested by cybercriminals using a spoofing attack is then further sold on the dark web via auction. If customer PII is put on sale, it can then be used by cybercriminals to conduct sophisticated social engineering attacks such as vishing or targeted email fraud, where the chances of the attacker arousing suspicion are lowered significantly.
Financial data such as CVV/CVC is then used to make unauthorized transactions on the dark web (a technique known as “carding”), and the victim accounts might show anomalies. By harvesting customer and/or employee banking account credentials, the threat actors try to drain funds by authenticating multiple purchases or transferring them to other accounts. In the worst-case scenario, a highly privileged account can be used to implant malware or to launch deeper phishing attacks.
There are several ways cybercriminals execute spoofing attacks. However, in all of them, deception and creating a sense of urgency to discourage scrutiny are always present.
One method is “typosquatting”, in which cybercriminals register multiple domains using the same keyword in alternate permutations and combinations to trick the user. An example of typosquatting is keywords having the same pronunciation but different spellings. Inexpensive, shady registrars and top-level domains (TLDs) are used to set up identical-looking websites.
In addition to URL spoofing, attackers resort to internationalized domain name (IDN) homographs to deceive users. By substituting similar-looking characters, such as lower-case “L” (“l”) for “I” or “0” for “O,” they register deceptive yet similar-looking domains. This is a well-known attack vector used in spoofing, in which the appearance of the malicious domains mimics authentic websites by using stolen or publicly available design elements.
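Both techniques above (typosquatting and IDN homographs) can be caught by the same defensive check: fold each candidate domain to the Latin “skeleton” a reader would perceive, then compare it with the institution’s protected brand names. The scorer below is an added example, not code from the original article, and it generalizes beyond the two characters named in the text. It decodes punycode (`xn--`) labels, maps a small hand-picked subset of confusable characters and digit lookalikes, collapses sequences such as `rn` that render like `m`, and finally applies an optimal-string-alignment edit distance for plain typos. The brand list `PROTECTED`, the `CONFUSABLES` table and the `CANDIDATES` list are all constructed for illustration; a production monitor would use the full Unicode confusables table and a public-suffix list.

```python
"""Score candidate domains for typosquatting / IDN-homograph similarity to a
list of protected brand domains. Added example with constructed data; not the
article's own code. Assumes the TLD is the last label (no public-suffix list)."""
import unicodedata

# Protected brand domains (constructed).
PROTECTED = ["examplebank.com", "examplepay.com"]

# Characters an attacker can swap for Latin letters. The Unicode confusables
# table is far larger; this is a small, hand-picked subset for illustration.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",   # digit lookalikes
    "\u0430": "a", "\u0435": "e", "\u043e": "o",        # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",        # Cyrillic р с у
    "\u0456": "i", "\u0455": "s", "\u04bb": "h",        # Cyrillic і ѕ һ
    "\u03bf": "o", "\u03b1": "a",                       # Greek ο α
    "|": "l",
}
# Multi-character sequences that render like a single letter.
SEQUENCES = {"rn": "m", "vv": "w", "cl": "d"}


def to_unicode(domain):
    """Decode punycode (xn--) labels so homographs are compared as rendered."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain


def registrable_label(domain):
    """Second-level label, e.g. 'examplebank' from 'www.examplebank.com'."""
    parts = to_unicode(domain).lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(label):
    """Fold a label to the Latin skeleton a human would perceive."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for seq, rep in SEQUENCES.items():
        label = label.replace(seq, rep)
    return label.replace("-", "")


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_score(candidate, protected=PROTECTED, max_distance=2):
    """Return (brand, reason) for the protected brand the candidate imitates, else None."""
    shown = to_unicode(candidate).lower().rstrip(".")
    cand = skeleton(registrable_label(candidate))
    best = None
    for brand in protected:
        if shown == brand or shown.endswith("." + brand):
            return None  # the brand's own domain or one of its subdomains
        target = skeleton(registrable_label(brand))
        if cand == target:
            return (brand, "lookalike: identical skeleton")
        if target in cand:
            return (brand, "brand name embedded in label")
        dist = damerau_levenshtein(cand, target)
        if dist <= max_distance and (best is None or dist < best[2]):
            best = (brand, f"typosquat: edit distance {dist}", dist)
    return best[:2] if best else None


# Constructed candidates, e.g. from a newly-registered-domain feed.
CANDIDATES = [
    "examplebank.com",          # the real domain
    "examp1ebank.com",          # digit 1 for l
    "exarnplebank.net",         # rn for m
    "\u0435xamplebank.com",     # Cyrillic е for e (IDN homograph)
    "examplebank-secure.xyz",   # brand embedded in a longer label
    "exmaplebank.com",          # transposition typo
    "weather.example",          # unrelated
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c:28} -> {lookalike_score(c)}")
```

Matching on the folded skeleton first means a single substitution such as the Cyrillic е is caught as an identical-skeleton hit rather than relying on edit distance, which would otherwise score it as one substitution away and could be tuned out by a strict threshold.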
Once a spoofed website is set up, mail records come next. When a phishing email is sent, the victim can be redirected to this webpage to execute further actions. This also helps in diverting the attacks to call spoofing (also known as “vishing” attacks), giving threat actors the leverage to entrap their victim from all sides.
Generative AI solutions such as ChatGPT are built to avoid writing malicious code, but recent threat landscape trends in the financial industry show heavy reliance on certain “evil twins” of the “good” generative AI options. For example, freely available tools such as WormGPT and HackerGPT are capable of generating phishing kits in a matter of seconds for spoofing various banks and institutions.
Besides text, spoofing attacks through the generation of deepfakes can also pose a significant risk to the financial industry, including fraud, identity theft, market manipulation, and reputational damage. “Know Your Customer” (KYC) guidelines are familiar compliance requirements that all financial institutions must follow; however, cybercriminals can bypass these efforts with fabricated videos that undermine the verification process.
To mitigate spoofing threats, financial institutions must invest in advanced phishing detection technologies and educate their employees about the dangers of deepfakes. By strengthening KYC procedures and staying vigilant against deepfake threats, financial institutions can safeguard their operations and maintain the trust of their customers and clients. Organizations utilizing proactive solutions to ensure preemptive adversarial disruption can block and deter the wave of finance sector spoofing attacks before they have the opportunity to operate.
From an organizational standpoint, spoofing attacks can lead to reputational damage for financial institutions and loss of customer trust. If a company’s data is frequently at risk due to repeated cyberattacks, the company attracts unwanted and damaging media attention – which can also result in regulatory fines and hefty compensation payments.
It is crucial to stay informed about the latest spoofing attack trends and adopt a preemptive approach to cybersecurity. By investing in advanced attack prediction technologies, educating employees, and practicing customer awareness, financial institutions can build a more resilient defense against these persistent threats.