Email Security Blog

Email-Based Bank Impersonation Scams Hit Where It Hurts Most

John Wilson, March 21, 2019. Categories: Brand Protection, Bank Security

We all know that phishing attacks come fast and furious. Timed and tailored for maximum effect, these malicious email messages exploit the cruelest social engineering tactics, preying on customer anxieties, especially in the aftermath of a major crisis.

This past May, UK banking giant TSB experienced one of these phishing-related emergencies. First came breaking news of a massive system meltdown when the migration to a new banking platform went spectacularly wrong. With accounts knocked offline, and with customers growing frustrated, email-based “security alerts” purporting to come from the bank started hitting email inboxes.

The messages were crafted to resemble authentic communications and informed recipients that TSB Bank accounts had been suspended due to “recent technical and security issues.” They then asked account holders to verify their accounts by clicking on the link embedded within the body of the email.

Of course, the phishing site on the other end of that click harvested the victims’ banking login credentials. Before long, as many as 1,300 customers reported their bank accounts had been robbed of everything they owned. “They’ve taken all my money,” Susie Goode, a 40-year-old mother of four, told the Sun-Times. “I’m not sleeping properly because I’m so stressed. I’ve got a family to look after.”

Unfortunately for financial institutions worldwide, this is not an isolated incident.

Banking on Chaos

Today, banks and other financial institutions are hit by an estimated 12,000 unique monthly bank phishing email campaigns that exploit their good names to defraud consumers and businesses. In fact, when cybercriminals impersonate a brand, they choose banks or electronic payments providers 60% of the time. Original Agari research recently found that Bank of America and Wells Fargo were two of the top ten impersonated brands in the last quarter of 2018. The previous quarter, JPMorgan Chase and Bank of America were in the top five.

Typically arriving in the form of fraud alerts, password resets, and account-locked notices, these attacks are expertly designed to incite alarm, stirring recipients to take immediate action. And they’re just one in an arsenal of approaches fraudsters use to trick consumers out of $1.4 billion through brand impersonation and other Internet scams each year.

It’s little wonder that email-based brand impersonation schemes are rising 400% per year. But unfortunately for banks, victims aren’t the only ones to pay a steep price.

Innocence is Not Enough

The financial damage to consumers and the publicity generated by attacks nearly always negatively impacts the impersonated banks. Even when they are not liable for losses, the fallout can be brutal.

In the case of TSB Bank, for instance, call centers were overwhelmed with more than 93,000 complaints from customers. Most of that had to do with the inability to access accounts due to the outage, but as many as 10,600 cases of potential fraud were identified.

This situation offers insight into how consumers and businesses react to bank imposters who ride real-time news events to exploit human psychology. Few things are more panic-inducing than fears about one’s personal finances. And even though the bank had no part in the scam, trust in the impersonated institution can still be damaged.

To make matters worse, cybercriminal activity like this causes continued damage, even after the headlines have died down. Legitimate email campaigns suffer, as recipients fail to open their email, fearing additional fraudulent activities. When you consider the ROI from email is $44 for every $1 spent—by far the most of any digital medium—you begin to understand just what a crushing blow impersonation fraud can inflict upon revenue-generating email programs.

As the well-funded, highly-professional cybercriminal operations behind these scams grow more effective, financial institutions must turn to a solution that will stop these social engineering-based impersonation ploys from reaching consumer inboxes.

Getting the House in Order

Over the last few years, Domain-based Message Authentication, Reporting and Conformance (DMARC) has emerged as an effective way for banks and other brands to prevent impersonation scams. At its most essential, DMARC is an open standard for ensuring only authorized senders can use your organization’s domain name in emails—including the lookalike “defensive” domains you proactively register.

Where it is implemented properly, DMARC has been shown to drop phishing emails from fraudsters impersonating the brand to near zero. Yet, according to Q4 2018 research from our team, only 13% of all financial institutions have deployed DMARC at enforcement to gain this kind of protection. Nearly 87% have left themselves wide open to attack, including institutions that have published a DMARC record but have not yet set it to an enforcement policy.
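The distinction drawn above, between having published a DMARC record and actually enforcing one, is something a defender can check mechanically from the TXT record at `_dmarc.<domain>`. The following script is an added example for this post, not Agari’s code; it parses the tag=value syntax of RFC 7489 and classifies a record as enforcing, monitor-only, partially applied (`pct` below 100), or open on subdomains (`sp=none`). The domains and records in it are constructed for illustration and do not describe any real bank.

```python
"""Classify DMARC records by whether they actually enforce a policy.

Added example, not Agari's code. Tag parsing follows RFC 7489; the sample
domains and records below are constructed and describe no real institution.
"""
from dataclasses import dataclass, field
from typing import Dict, List

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcRecord:
    policy: str                  # p=  : none | quarantine | reject
    subdomain_policy: str        # sp= : defaults to the p= value when absent
    pct: int                     # pct=: share of failing mail the policy applies to (default 100)
    rua: List[str] = field(default_factory=list)  # aggregate-report destinations


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a _dmarc.<domain> TXT record; raise ValueError if it is not valid DMARC."""
    parts = [p.strip() for p in txt.split(";")]
    parts = [p for p in parts if p]
    # RFC 7489: the record must begin with v=DMARC1 and must carry a p= tag.
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("record does not start with v=DMARC1")
    tags: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or unknown p= value: {policy!r}")
    sub = tags.get("sp", policy).lower()
    if sub not in VALID_POLICIES:
        raise ValueError(f"unknown sp= value: {sub!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        raise ValueError("pct= is not an integer") from None
    if not 0 <= pct <= 100:
        raise ValueError("pct= out of range")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcRecord(policy, sub, pct, rua)


def enforcement_status(txt: str) -> str:
    """Map a record to the 'deployed' vs 'enforcing' distinction the post draws."""
    try:
        rec = parse_dmarc(txt)
    except ValueError:
        return "invalid"            # receivers treat this as no DMARC policy at all
    if rec.policy == "none":
        return "monitor-only"       # reports flow, but spoofed mail is still delivered
    if rec.pct < 100:
        return "partial"            # policy applied to only pct% of failing mail
    if rec.subdomain_policy == "none":
        return "subdomains-open"    # org domain protected, but alerts.bank.example is not
    return "enforcing"


def enforcement_share(records: Dict[str, str]) -> float:
    """Fraction of domains whose record fully enforces (0.0 to 1.0)."""
    if not records:
        return 0.0
    enforcing = sum(1 for r in records.values() if enforcement_status(r) == "enforcing")
    return enforcing / len(records)


# Constructed sample records for five hypothetical banks (not real domains).
SAMPLE_RECORDS = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example",
    "bank-c.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@bank-c.example",
    "bank-d.example": "v=DMARC1; p=reject; sp=none",
    "bank-e.example": "p=reject",   # missing v= tag: receivers ignore the record entirely
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:18} {enforcement_status(txt)}")
    print(f"fully enforcing: {enforcement_share(SAMPLE_RECORDS):.0%}")
```

Only one of the five constructed records counts as enforcing; the other four are exactly the “deployed but not protected” cases: monitoring only, a partial `pct`, subdomains left open, and a record that receivers will not even recognize as DMARC.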

Even fewer have adopted the modern, AI-based solutions that leverage real-time intelligence from trillions of emails worldwide to detect, defend against, and deter phishing emails across the domains they own as well as the ones they don’t.

Kicking Imposters to the Curb

According to a study from Forrester Research, organizations using Agari Brand Protection, for instance, not only saw impersonation attempts drop to near zero, but also experienced an average 92% drop in calls from confused or frustrated customers. By avoiding the kind of negative headlines and brand erosion that stems from these cons, organizations have also seen email conversion rates for their own legitimate email programs climb an average of 10%, leading to an average of $4 million from increased customer engagement.

Factor in the costs associated with finding and shutting down phishing sites, call center staffing, crisis management, and legal services, and Forrester reports organizations have seen an average 326% ROI from the Agari solution. Considering the rising threat from bank impersonation through socially engineered phishing scams, those kinds of returns may make brand protection a very wise investment for many financial institutions.

To learn more about phishing-based brand impersonation and best practices for defeating it, download a free copy of “The Total Economic Impact of Agari Brand Protection.”
