According to our Phishers’ Favorites 2019 Year in Review Report, Bank of America phishing jumped 34 percent in 2019. The surge in Bank of America phishing coincided with a surprising surge in phishing attacks impersonating community banks. Once viewed as less lucrative targets, community banks have joined the ranks of SMBs across the globe that are being targeted in cyberattacks. With fewer resources than enterprises, SMBs have become the ultimate target.
Vade detected a total of 19,800 unique phishing URLs spoofing Bank of America in 2019, up from 14,771 in 2018. Security alerts are among the most common scams in financial services phishing attacks. Bank of America phishing emails are no exception. Any account alert is sure to raise concerns for users, but an alert from a financial institution is especially distressing and highly likely to result in clicks.
In the example below, a Bank of America phishing email warns the victim that a new device has been used in association with their bank account. In a nice touch, the user is politely told to ignore the warning if they had indeed registered a new device.
The phishing link is noticeably missing in the first half of the phishing email. This is another clever trick on the hacker’s part. It comes later in the email, after the user is sufficiently primed.
The link leads to a sophisticated Bank of America phishing page that the average user would not suspect. The giveaway that this is a phishing attack, although again an average user might not catch it, is that unlike forms on legitimate brand webpages, the forms on the phishing page accept random text: non-existent email addresses and passwords, and account and PIN numbers that likely don’t match any on record with Bank of America. This is typical of most phishing pages because they’re designed only to capture information; they cannot recognize right and wrong answers.
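The phishing pages described above live on URLs that name-drop the brand while sitting on some unrelated domain or a bare IP address. The following is an added example (not Vade’s detection engine or any code from the report) of a defender-side triage heuristic that flags such brand impersonation in URLs. The brand keyword list, the set of legitimate domains, and the sample URLs are all constructed for illustration; a real filter would use the brands’ published domains and a public-suffix list rather than the two-label simplification used here.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Brand keywords and the registrable domains treated as legitimate for each.
# Assumed list for this example; a production filter would use each brand's
# published domains rather than a hand-written table.
BRANDS = {
    "bankofamerica": {"bankofamerica.com"},
    "chase": {"chase.com"},
    "wellsfargo": {"wellsfargo.com"},
    "cibc": {"cibc.com"},
    "desjardins": {"desjardins.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname.

    Simplification: ignores public suffixes such as co.uk, which a real
    implementation would resolve with a public-suffix list.
    """
    return ".".join(host.split(".")[-2:])


def _normalize(text: str) -> str:
    # Collapse separators so 'bank-of-america' and 'bank.of.america'
    # both match the keyword 'bankofamerica'.
    return re.sub(r"[-._]", "", text.lower())


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url: str):
    """Return (brand, where) if the URL mentions a brand outside its legitimate
    domain, else None.

    'where' ranks the signal: 'host' (brand in a non-brand hostname, strong),
    'ip' (brand in the path of a bare-IP URL, strong), or 'path' (brand only in
    the path of an ordinary site, weak: news articles mention banks too).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    is_ip = _is_ip_literal(host)
    for brand, legit in BRANDS.items():
        if registrable_domain(host) in legit:
            continue  # genuine brand domain, nothing to flag for this brand
        if brand in _normalize(host):
            return (brand, "host")
        if brand in _normalize(parts.path):
            return (brand, "ip" if is_ip else "path")
    return None


if __name__ == "__main__":
    # Constructed sample URLs; none of these are real indicators.
    samples = [
        "https://www.bankofamerica.com/login",
        "https://secure-bankofamerica.com-alerts.example/verify",
        "http://203.0.113.5/bankofamerica/device-alert.php",
        "https://www.example.org/news/chase-earnings",
    ]
    for u in samples:
        print(u, "->", classify_url(u))
```

Substring matching after separator collapse is deliberately loose (it will also match "chase" inside "purchase"), which is why the result carries a confidence label instead of a verdict: host-level and bare-IP hits are worth blocking or sandboxing, while path-only hits should only add to a score alongside other signals such as the sender domain and link age.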
Bank of America was one of ten financial services brands in the top 25, including several small firms, a shift from the previous year when hackers primarily targeted Wall Street banks.
Overall, the financial services industry was targeted more than any other, representing 37 percent of all unique phishing URLs detected by Vade. Cloud services follow closely behind, with Microsoft and PayPal being the most targeted brands in that industry.
Among the most spoofed banks, Chase dropped more than 14 percent in the rankings, but CIBC, previously in the 21st spot, jumped to the 7th position, with a 399.5 percent increase in phishing URLs over 2018. Credit Agricole saw a 49.4 percent increase, while Wells Fargo phishing URLs decreased significantly, by more than 74 percent.
Like CIBC, ATB, an Alberta institution, saw a 317.8 percent increase in phishing URLs. Desjardins, after several quarters of limited growth in phishing URLs, jumped 47 spots on the list, coming in at #15 in the top 20 with a 1,680.4 percent increase in phishing URLs over 2018.
The increase in Desjardins phishing came after a massive data leak in 2019 that involved a Desjardins employee leaking more than 2.9 million records. High profile data leaks are often the catalyst for widespread phishing attacks, a form of seasonal or event-based email attack that capitalizes on high-profile events.
The trend toward attacks on community banks tracks with the global surge in cyberattacks against SMBs. 2019 saw a rash of attacks targeting businesses outside the usual enterprise attack surface, including attacks on government agencies, either directly or through attacks on MSPs. The success of those attacks makes it likely that the trend will continue through 2020, an especially troubling scenario considering the state of SMBs during the global COVID-19 pandemic.
Phishers’ Favorites 2019 Year in Review explores the top 20 impersonated brands in phishing attacks and the phishing trends and techniques that defined 2019. Read the report for more data on why hackers choose the top spoofed brands and how to use the data to educate clients and prospects about the dangers of phishing and importance of email security.