Financial services organizations are increasingly targeted by attackers using impostor emails attempting to commit fraud, according to the 2019 Email Fraud in Financial Services report published by Proofpoint.
The study analyzed more than 160 billion emails sent from 2017 to 2018, according to research. Research revealed that these business email compromise (BEC) attacks have grown by an alarming 60% from the same time in 2017. All of the attacks reportedly shared a high degree of social engineering.
The malicious actors employed domain spoofing to send the nefarious messages. The messages, which appeared to come from trusted domain sources, most often requested payments using fake identities. In addition, most attackers dispersed the emails on Mondays from 7 a.m. to 2 p.m. so that they appeared more legitimate to unsuspecting employees.
Of the financial services firms that were targeted, 56% reported that more than five employees were targeted by BEC attacks in the final quarter of 2018. “In other words, the identities of at least five of the companies’ employees were weaponized to target other employees within that organization. About 37% of companies were targeted using two to five spoofed employee identities,” the report said.
The subject lines used in BEC attacks on financial services organizations frequently have a payment-related subject line, but attackers also use shipment-related subject categories in these impostor attacks, the report said.
“While email fraud is not unique to financial services organizations, this industry’s employees hold the keys to one of the most potentially lucrative paydays for cyber-criminals. One wrong click can expose an entire brand and its customers to substantial risk and even bigger losses,” said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, in an email.
“It is critical that organizations prioritize the implementation of solutions that defend against these attack methods, specifically against domain spoofing, display-name spoofing and lookalike domains and [that they] train employees to identify and report socially engineered attacks across email, social media and the web.”