Brand spoofing is when scammers impersonate a person or a company to trick users into trusting the sender and giving away sensitive information such as personally identifiable information (PII) and bank account details.
While brand spoofing targets nearly all business sectors, it is particularly relevant to financial institutions for several reasons. First, financial institutions handle money and funds, which are the scammers' main target. Second, because of COVID-19 precautions, many financial institutions rely even more on phone calls and emails to communicate with their clients. Thus, telling a scammer apart from a legitimate representative of the financial institution is becoming a growing concern.
Let us look at some of the most common real-life situations where scammers use brand spoofing to victimize clients and employees of financial institutions.
Spoofing Situation #1: Fake email confirmation
In this scenario, the hacker sends a legitimate-looking email asking users to update their personal details or verify their accounts as part of a “new online system.” The users are given a limited timeframe within which to verify their accounts. The catch is that once the target clicks on the link, they are led to a fake website where they must enter their login details.
In some cases, the fake email alerts them to a nonexistent purchase made using their bank account. This is meant to cause panic and push the recipient to do as the email says in order to “revert” the transaction. But as you would have guessed, this email aims to steal the user’s bank account details.
Spoofing Situation #2: Fake SMS Alert
Another common spoofing scenario is where hackers use SMS alerts to trick users into visiting a link that leads to a fake website. The fake website can be very deceiving, as hackers have gotten pretty good at impersonating the real site. Always remember that financial institutions will never ask users to verify their accounts or click a link. If you have even the slightest doubt, check with the financial institution directly.
Spoofing Situation #3: Fake wire transfer request
In this scam, the fraudster pretends to be a high-level executive of the financial institution, such as the CEO, CFO, or COO. This type of scam targets employees but can affect clients as well. In this scenario, the scammer hacks into an employee's account and uses it to request a wire transfer through the company's bank.
In most cases, the email addresses are spoofed and misspelled, but this may not be easy to spot at first glance. In other cases, the perpetrators compromise the email accounts of top executives and use the hacked email to send fake transfer requests to the financial institution’s payment teams or senior management.
These fraudsters typically claim to be handling confidential matters that need urgent action and insist that the funds be sent immediately. The goal of this scam is to induce panic in the recipient so that standard protocols are ignored.
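As an added example (not part of the original article), a mail-gateway style check for the pattern above: it flags sender domains that are misspellings or digit-for-letter imitations of the institution's real domain and holds urgent wire-transfer requests for out-of-band verification. The domain examplebank.com, the sample addresses and the cue list are constructed for this example.

```python
import re

LEGIT_DOMAIN = "examplebank.com"  # assumed legitimate domain (constructed)
URGENCY_CUES = ("urgent", "immediately", "confidential", "wire transfer")
# Digits that are commonly mistaken for letters in sender domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Lower-case, map look-alike digits to letters and fold 'rn' into 'm'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Extract the domain from 'Display Name <user@host>' or a bare address."""
    m = re.search(r"@([\w.-]+)>?\s*$", addr)
    return m.group(1).lower() if m else ""


def classify_sender(addr: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for a From: address."""
    dom = sender_domain(addr)
    if dom == legit or dom.endswith("." + legit):
        return "legitimate"
    if legit in dom:  # real name embedded in a longer, attacker-controlled domain
        return "lookalike"
    # A misspelling or digit-for-letter swap within two edits of the real name.
    if edit_distance(normalize(dom), normalize(legit)) <= 2:
        return "lookalike"
    return "external"


def triage(from_addr: str, body: str) -> dict:
    """Hold a message if the sender is a look-alike or the body carries urgency cues."""
    verdict = classify_sender(from_addr)
    cues = [c for c in URGENCY_CUES if c in body.lower()]
    # Urgent transfer requests are verified by phone even from a real address,
    # because executive mailboxes themselves get compromised.
    hold = verdict == "lookalike" or bool(cues)
    return {"sender": verdict, "cues": cues, "hold_for_review": hold}
```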
Spoofing Situation #4: Fake phone call scam
Hi, Mr. A! This is from Financial Institution B, alerting you of an unauthorized transaction. I will need your credit card details and your OTP so we can revert this transaction.
The above is a simplified example of a phone call that victims may receive from a fraudster claiming to be from a financial institution. Financial institutions are very careful about managing and handling accounts, and they would never ask for any personal information over the phone, even if an unauthorized transaction really had been made using your account.
Email authentication and identity verification play a big part in mitigating the risk of falling victim to brand spoofing and impersonation attacks. Online security solutions such as S/MIME not only help companies keep emails private and secure through end-to-end encryption, but also authenticate the sender's identity, making it easier for clients to tell spoofed emails from real ones.
In our next article, we will discuss how you can prove and authenticate your identity on e-mails and dive deeper into this topic. Stay tuned for Part 2!