It has been reported that Canadian banks are being impersonated in a phishing campaign targeting both individuals and businesses via a large-scale infrastructure shared with previous attacks going back to 2017 and pointing to the same attackers. The infrastructure behind these Canadian-focused attacks includes hundreds of phishing websites designed to mimic major Canadian banks’ websites as part of an effort to steal user credentials from the financial institutions’ clients. To get the targets onto their phishing landing pages, the attackers use custom-crafted and legitimate-looking email messages with malicious PDF attachments.

Phishing schemes have become extremely sophisticated, targeted and deployed with all the power of social media, aimed at stripping end users of their authentication credentials and other sensitive information. With phishing emails, from the moment a user receives a malicious email in their inbox, the clock is ticking – most users who click on links and provide their information, or open a malware-infected document, do so within that first hour. Once they do, their credentials are immediately harvested for hackers to leverage or sell on the Dark Web.
Educating end users is not a reliable solution. The continued success of these attacks highlights a major flaw in identity validation: it relies on credentials that can be stolen and reused. A multi-layered approach to authentication that adds newer and more secure techniques such as passive biometrics and behavioral analytics should be implemented by companies to determine whether the expected human user is accessing and transacting on the account or a cybercriminal who needs to be blocked.
Phishing and email-based attacks present a twofold problem for companies to solve: the first is technical controls and the second is human education. Companies should invest in a spam and email filtering service to prevent known or suspicious emails from reaching recipients. Additional controls include endpoint protection software and configuring the corporate email client to present a banner on any external emails. The banner can be used to warn recipients that the email is external and that they should be cautious when opening any attachments, clicking links, or responding. Regarding the human controls, security awareness training should be mandatory for all employees and cover typical phishing attack methods and what should make a recipient suspicious. Finally, a company should also invest in regular phishing security testing of its employees to ensure that the technical controls and human education components are working together to prevent a real attack.
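The external-email banner described above is usually a mail-gateway or client rule, but the logic is small enough to show in code. The following is an added example, not code from the article or from any vendor: it parses a raw message with Python's standard `email` library, decides whether the sender is outside the organization, and prepends a warning to the subject and body. It also surfaces two signals relevant to this campaign, a Reply-To that points somewhere other than the sender's domain and PDF attachments. The internal domain list and the sample message are constructed placeholders (`.invalid` names), not real addresses.

```python
"""Tag inbound mail that originates outside the organization.

Added example (not from the article): models the "external e-mail banner"
control.  INTERNAL_DOMAINS and RAW_MESSAGE are constructed for illustration.
"""
import email
import email.policy
from email.utils import parseaddr

# Constructed: domains this organization sends mail from.
INTERNAL_DOMAINS = frozenset({"example-corp.invalid"})

BANNER = ("[EXTERNAL EMAIL] This message came from outside the organization. "
          "Do not open attachments or follow links unless you expected them.")

# Constructed sample: a "bank notice" lure with a PDF attachment, sent from a
# domain the organization does not control, with replies routed elsewhere.
RAW_MESSAGE = """\
From: "Account Services" <notice@bank-secure-notice.invalid>
Reply-To: support@another-host.invalid
To: staff@example-corp.invalid
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Please review the attached statement and confirm your details.
--BOUNDARY
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""


def parse(raw):
    """Parse a raw RFC 5322 message into an EmailMessage (modern policy)."""
    return email.message_from_string(raw, policy=email.policy.default)


def sender_domain(header_value):
    """Lowercased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_external(msg, internal_domains=INTERNAL_DOMAINS):
    """True when the From domain is not one of ours (missing From counts as external)."""
    return sender_domain(msg["From"]) not in internal_domains


def reply_to_mismatch(msg):
    """True when Reply-To sends answers to a different domain than From."""
    reply = sender_domain(msg["Reply-To"])
    return bool(reply) and reply != sender_domain(msg["From"])


def attachment_names(msg):
    """Lowercased filenames of all attachments (used here to spot PDF lures)."""
    return [(part.get_filename() or "").lower() for part in msg.iter_attachments()]


def tag_message(raw, internal_domains=INTERNAL_DOMAINS):
    """Parse a raw message; if it is external, prefix Subject and body with the banner."""
    msg = parse(raw)
    if not is_external(msg, internal_domains):
        return msg

    subject = msg["Subject"]
    if subject is None:
        msg["Subject"] = "[EXTERNAL] (no subject)"
    else:
        msg.replace_header("Subject", "[EXTERNAL] " + str(subject))

    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        notes = [BANNER]
        if reply_to_mismatch(msg):
            notes.append("Note: replies go to a different domain than the sender.")
        pdfs = [name for name in attachment_names(msg) if name.endswith(".pdf")]
        if pdfs:
            notes.append("Note: PDF attachment(s): " + ", ".join(pdfs))
        # set_content() clears the old Content-* headers and payload first.
        body.set_content("\n".join(notes) + "\n\n" + body.get_content())
    return msg


if __name__ == "__main__":
    tagged = tag_message(RAW_MESSAGE)
    print(tagged["Subject"])
    print(tagged.get_body(preferencelist=("plain",)).get_content())
```

The From-domain check is deliberately simple; a production gateway would also compare the envelope sender and the authentication results (SPF/DKIM/DMARC) rather than trusting the displayed header alone.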
Education and basic precautions are the key to avoiding phishing attacks. Users should understand the capabilities of phishers; they should know that anyone can construct a web site that looks just like the real thing, and anyone can get a legitimate certificate for a fake web site. Users should always check the URL they are visiting to make sure it matches what they expect. They should trust their instincts when it seems like something is not quite right, or they are being asked for credentials at an unexpected time.
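"Check that the URL matches what you expect" is easy to say and hard to do by eye, because lookalike hosts are built to pass a glance. The following added example (not from the article) makes the check explicit: it accepts a link and the bank's real registrable domain, and reports why the link does or does not belong to that domain. It goes a little beyond the text by also flagging the common tricks that defeat a visual check: a non-https scheme, a `user@host` prefix that hides the real host, the brand name used as a subdomain or with a hyphen on another domain, and one- or two-letter misspellings. `EXPECTED_DOMAINS` and the sample URLs are constructed placeholders (`.example` / `.invalid`), not real bank hostnames.

```python
"""Verify that a link points at the site the user expects.

Added example, not code from the article: turns "check the URL matches what
you expect" into a concrete check.  EXPECTED_DOMAINS and SAMPLE_URLS are
constructed placeholders, not real bank hostnames.
"""
from urllib.parse import urlsplit

# Constructed: the registrable domain(s) the user's real bank uses.
EXPECTED_DOMAINS = frozenset({"yourbank.example"})


def registrable_domain(host):
    """Last two labels of a hostname; enough for the simple TLDs used here.

    A real deployment should consult the Public Suffix List so that names
    such as 'bank.co.uk' are reduced correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot misspellings such as 'yourbamk'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, expected_domains=EXPECTED_DOMAINS):
    """Return (ok, reasons).

    ok is True only when the URL uses https, carries no user@ prefix and its
    host is an expected domain or a subdomain of one.  reasons lists every
    finding so that a failing result explains itself to the user.
    """
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if parts.username is not None:
        reasons.append(f"text before '@' is not the host; the real host is {host!r}")
    if not host:
        reasons.append("no hostname in URL")
        return False, reasons

    if registrable_domain(host) in expected_domains:
        return not reasons, reasons

    reasons.append(f"host {host!r} is not under any of {sorted(expected_domains)}")
    flat = host.replace("-", "").replace(".", "")
    for expected in expected_domains:
        brand = expected.split(".")[0]
        if brand in flat:
            reasons.append(f"host contains the brand name {brand!r} but is a "
                           "different domain (lookalike)")
        elif edit_distance(registrable_domain(host).split(".")[0], brand) <= 2:
            reasons.append(f"host looks like a misspelling of {expected!r}")
    return False, reasons


# Constructed sample links of the kind a phishing mail or a real notice carries.
SAMPLE_URLS = [
    "https://online.yourbank.example/login",           # genuine
    "http://yourbank.example/login",                   # right host, no TLS
    "https://yourbank.example.secure-login.invalid/",  # brand as a subdomain
    "https://yourbank-secure.invalid/verify",          # brand plus hyphen
    "https://yourbank.example@login.invalid/",         # user@ trick
    "https://yourbamk.example/login",                  # one-letter misspelling
]

if __name__ == "__main__":
    for link in SAMPLE_URLS:
        ok, why = check_url(link)
        print("OK  " if ok else "WARN", link)
        for reason in why:
            print("      -", reason)
```

The point of returning reasons rather than a bare boolean is the same as the article's advice to trust one's instincts: a user (or a help desk) is far more likely to act on "the real host is login.invalid" than on a silent block.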