A new phishing scam is emerging to trick consumers into handing over their sensitive financial details, according to Which?
Cyber criminals are spoofing the emails that banks, payment firms and e-commerce providers are sending to ask customers for up-to-date information as part of the new Strong Customer Authentication (SCA) requirements. The changes are part of the EU's PSD2 (Revised Payment Services Directive), which requires a form of two-factor authentication for online transactions over £30. The UK's implementation of these rules has been delayed by a further 18 months from the original 14 September deadline.
Phishing emails imitating genuine messages to customers of Santander, Royal Bank of Scotland (RBS) and HSBC have already been seen.
What to look for:
The phishing email, which will most likely be untargeted, asks the recipient to update their banking information ahead of "new procedures". The email contains links designed to take the victim to a lookalike banking page built to harvest their banking details.
These phishing emails are helped by the fact that legitimate brands include links in their own emails, which makes it hard for consumers to spot the difference. The brands also send legitimate marketing emails from multiple unusual domains, so it is easy to see why anyone would struggle to be certain whose email is genuine. Financial institutions often tell customers not to follow links in emails, yet in the same breath continue to send emails urging them to click through. It is hardly surprising that the general public is confused about what is and is not a deceptive email.
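To make the "what to look for" advice concrete, here is an added example (not code from the article or from Which?) that scans the links in an email body the way a mail filter or a careful reader would. It flags hrefs whose registered domain is not on the brand's known list, the brand name used as a decoy in a subdomain or path, bare IP-address hosts, and anchors whose visible text shows one domain while actually linking to another. The brand allowlist, the sample message and the simplified registered-domain logic (a production tool would use the Public Suffix List) are assumptions made for this example.

```python
"""Scan the links in an email body for the phishing tell-tales described above.

Added example; the allowlist, sample email and domain logic are constructed
for illustration and are not the article's or any vendor's code.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the domains a (hypothetical) brand genuinely links to.
# Real banks publish such lists; this one is an assumption for the example.
KNOWN_BRAND_DOMAINS = {"santander": {"santander.co.uk", "santander.com"}}

# Constructed sample email: two deceptive links and one genuine one.
# 203.0.113.5 and the .example TLD are reserved documentation values.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, under our new procedures you must update your details.</p>
<p><a href="https://santander.co.uk.secure-update.example/login">https://www.santander.co.uk/update</a></p>
<p><a href="http://203.0.113.5/santander/verify">Verify now</a></p>
<p><a href="https://www.santander.co.uk/help">Help centre</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: last two labels, or three for suffixes like co.uk.

    Simplification for the example; use the Public Suffix List in practice.
    """
    labels = host.lower().rstrip(".").split(".")
    second_level = {"co", "org", "ac", "gov", "com", "net"}
    if len(labels) >= 3 and labels[-2] in second_level and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(href, text, brand):
    """Return the reasons a link looks deceptive for `brand` (empty list = fine)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return [f"non-web link {href!r}"]
    try:
        ipaddress.ip_address(host)
        return ["host is a bare IP address"]
    except ValueError:
        pass  # a hostname, carry on with the domain checks

    reasons = []
    reg = registered_domain(host)
    if reg not in KNOWN_BRAND_DOMAINS[brand]:
        reasons.append(f"link goes to {reg}, not a known {brand} domain")
        # Brand name stuffed into a subdomain or path of an unrelated domain.
        if brand in host or brand in parsed.path.lower():
            reasons.append(f"'{brand}' used as decoy in hostname or path")

    # If the anchor text itself looks like a URL or domain, it must match the href.
    if "." in text and " " not in text:
        shown = text if "://" in text else "//" + text
        shown_host = urlparse(shown).hostname
        if shown_host and registered_domain(shown_host) != reg:
            reasons.append(f"displayed {registered_domain(shown_host)} but links to {reg}")
    return reasons


def scan_email(html, brand):
    """Run check_link over every anchor in the body; returns one dict per link."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [{"href": href, "text": text, "reasons": check_link(href, text, brand)}
            for href, text in extractor.links]


if __name__ == "__main__":
    for result in scan_email(SAMPLE_EMAIL_HTML, "santander"):
        verdict = "SUSPICIOUS" if result["reasons"] else "ok"
        print(f"{verdict:10} {result['href']}  ({'; '.join(result['reasons'])})")
```

The display-text check is the one consumers can do by hand: hover over the link and compare the domain shown with the domain in the status bar. The decoy check catches the common trick of putting the real brand domain at the front of a much longer hostname that actually belongs to the attacker.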
Email as implemented today is a terrible system for conducting business. It was never designed to be secure, and the protocols that have grown up around it to make it more secure (sender authentication such as SPF, DKIM and DMARC, for example) are essentially a sticking plaster on a gaping wound. The phishing problem will continue to grow as more companies move to Office 365 and other cloud-based email. Most businesses move to take advantage of the productivity apps and to reduce costs, but they also find a huge uptick in phishing attacks targeting staff to harvest their password credentials, for example by sending them to a cloned Office 365 login page.
Unlike consumers, companies have vendor choices for securing staff against direct impersonation attacks. The latest Cloud Email Security Supplements (CESS) have been designed specifically for cloud-based email environments and can detect and defend against these new threats. The Egress Defend solution is shaped and guided by GCHQ and NCSC, detects advanced phishing threats up to nation-state level, and makes staff aware of why an email has been flagged. If your business has moved to Office 365 and is getting ongoing phishing attacks, then we have the solution.