How phishing scams target bank customers

Security challenges

Bank customers are ripe targets for email phishing scams. Communication between banks and their customers had been going digital for some time, and then the pandemic amplified this trend even further. This makes for a large number of easy targets – almost everyone has a bank account, but many are far from tech-savvy.

So how to target them? Email offers a valuable path of least resistance for scammers: it’s free, easy to use, and everybody has it. The payoffs for email phishing can be huge for scammers, with simple scams giving them instant access to people’s bank accounts and personal details.

The 2021 Identity Fraud Study, released by Javelin Strategy & Research, found that identity fraud is increasingly focused on individual consumer transactions. They discovered that $56 billion was lost to fraud in 2020, with $43 billion attributed to identity fraud scams.

How do the scams work?

Cybercriminals are ‘spoofing’ the genuine emails being sent from banks, payment firms and e-commerce providers. Email spoofing is where scammers modify the sender display name or use a fake email address that looks very similar to the real one. Good spoofs can be really hard to spot at first glance.  

The email will then usually ask the recipient to log in for a plausible reason. They might ask you to check an unauthorised transfer or log in to retain access to your online services. Once you click on the link within the email, you’ll be taken to a log in portal on a spoofed web address. Same as with the email itself, this will look just like a realistic login portal for your bank.

At this point, if you enter your login details they’ll be farmed by the scammers. Some portals will then redirect you to the real site, making you think the page has just refreshed and you need to try again. The scammers can then use your login details to access your bank account or use your personal details for further identity fraud.

What should I watch out for?

Check for anything out of the ordinary, such as unusual grammar, different tone of voice, or lower quality pictures and logos. However, remember that even if an email looks and sounds real, that doesn’t mean it is. Some phishing emails look very high quality.

You also need to question whether your bank would normally send you this kind of email. Have they made a request like this before? Do they usually email at this sort of time? Phishing emails try to play on your emotions and get you to act fast, before your suspicions can grow, so they’ll often have an urgent subject line or carry a veiled threat about you needing to act quickly.

Keep an eye out for topical events cybercriminals may looks to exploit too. When the EU’s PSD2 regulations came into force, a form of two-factor authentication on any online transactions over £30 was required. Scammers jumped on this, sending mass phishing emails to bank customers asking them for up-to-date info, as part of new Strong Customer Authentication (SCA) requirements.

Why do these attacks keep happening?

These phishing emails are helped in part because legitimate brands include links in their own emails which makes it hard for consumers to spot the difference with phishing emails. Financial institutions often tell customers not to follow links in emails but in the same breath continue to send them emails urging them to click through.

Email itself as a form of business communication remains a problem too. It’s simply such an easy attack route for scammers. Email was never designed to be secure, and the protocols that have grown up around email to make them more secure are little more than sticking plasters. It is hardly surprising the general public can be confused about what is and not a deceptive email.

Want to learn more?

Modern phishing scams are more sophisticated and harder to spot than ever. Learning the signs and understanding the risks are the first steps to keeping yourself and your business safe. Head to our dedicated information hub for everything you need to know about phishing.