Fraudsters are launching phishing attacks that exploit strong customer authentication (SCA) to steal users’ banking credentials.

Which? reported on a series of phishing attacks that masqueraded as official correspondence from Santander, Royal Bank of Scotland (RBS) and HSBC. The attack emails drew in recipients by invoking SCA.

A response to the Payment Services Regulations 2017, or PSD2, SCA consists of new security checks that are expected to become increasingly common in online shopping and banking transactions processed within the U.K. and European Union (EU). Banks, card providers and retailers have thus begun asking users to provide up-to-date contact information so they can implement SCA going forward.

To capitalize on this trend, attackers are targeting banking customers with fraudulent SCA messages. Specifically, they are crafting phishing emails informing recipients that they need their most up-to-date personal details. These messages contain links that redirect recipients to fraudulent websites designed to steal their personal information, giving threat actors all the data they need to access victims’ bank accounts.

Just the Latest Digital Threat Targeting Banks

In mid-August, Reuters reported on a similar attack in which the European Central Bank (ECB) shut down one of its websites after criminals compromised it with malware to facilitate future phishing attacks. About two weeks later, Cofense uncovered a sample of Trickbot that used Google Docs to bypass an email gateway. In September 2019, Cofense spotted phishing emails that used SharePoint to bypass this same technology.

How to Defend Against Phishing Attacks

Security professionals can help organizations defend against phishing attacks by using ahead-of-threat detection to spot suspicious domains before they are activated in attack campaigns. Companies should also look to integrate phishing intelligence with their security information and event management (SIEM) to reduce the amount of time needed to analyze an attack’s severity and impact.

more from

What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal […]