CyberSecurity SEE

Microsoft and American Express: Most commonly impersonated brands in phishing emails targeting financial services

A recent report by Trustwave SpiderLabs has revealed that technology giant Microsoft and multinational banking firm American Express are the most frequently spoofed companies in phishing emails targeting the financial services industry. The report, titled the 2023 Financial Services Sector Threat Landscape, explores the various threats faced by the financial services industry and highlights the prevalence of phishing and email-borne malware as the primary methods used by cybercriminals to gain unauthorized access to organizations.

Trustwave SpiderLabs has observed “interesting developments” in the delivery methods, techniques, themes, and targeted brands of attacks on financial services over the past year. These developments have contributed to the ongoing relevance and effectiveness of phishing attacks in particular.

The financial services industry has become an increasingly attractive target for cybercriminals. A separate study conducted by Akamai discovered a significant surge in web application and API attacks targeting the global financial services industry. These attacks increased by 65% in the second quarter of 2023 compared to the same period in 2022, with a total of 9 billion attacks recorded over an 18-month time frame. The research revealed that banks bore the majority of these attacks, highlighting the vulnerability of the sector.

In addition to phishing attacks, the financial services sector has also experienced a rise in Distributed Denial of Service (DDoS) attacks. Trustwave SpiderLabs’ report states that the financial services sector now ranks as the top vertical for DDoS attacks, with the EMEA region accounting for 63.5% of global DDoS events.

According to Trustwave SpiderLabs’ data from its financial services client base, HTML files are the most commonly used malicious attachments in phishing emails, comprising 78% of all assessed malicious attachments. These HTML files are primarily employed for credential phishing, redirectors, and HTML smuggling. Furthermore, 33% of HTML files utilize obfuscation as a defense evasion technique.

The report also notes that executables are the second most prevalent type of malicious attachment, accounting for 14% of all assessed attachments. Among the most frequently observed attachments are information-stealing malware families such as Gootloader, XLoader, Lokibot, Formbook, and Snake Keylogger. Additionally, the dataset revealed the presence of the Agent Tesla Remote Access Trojan (RAT).

In comparison, attackers make limited use of PDFs (3%), Excel files (2%), and Word documents (1%) as malicious attachments, as reported by Trustwave SpiderLabs.

Some of the common themes found in phishing emails with malicious attachments include voicemail notifications, payment receipts, purchase orders, remittances, bank deposits, and quotation requests. The most frequently spoofed brands in these types of attacks are American Express (24%), DHL (21%), and Microsoft (15%).

The report also identifies non-malicious attachment phishing themes, such as “Urgent Action” messages, mailbox-related alerts, document sharing, e-signing, account-related alerts, missed communications, meeting-related notifications, and payment/invoice-related alerts. In these types of attacks, Microsoft (52%), DocuSign (10%), and American Express (8%) are the brands most commonly spoofed.

Finally, the report highlights that in the context of Business Email Compromise (BEC), the most frequently used theme is “Payroll Diversion” at 48%, followed by “Request for Contact” at 23%, and “Task” at 13%.

The findings of the Trustwave SpiderLabs report shed light on the growing threats faced by the financial services industry. As cybercriminals continue to evolve their tactics and target high-profile organizations, it is crucial for financial institutions to remain vigilant and prioritize cybersecurity measures to protect sensitive information and mitigate potential risks.
