Watch out: These phishing emails claiming to be a 'secure message' from your bank

A new campaign is looking to take advantage of the trust customers put into communications with their bank.
Written by Danny Palmer, Senior Writer

Criminals register domains which look like those of legitimate banking websites - but aren't.


Cyber criminals are faking secure messages from banks as a means of delivering malware to victims.

Banks often provide secure messaging services, typically through an online portal, so that customers can communicate with the bank without having to pick up the phone or visit a branch.

Hackers have realised that this provides a new method of attack and are now crafting spoof emails claiming to contain documentation relating to secure messages.

The sorts of clients who opt to use these secure messaging services are often high-value targets who already have a trusting online relationship with their bank - so they could be more willing to follow instructions in an email from scammers that they believe to be real.

Criminals are registering domains that look like legitimate bank domains, and the fact that they're fake goes unnoticed because users don't know how to spot an imposter or their email client doesn't show the full domain in the subject line.

Uncovered by security researchers at Barracuda Networks, the campaign uses phishing emails to impersonate customers of big banks including Bank of America and TD Commercial banking.


The spoof messages are designed to look legitimate, even featuring sender addresses which look as if they come from the institution.
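A mail filter can catch the lookalike sender domains described above by comparing the From domain and display name against the bank's real domain. This is an added example, not code from Barracuda Networks or the article; `examplebank.com`, the sample headers and the two-edit threshold are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the bank's real sending domain (placeholder, not a real bank).
TRUSTED = {"examplebank.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(raw_message):
    """Return (verdict, reason) for the From header of a raw RFC 5322 message."""
    display, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return ("suspicious", "no sender domain")
    for good in TRUSTED:
        # Exact match or a true subdomain. This checks the name only; whether the
        # mail really came from that domain is decided by SPF/DKIM/DMARC results.
        if domain == good or domain.endswith("." + good):
            return ("trusted-name", good)
    for good in TRUSTED:
        brand = good.split(".")[0]
        if brand in domain:  # brand padded with extra words or a foreign suffix
            return ("lookalike", f"brand '{brand}' embedded in {domain}")
        if edit_distance(domain, good) <= 2:  # swapped or substituted characters
            return ("lookalike", f"{domain} is within 2 edits of {good}")
        if brand in display.lower().replace(" ", ""):  # name says bank, domain does not
            return ("lookalike", f"display name claims the bank, domain is {domain}")
    return ("unknown", domain)

# Constructed sample headers, not taken from the campaign.
SAMPLES = [
    'From: "Example Bank" <secure@examplebank.com>\n\nbody',
    'From: Example Bank <alerts@examp1ebank.com>\n\nbody',
    'From: Secure Message <notify@examplebank-securemail.com>\n\nbody',
    'From: "Example Bank" <billing@mailer.example.net>\n\nbody',
    'From: Shop News <news@shop.example.org>\n\nbody',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.splitlines()[0], "->", classify_sender(raw))
```
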

In some instances, the messages simply ask the victim to click on and download an attached document. However, others keep up the façade of being 'secure' - some emails provide instructions about using an authorization code to 'unlock' the attachment.


A phishing email sent out in the campaign.

Image: Barracuda Networks

The malicious payload within is able to rewrite the files in the user's directory on Windows machines once the victim opens the document - and this script can potentially be missed by anti-virus software, which is thrown off the scent because it thinks the document is benign.

However, once downloaded onto the system, criminals have access to it and can update the script at a later date to become something more malicious, such as credential stealing malware - enabling them to stealthily gain access to the bank account of the victim - or something more brazen like ransomware.

Faking email messages might seem like a basic attack, but criminals are deploying this tactic because it works - especially when trusted institutions such as banks are used.

However, the good news is that users can be trained to spot phishing attacks - taking a step back and assessing the legitimacy of an email can go a long way towards protecting an individual or their organisation from falling victim to hackers.

