Cybercriminals Impersonate Santander Bank with Fake Identity Verification in Credential Theft Attempt
In this phishing attack, cybercriminals impersonate Santander Bank using a spoofed sender address to deliver fraudulent security alerts. Under the subject line "Your online access verification," the email claims that an unauthorized transaction has been detected on the recipient's account and that, as a result, certain online features are temporarily restricted until identity verification is completed. The target is instructed to follow the provided link to verify their identity and "prevent deactivation." A recipient who clicks the "Verify Now" link is redirected to a malicious website designed to harvest credentials and other sensitive information. The email convincingly reproduces Santander's branding and mimics the language and format of legitimate Santander Bank communications, manufacturing urgency around account security so that the recipient follows the instructions without questioning the email's legitimacy.
Legacy email security tools struggle to identify this email as an attack: it originates from a spoofed address, carries no malware or suspicious attachments, and comes from a sender with whom no one at the organization has previously interacted. Modern AI-powered email security solutions detect the suspicious language and links in the email body and recognize that the sender's domain does not match the displayed sender name, and on that basis flag the email as an attack.
Phishing email impersonating official communication from Santander Bank
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The sender name and address are crafted to look like Santander's, but the message is sent from a domain the attacker controls rather than from Santander's own. Because the sending domain is the attacker's, sender-authentication checks such as SPF, DKIM and DMARC can pass, so basic verification does not catch the message, and the familiar name adds perceived authenticity.
- Lack of Attachments: With no attachment, there is nothing for antivirus and anti-malware engines focused on attachment-based threats to inspect, so the email passes those controls untouched.
- Unknown Sender: The email comes from a sender the recipient's organization has never interacted with before. Legacy security tools have no history to judge a new sender against and often fail to assess its risk accurately.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Content Analysis: The email’s urgent message is flagged by Abnormal’s content analysis algorithms as a common phishing tactic.
- Suspicious Link Analysis: Abnormal's systems scrutinize the links in the email body; a call-to-action link pointing to a suspicious domain triggers deeper analysis for possible malicious intent.
- Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
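The three indicators listed above (sender name and domain mismatch, urgency language, and a suspicious call-to-action link), together with the display-name spoofing described under "Spoofed Email Address," can be reproduced with plain heuristics over a raw message. The script below is an added example for this page, not Abnormal Security's detection code; the two sample messages, the brand domain allowlist `BRAND_DOMAINS`, and the `URGENCY_PHRASES` list are constructed assumptions for illustration.

```python
"""Heuristic brand-impersonation checks over a raw email (added example).

The samples, BRAND_DOMAINS and URGENCY_PHRASES are constructed assumptions.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "santander"
# ASSUMPTION: domains the impersonated brand legitimately sends and links from.
BRAND_DOMAINS = {"santander.com", "santander.co.uk"}
# ASSUMPTION: phrases typical of the pressure tactic described on the page.
URGENCY_PHRASES = (
    "unauthorized transaction",
    "temporarily restricted",
    "verify your identity",
    "prevent deactivation",
    "verify now",
)

# Constructed sample resembling the phishing email described on the page.
PHISH_EML = b"""From: "Santander Bank" <alerts@online-access-verify.example>
To: victim@corp.example
Subject: Your online access verification
Content-Type: text/html; charset=utf-8

<html><body>
<p>An unauthorized transaction has been detected on your account.
Certain online features are temporarily restricted until identity
verification is completed. Use the link below to verify your identity
and prevent deactivation.</p>
<p><a href="https://santander-secure-login.example/verify">Verify Now</a></p>
</body></html>
"""

# Constructed benign sample: the brand's domain in both sender and link.
BENIGN_EML = b"""From: "Santander Bank" <statements@santander.com>
To: victim@corp.example
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your monthly statement is now available in online banking.</p>
<p><a href="https://www.santander.com/statements">View statement</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def is_brand_host(host):
    """True only for a brand domain or a subdomain of one; look-alikes fail."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def analyze(raw):
    """Return the indicator names found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    indicators = []

    # Indicator 1: display name invokes the brand but the address domain is
    # not the brand's. SPF/DKIM/DMARC would pass: the attacker's domain is real.
    display_name, address = parseaddr(str(msg.get("From", "")))
    if BRAND in display_name.lower() and not is_brand_host(address.rpartition("@")[2]):
        indicators.append("sender_name_domain_mismatch")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""

    # Indicator 2: two or more pressure phrases in the body text.
    if sum(p in body.lower() for p in URGENCY_PHRASES) >= 2:
        indicators.append("urgency_language")

    # Indicator 3: any link whose host lies outside the brand's domains.
    extractor = _LinkExtractor()
    extractor.feed(body)
    if any(not is_brand_host(urlparse(href).hostname) for href, _ in extractor.links):
        indicators.append("suspicious_link")

    return indicators


if __name__ == "__main__":
    print("phish :", analyze(PHISH_EML))
    print("benign:", analyze(BENIGN_EML))
```

On the constructed phishing sample `analyze` returns all three indicators; on the benign statement notice it returns none. Two design points matter in practice: the link check tests the registered domain rather than looking for the brand string in the URL, so a look-alike such as `santander-secure-login.example` is not mistaken for the brand, and the sender check keys on the display name precisely because SPF, DKIM and DMARC only authenticate the sending domain, which here is the attacker's own.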
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.