In this phishing attack, cybercriminals use a spoofed email address to impersonate Capital One and send a fraudulent notification about a recent merchant credit refund. To increase the appearance of legitimacy, the attackers incorporate Capital One branding into the sending address, sender display name, subject line, and email content. The email informs the recipient that a temporary hold has been placed on their refund for security reasons and urges them to verify their account to complete the refund process. The attacker claims that the refund will be processed within 24-72 hours after verification, creating a sense of urgency and prompting immediate action. Should the target click the button labeled “Merchant Refund Approval”, they are redirected to a phishing page designed to mimic a Capital One login portal, and any information they enter there is stolen by the attacker.

Older, legacy email security tools struggle to identify this email as an attack because it is sent from a spoofed email address, uses a link that appears legitimate, and carries no malicious attachment. Modern, AI-powered email security solutions flag that the sender is unknown to the recipient, detect links to suspicious domains, and recognize that the sender domain does not match any domain in the message, and so correctly identify the email as an attack.


Phishing attack disguised as a Capital One refund approval request


Malicious lookalike portal exploits Capital One branding to trick targets into providing sensitive banking information

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
  • Legitimate Link: The link redirects through a link shortener website, which can pass through basic link verification checks due to its seemingly legitimate structure.
  • Absence of Malicious Attachments: By not including any attachments and only using a link, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
  • Suspicious Link Analysis: The presence of links leading to suspicious domains is scrutinized by Abnormal’s systems, triggering deeper analysis for possible malicious intent.
  • Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
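As an added illustration of the three indicators listed above (not Abnormal's own code, which the page notes is proprietary), the following Python sketch applies the same unknown-sender, suspicious-link-domain and sender/link-domain-mismatch checks to a constructed message; the history store, the watch list and every address in it are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed stand-ins for a communication-history store and a suspicious-domain
# list; the data here is hypothetical and exists only to exercise the checks.
KNOWN_PAIRS = {("alerts@bank.example", "jane@corp.example")}
SUSPICIOUS_LINK_DOMAINS = {"short.example"}
URL_RE = re.compile(r'https?://[^\s<>"]+')

def registrable(host):
    """Crude parent-domain reduction: keep the last two labels (illustrative only)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def analyze(raw, known_pairs=KNOWN_PAIRS, bad_domains=SUSPICIOUS_LINK_DOMAINS):
    """Return the three indicators from the section above for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    link_hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(msg.get_payload())}
    indicators = []
    # Unknown sender: this sender-recipient pair has no prior history.
    if (sender, recipient) not in known_pairs:
        indicators.append("unknown_sender")
    # Suspicious link: a body link points at a domain on the watch list.
    if any(registrable(h) in bad_domains for h in link_hosts):
        indicators.append("suspicious_link_domain")
    # Sender/link mismatch: no body link shares the sender's domain.
    if link_hosts and all(registrable(h) != registrable(sender_domain) for h in link_hosts):
        indicators.append("sender_link_domain_mismatch")
    return {"sender_domain": sender_domain, "link_hosts": sorted(link_hosts),
            "indicators": indicators}

# Constructed message modelled on the attack above; every address is a placeholder.
PHISH = """\
From: "Capital One Alerts" <alerts@refund-notices.example>
To: jane@corp.example
Subject: Merchant Refund Approval

A temporary hold was placed on your refund. Verify within 24-72 hours:
https://short.example/approve
"""

if __name__ == "__main__":
    print(analyze(PHISH))
```

A message from a known sender whose only link stays on the sender's own domain produces an empty indicator list, which is the baseline the mismatch check is measured against.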

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Email Address, Masked Phishing Link, Branded Phishing Page
Theme: Account Verification, Financial Services
Impersonated Party: Brand
Impersonated Brands: Capital One
