TD Bank Impersonator Uses Fake Contact Information Verification Request in Phishing Attack
In this phishing attack, cybercriminals impersonate TD Bank from a spoofed sender address, using a fraudulent security alert dressed in the bank's branding. The email falsely claims that the recipient's contact information must be updated immediately to keep the account protected, and directs the recipient to log in to online banking through the provided link. Anyone who clicks is taken to a malicious website built to harvest login credentials and other sensitive information. The attack trades on the recipient's trust in TD Bank and on fear of account compromise to push them into following the link without checking where it actually leads.
Legacy email security tools struggle to identify this message as an attack: it comes from a spoofed address, the sender is unknown to the recipient's email system, and it carries a malicious link rather than a malicious attachment. Modern, AI-powered email security solutions instead flag that the display name and sending domain do not match, detect links to suspicious domains, and notice that the sending domain does not appear in any of the links in the message body, and on that basis correctly classify the email as an attack.
Phishing attack disguised as an information request from TD Bank
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker sends from a legitimate-sounding address whose display name imitates TD Bank. Basic checks that only look at the visible sender do not catch this, and the familiar name lends the message perceived authenticity.
- Unknown Sender: The email comes from a sender the recipient's email system has never interacted with before. Legacy security tools often struggle to accurately assess the risk posed by first-time senders.
- Lack of Attachments: By carrying only a link and no attachment, the email avoids detection by antivirus and anti-malware systems that focus on attachment-borne threats.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Sender Name and Domain Mismatch: The display name claims to be TD Bank, but the sending domain does not match it, which raised suspicion during Abnormal's analysis.
- Suspicious Link Analysis: Links in the message point to suspicious domains, which triggers deeper analysis of the email for malicious intent.
- Unusual Sending Behavior: The sending domain does not appear in any of the links in the message body, an atypical pattern for a legitimate bank notification.
By learning established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
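The following is an added example, not Abnormal Security's code, that applies the three indicators listed above (display name versus sending domain, links to domains unrelated to the sender, and no body link pointing back at the sending domain) to a raw email, plus a simple lookalike-domain check for the "legitimate-sounding" sender address discussed earlier. The brand-to-domain table, the `analyze` function and both sample messages are constructed for this example and are not the actual phishing email from the page.

```python
"""Heuristic checks for the indicators described above (added example, not vendor code)."""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: brand keyword -> domains that brand legitimately uses.
# Assumption: a real deployment would maintain a much larger brand/domain list.
BRANDS = {
    "td bank": {"td.com", "tdbank.com"},
}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (crude eTLD+1; fine for .com/.net here)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def html_body(msg: Message) -> str:
    """Return the text/html part of the message (or the single-part payload) as text."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def link_domains(html: str) -> set[str]:
    """Registrable domains of every link in the HTML body."""
    collector = _LinkCollector()
    collector.feed(html)
    domains = set()
    for href in collector.hrefs:
        host = urlparse(href).hostname
        if host:
            domains.add(registrable_domain(host))
    return domains


def claimed_brand(display_name: str, subject: str):
    """Which brand the display name or subject claims to be, if any."""
    haystack = f"{display_name} {subject}".lower()
    for brand in BRANDS:
        if brand in haystack:
            return brand
    return None


def looks_like(sender_domain: str, legit_domains: set[str]) -> bool:
    """Lookalike heuristic: the sender's second-level label embeds a brand label of at
    least four characters (e.g. 'tdbank-secure-verify' contains 'tdbank') but the
    domain itself is not one the brand uses. Short labels are skipped to limit noise."""
    if sender_domain in legit_domains:
        return False
    sender_label = sender_domain.split(".")[0]
    return any(len(lab) >= 4 and lab in sender_label
               for lab in (d.split(".")[0] for d in legit_domains))


def analyze(raw: str) -> dict:
    """Run the indicators over one raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""
    brand = claimed_brand(display_name, msg.get("Subject", ""))
    legit = BRANDS.get(brand, set()) if brand else set()
    links = link_domains(html_body(msg))

    findings = {
        "sender_domain": sender_domain,
        "claimed_brand": brand,
        # Indicator 1: display name claims a brand whose domains do not include the sender domain.
        "sender_name_domain_mismatch": bool(brand) and sender_domain not in legit,
        # Indicator 2: links point at domains that are neither the sender's nor the brand's.
        "suspicious_link_domains": sorted(d for d in links if d != sender_domain and d not in legit),
        # Indicator 3: none of the body links go back to the sending domain.
        "sender_link_domain_mismatch": bool(links) and sender_domain not in links,
        # Lookalike sending domain (the 'legitimate-sounding' address from the bypass section).
        "lookalike_sender_domain": looks_like(sender_domain, legit),
    }
    score = sum(1 for key in ("sender_name_domain_mismatch", "sender_link_domain_mismatch",
                              "lookalike_sender_domain") if findings[key])
    score += 1 if findings["suspicious_link_domains"] else 0
    findings["verdict"] = "malicious" if score >= 2 else "clean"
    return findings


# Constructed sample messages for this example (not the real email from the page).
PHISH = """\
From: TD Bank Security <alerts@tdbank-secure-verify.com>
To: customer@example.com
Subject: Action required: verify your contact information
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your contact information must be updated to keep your account protected.</p>
<p><a href="https://tdbank.contact-update-portal.net/login">Log in to online banking</a></p>
</body></html>
"""

LEGIT = """\
From: TD Bank <noreply@td.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.td.com/statements">View statement</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(sample))
```

The verdict threshold of two indicators is arbitrary and only serves the example; the point is that each check is cheap once the From header and body links have been parsed, and that a first-time sender with a brand-like display name, a lookalike domain and links pointing elsewhere is exactly the combination a reputation-only filter misses.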
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.