In this phishing attack, cybercriminals impersonate Bank of America and send the target a fraudulent notification regarding a system upgrade. Using an email address hosted on a legitimate free webmail provider, the attacker informs the recipient that due to system updates and maintenance, the target must access their account and complete a verification process using the provided link. However, the link destination is actually a malicious page, which has been obfuscated using a URL shortener. Should the target click the button labeled “Verify Now” and visit the page, any information they enter will be stolen by the attacker. The email leverages professional language, Bank of America branding, and a sense of urgency to increase the appearance of authenticity and encourage the recipient to take immediate action without scrutinizing the email’s legitimacy.

Legacy email security tools struggle to identify this email as an attack because it is sent from a reputable email provider, includes embedded links to legitimate domains, and carries no malicious attachments. Modern, AI-powered email security solutions correctly identify the email as an attack by flagging the urgent language in the message, detecting the link to a suspicious domain, and recognizing that the sender's domain does not match the sender name displayed in the message.


Phishing attack impersonating Bank of America alert

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Reputable Email Provider: The attacker uses a legitimate free webmail service, which is less likely to be blacklisted and can pass basic email filters.
  • Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks due to their legitimate structure.
  • Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Content Analysis: The email’s urgent message is flagged by Abnormal’s content analysis algorithms as a common phishing tactic.
  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
  • Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
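The three indicators listed above (display-name/domain mismatch, a link masked by a URL shortener, and urgency wording) can be checked with simple heuristics. The script below is an added illustration, not Abnormal's detection code; the sample message, the brand-to-domain mapping and the shortener host list are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; not the real message.
SAMPLE_EMAIL = """\
From: Bank of America Alerts <bofa.alerts.notice@freemail.example>
To: customer@example.com
Subject: Action Required: System Upgrade Verification
Content-Type: text/html

<p>Due to scheduled system updates and maintenance, you must verify your
account immediately to avoid service interruption.</p>
<p><a href="https://short.example/x9Qk2">Verify Now</a></p>
<p><a href="https://www.bankofamerica.com/privacy">Privacy notice</a></p>
"""

# Assumed: domains the impersonated brand actually sends from (hypothetical list).
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com", "bofa.com"}}
# Assumed: hosts treated as URL shorteners; a deployment would curate its own.
SHORTENER_HOSTS = {"short.example", "bit.ly", "tinyurl.com", "t.co"}
URGENCY_TERMS = ("immediately", "action required", "verify", "avoid service interruption")

def sender_brand_mismatch(from_header):
    """True when the display name claims a brand but the address domain is not the brand's."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    return any(brand in name.lower() and domain not in domains
               for brand, domains in BRAND_DOMAINS.items())

def shortened_links(html):
    """Return hrefs whose host is a known shortener (the masked link in this lure)."""
    hrefs = re.findall(r'href="([^"]+)"', html)
    return [u for u in hrefs if urlparse(u).hostname in SHORTENER_HOSTS]

def urgency_hits(text):
    """Urgency phrasing that content analysis would flag."""
    lowered = text.lower()
    return [term for term in URGENCY_TERMS if term in lowered]

def score_message(raw):
    """Combine the three indicators into a simple verdict."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    hits = {"sender_mismatch": sender_brand_mismatch(msg["From"] or ""),
            "shortened_links": shortened_links(body),
            "urgency_terms": urgency_hits((msg["Subject"] or "") + " " + body)}
    hits["verdict"] = "likely phishing" if sum(bool(v) for v in hits.values()) >= 2 else "no verdict"
    return hits
```

Note that the legitimate bankofamerica.com link in the sample is not flagged on its own, which is exactly why link reputation alone lets this message through.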

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Free Webmail Account, Masked Phishing Link
  • Theme: Account Verification, Security Update
  • Impersonated Party: Brand
  • Impersonated Brands: Bank of America
