TSB Bank Impersonator Uses Look-alike Domain in Likely AI-Generated Credential Phishing Attack
This likely AI-generated credential phishing attack impersonates a customer support representative from TSB Bank, a bank in the United Kingdom. The attacker tells the recipient that an ongoing IT migration may temporarily restrict access to their account and instructs them to click the "Proceed Here" link embedded in the email to restore full access. If the recipient clicks the link and enters their banking login credentials, the attacker captures them and can gain unauthorized access to the account. What makes this attack more sophisticated is the sender address, "support@nx-tsb.co.uk," which sits on an unregistered look-alike domain and serves only as a mask: because that domain cannot receive mail, the attacker sets the Reply-To header so that any replies go to the address they actually control, "admin@fortravelteck.com." The displayed sender domain resembles TSB Bank's legitimate domain, adding a layer of social engineering to the attack.
Because the sender is unknown, the link is not yet known to be malicious, and the lure relies on social engineering rather than a detectable payload, legacy email security tools have difficulty flagging this message as an attack. An AI-powered email security solution that combines social engineering detection, the mismatched Reply-To address, and link analysis can correctly identify it as an attack.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Unknown Email: The sending address has never sent the recipient a message before. Legacy tools that rely on sender reputation or blocklists may treat a never-before-seen sender as neutral rather than as a risk factor, allowing the email to pass their checks.
- Phishing Link: The email contains a link that is likely malicious. Legacy tools that match URLs against lists of known-bad destinations cannot flag a link whose destination has not yet been reported, and may not inspect the link at all.
- Social Engineering: The email creates a sense of urgency (a migration that may restrict account access) while pretending to come from the recipient's bank. Legacy tools do not evaluate the intent of the message text and may miss this.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Link Analysis: Abnormal analyzes links in the email for potential threats. In this case, the link is likely a phishing site where sensitive information is at risk.
- Social Engineering Detection: Abnormal’s AI detects social engineering tactics in emails. This email creates a sense of urgency and importance to trick the recipient into clicking the malicious link.
- Mismatched Reply-To Address: Abnormal identifies when the “reply-to” email address does not match the “sender” email address, often a sign of a phishing attempt. In this case, the reply-to email address is “admin@fortravelteck.com,” which does not match the “sender” email address “support@nx-tsb.co.uk.”
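As an added example (not Abnormal Security's code or detection logic), the following Python script runs heuristic versions of the indicators from both lists above, the unknown or look-alike sender, the mismatched Reply-To, link analysis and urgency language, over a constructed copy of the message described in this post and a constructed benign counterpart. It assumes tsb.co.uk is TSB's legitimate domain; all addresses, URLs and message text are constructed for illustration.

```python
"""
Added example, not Abnormal Security's code: heuristic checks mirroring the
indicators described in the post (unknown/look-alike sender, mismatched
Reply-To, link analysis, urgency language), run over constructed messages.
Assumption: TSB's legitimate domain is taken to be tsb.co.uk. All addresses,
URLs and message text below are constructed for illustration.
"""
from __future__ import annotations

import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample modelled on the message described in the post.
PHISH_EMAIL = """\
From: TSB Customer Support <support@nx-tsb.co.uk>
Reply-To: admin@fortravelteck.com
To: customer@example.org
Subject: Action required: IT migration may restrict your account
Content-Type: text/plain; charset=utf-8

Dear customer,

Due to an ongoing IT migration, access to your online banking may be
temporarily restricted. Proceed here to restore full access immediately:
http://nx-tsb.co.uk/secure/login

TSB Customer Support
"""

# Constructed benign counterpart: same brand, legitimate domain, no Reply-To.
BENIGN_EMAIL = """\
From: TSB <statements@tsb.co.uk>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/plain; charset=utf-8

Your May statement is now available at https://www.tsb.co.uk/statements
"""

# Brand label -> registrable domain it legitimately belongs to (assumption).
BRAND_DOMAINS = {"tsb": "tsb.co.uk"}

# Phrases that manufacture urgency; a real system would learn these, not list them.
URGENCY_PHRASES = ("action required", "immediately", "restricted", "restore full access")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def domain_of(header_value: str | None) -> str:
    """Lower-cased domain of an address like 'Name <user@host>' ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def lookalike_brand(domain: str) -> str | None:
    """Return the brand whose name appears as a label of a domain that is not
    the brand's own (e.g. 'nx-tsb.co.uk' -> 'tsb'); None for the real domain."""
    labels = domain.lower().replace("-", ".").split(".")
    for brand, legit in BRAND_DOMAINS.items():
        if domain == legit or domain.endswith("." + legit):
            continue  # the genuine domain or a subdomain of it
        if brand in labels:
            return brand
    return None


def analyze(raw: str) -> dict:
    """Score one RFC 5322 message against the indicators from the post."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom  # no Reply-To: replies go to From
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = (str(msg["Subject"] or "") + " " + body).lower()

    link_hosts = sorted({urlsplit(u).hostname or "" for u in URL_RE.findall(body)})
    result = {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "reply_to_mismatch": reply_dom != from_dom,
        "lookalike_brand": lookalike_brand(from_dom),
        "link_hosts": link_hosts,
        "lookalike_links": [h for h in link_hosts if lookalike_brand(h)],
        "urgency_hits": [p for p in URGENCY_PHRASES if p in text],
    }
    indicators = (
        result["reply_to_mismatch"],
        result["lookalike_brand"] is not None,
        bool(result["lookalike_links"]),
        bool(result["urgency_hits"]),
    )
    result["score"] = sum(indicators)
    # No single signal is decisive; the post's point is that they combine.
    result["verdict"] = "likely phishing" if result["score"] >= 2 else "no strong indicators"
    return result


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        r = analyze(raw)
        print(f"{name}: {r['verdict']} (score {r['score']})", r)
```

The benign message is there to show the checks staying quiet: a genuine TSB domain, no Reply-To, a link under tsb.co.uk and no urgency phrases score zero, while the constructed phish trips all four indicators. The thresholds and phrase list are deliberately simple stand-ins for the learned behavioral baselines a production system would use.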
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.