Wells Fargo Impersonator Manufactures Urgency to Prompt Quick Action in Vishing Attempt
In this credential phishing attack, the threat actor impersonates the “Online Fraud Detections Operations” team at Wells Fargo. Using a Gmail address to improve deliverability, the attacker claims that unusual activity has been detected on the target’s account, and, as a result, access to their online banking service has been restricted. To restore access, the target must contact Wells Fargo via the provided phone number and verify their identity. The threat actor’s goal is to instill a sense of urgency and fear in the victim, prompting them to take immediate action. However, the phone number is controlled by the attacker, not Wells Fargo. If the target calls the number, they will likely be manipulated into providing sensitive information, such as login credentials or financial information, which the attacker can then use to compromise their account.
Older, legacy email security tools struggle to properly identify this email as an attack because it leverages social engineering, contains no attachments, and is sent from an unknown sender. Modern, AI-powered email security solutions analyze the content, detect the unknown sender, and identify the impersonation attempt to correctly mark this email as an attack.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Social Engineering: The content of the email leverages social engineering tactics, such as urgency and fear, which are designed to manipulate human behavior. Legacy tools are not equipped to understand the context or the psychological tactics employed in the content of the email.
- Lack of Attachments: Legacy security tools often rely on scanning attachments for known malware signatures. This email contains no attachments, allowing it to bypass such checks.
- Unknown Sender: The email comes from a sender the recipient's email system has not interacted with before. Legacy security tools often struggle to assess the risk of new senders accurately.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Content Analysis: Abnormal analyzes the language used in the email and identifies signs of a phishing attempt, including the threat of restricted access and the request to call a number for more information.
- Unknown Sender Analysis: Abnormal analyzes the sender's behavior, such as the fact that this is the first time they have sent an email to the recipient, and identifies this as a potential sign of a phishing attempt.
- Email Address Analysis: Abnormal detects that the sender's domain does not match the official email domain typically used by Wells Fargo for official communications. This indicates a potential phishing attempt in which the attacker mimics a reputable institution to deceive the recipient.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.