Banking has overtaken retail as the No. 3 most likely industry target for hackers seeking to acquire and misuse customers’ personal information. These bad actors often pose as representatives of your financial institution in their attempts to get at your login information or account data.

Only technology and shipping companies are more susceptible to being targeted by phishing scammers, as reported by Check Point Research in its Brand Phishing Report for Q1 2021. (Check Point Research is the threat intelligence arm of Check Point Software Technologies Ltd., a leading provider of cybersecurity solutions globally.)

Microsoft continued to be the brand most targeted by brand phishing, representing 39% of all global brand phishing attempts. International shipper DHL came in second, with 18% of such attempts. Rounding out the top 10 brands were: Google (9%), Roblox (6%), Amazon (5%), Wells Fargo (4%), Chase (2%), LinkedIn (2%), Apple (2%) and Dropbox (2%).

“Criminals increased their attempts in Q1 2021 to steal people’s personal data by impersonating leading brands, and our data clearly shows how they change their phishing tactics to increase their chances of success,” said Omer Dembinsky, Data Research Manager at Check Point Research, in a press release. “The change seen this past quarter was in the industry of banking.”

What Is Brand Phishing?

As Check Point Research defines it, “In a brand phishing attack, cyber criminals try to imitate the official website of a well-known brand by using a similar domain name or URL and webpage design to the genuine site.” The targeted individuals may receive a link to the impostor website—via email or text message—inviting them to log in or to verify a transaction or delivery.

Phishing schemes seek to gain access to the customer’s user name, password or other account credentials. If you’ve ever received a text from a number you don’t recognize requesting information you don’t want to provide, or found yourself redirected from one website to another while browsing in cyberspace, you may have been the target of a phishing attack.

One example captured by Check Point Research was a phishing scam conducted via email to a Wells Fargo customer. The email, sent from a spoofed—fake, yet appearing to be legitimate—email address, carried the subject line, “Your Online access has been disabled.” In the body of the email was a “Go To Account” button that would take the user to a—yes, you guessed it—fake website, designed to look like the actual Wells Fargo login page.
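The lookalike-domain pattern described above can be checked mechanically. The following is an added example, not code from the article or from Check Point Research: it extracts the link targets from an HTML email body and compares each host against an assumed allowlist of official bank domains. Hosts under `.example` and the sample email are constructed for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: official domains of two banks named in the article.
OFFICIAL = {"wellsfargo": "wellsfargo.com", "chase": "chase.com"}
DEGLYPH = str.maketrans("013", "ole")  # digit-for-letter swaps: 0->o, 1->l, 3->e

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def classify(url):
    """Return 'official', 'lookalike:<brand>' or 'unrelated' for a link."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    registrable = ".".join(host.split(".")[-2:])  # naive: no public-suffix list
    if registrable in OFFICIAL.values():
        return "official"
    plain = host.translate(DEGLYPH).replace("-", "")
    for brand in OFFICIAL:
        # Brand name embedded anywhere in a host that is not the brand's own.
        if brand in plain:
            return f"lookalike:{brand}"
        # Near-miss spelling of the brand in any single label.
        for label in plain.split("."):
            if SequenceMatcher(None, brand, label).ratio() >= 0.85:
                return f"lookalike:{brand}"
    return "unrelated"

def scan_email(html):
    """Map each link in the email body to its verdict."""
    collector = LinkCollector()
    collector.feed(html)
    return {url: classify(url) for url in collector.links}

# Constructed sample modelled on the email the article describes.
SAMPLE = """<p>Your Online access has been disabled.</p>
<a href="https://wellsfarg0-login.example/signin">Go To Account</a>
<a href="https://www.wellsfargo.com/help">Help</a>
<a href="https://chasse.example/verify">Verify</a>
<a href="https://newsletter.example/unsubscribe">Unsubscribe</a>"""

if __name__ == "__main__":
    print(*(f"{v:22} {u}" for u, v in scan_email(SAMPLE).items()), sep="\n")
```

The substring rule over-flags (a host containing "purchase" matches "chase"), so a lookalike verdict is a reason to review a message, not proof of fraud.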

As the technology behind websites and apps becomes more sophisticated, so too do the tactics of scammers. While you can sometimes identify illegitimate communications by their spelling errors or other obvious mistakes, the design skills of potential fraudsters are continuing to improve.

Phishing is only one of a variety of common bank scams, which may come in both online and offline versions and range from government payment and automatic withdrawal scams to check-cashing and overpayment scams.

Why the Increased Focus on Banking?

As stay-at-home orders caused banks and credit unions to temporarily close branches and customers to move more transactions online, new opportunities were created for potential fraud.

The 2021 Identity Fraud Study, released in late March by Javelin Strategy & Research, confirms that identity fraud is increasingly focused on individual consumer transactions. Total combined fraud losses were $56 billion in 2020, of which $43 billion was attributed to identity fraud scams. Javelin distinguishes between traditional identity fraud, where the customer may not even know they’re a victim, and identity fraud scams, which are targeted to individual consumers.

As Javelin reported, “By targeting consumers directly, the criminals once again find their path of least resistance. Particularly during 2020, where everyone interacted almost exclusively via phone, text, email and via social media platforms, vulnerable consumers were easy and abundant targets.”

Those who are intent on perpetrating fraudulent schemes pay attention to consumer trends, such as increased online and mobile banking. In addition to the increase in digital banking in 2020, consumers generally found themselves transacting more online—choosing delivery services over in-person shopping during the pandemic restrictions, for example.

“Leading bank institutions, such as Wells Fargo and Chase, have now become prime resources for cyber criminals to lure people into brand phishing,” said Dembinsky. “Cyber criminals are looking to capitalize on our activities that involve banks such as filing taxes, fielding stimulus checks and ordering home deliveries.”

What You Can Do to Protect Yourself

As increasing numbers of banking customers choose to transact online, even after pandemic restrictions are lifted, it’s critical to know how to protect your personal information while interacting with your bank and other financial institutions.

Your best defense? Stay alert. Also ensure that both your computer and your smartphone receive regular software updates, which often include security fixes. Take advantage of multi-factor authentication on accounts for which it is available. In addition to your user name and password, multi-factor authentication requires a second identifier—such as a passcode that is authenticated by text or app—making it harder for thieves to access your account.

Stay hypervigilant when it comes to emails or other messages you receive that claim to be from your bank or credit union. Your financial institution will never ask for personally identifiable information via email. If you receive an email to which you believe you should respond, do not click through any link that may appear. Instead, call your bank or credit union’s customer service, or go to the bank’s website directly (not via any link in the email), to verify.

The Federal Trade Commission (FTC) offers resources for consumers on how to recognize and avoid phishing scams. Phishing emails and texts, in addition to being designed to look as if they’re legitimate, often will try to play on your emotions: Look out for subject lines that sound threatening or offers that seem too good to be true. The FTC also encourages anyone who believes they have been the victim of an identity fraud scam to file a report with the FTC.

“As always, we encourage users to be cautious when divulging personal data and credentials to business applications,” said Dembinsky, “and to think twice before opening email attachments or links, especially emails that claim to be from companies, such as banking institutions, Microsoft or DHL, that are the most likely to be impersonated.”

