Phishing is a fraudulent attempt to obtain sensitive information by impersonating a trusted source through deceptive messaging. It has been a persistent threat to financial institutions for decades, but the nature of these attacks has changed dramatically. What once consisted of awkward emails with obvious grammatical errors has evolved into highly coordinated, multichannel schemes involving spoofed phone numbers and email addresses, impersonation of trusted people, and more effective social engineering. For financial institutions and their customers, this evolution significantly increases the danger of this threat.

The early days: Simple, single channel attacks
In the early years of email, phishing typically was easier to identify. Criminals relied on sending generic mass emails that often had poor grammar and used suspicious-looking email addresses. The malicious request often involved opening an attachment or clicking a link that would install malware or ask for personally identifiable information or account credentials.
Example of a Traditional “Old-School” Attempt:

The modern threat: Multichannel, refined and personal

Most phishing campaigns now look nothing like these previous rudimentary attempts. Criminals may operate with the sophistication of professional organizations by blending technology, psychology and cross-channel coordination to create believable and persistent fraud attempts.
Characteristics of this modern threat may include:
- Emails, phone calls and text messages that appear to come from legitimate entities
- Spoofed phone numbers used to follow up with “verification” calls
- Text messages mimicking alerts or two-factor authentication requests
- Simultaneous social engineering to pressure victims into acting
- Ability to translate messages into most global languages

This multichannel approach can reduce the victim’s suspicions and drastically increase account takeover success rates. It also may bypass traditional controls, since communication is happening across multiple channels.
How financial institutions can protect themselves and their customers
These attempts typically succeed when criminals can impersonate an institution or other trusted entity, convince the victim and move money before detection. Effective mitigation requires proactive education and layered defenses across all three stages.
Prevent
Stop criminals from successfully impersonating the institution.
| Defenses | Channel | Why This Matters | Examples |
|---|---|---|---|
| Sender identity verification | Email | Prevents criminals from sending emails that appear to come from the financial institution’s domain | Email authentication methods |
| Caller identity verification | Phone | Reduces the effectiveness of caller ID spoofing used in impersonation scams | STIR/SHAKEN: Secure Telephone Identity Revisited and Signature-based Handling of Asserted information using toKENs |
| Brand and domain protection | Email/web | Identifies fraudulent domains or websites impersonating the financial institution early when large campaigns launch | |

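
The sender identity verification row above, as an added example that is not from the original article: a Python audit of a domain's published email authentication policy, assuming the methods meant are SPF and DMARC (the article does not name them). The domain bank.example, the sample records and all function names are constructed for illustration.

```python
def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit_dmarc(txt_records):
    """Return (policy, findings) for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None, ["no single DMARC record, so receivers apply no policy"]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s does not block mail that fails authentication" % (policy or "missing"))
    elif tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains open to spoofing")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("pct=%s applies the policy to only part of failing mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    return policy or None, findings

def audit_spf(txt_records):
    """Return (qualifier of 'all', findings) for the TXT records at the domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return None, ["zero or multiple SPF records, so SPF cannot pass"]
    terms = spf[0].lower().split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        return None, ["no 'all' mechanism: without a redirect=, unlisted senders get neutral"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    notes = {"+": "+all authorizes every sender", "?": "?all is neutral",
             "~": "~all only soft-fails unlisted senders"}
    return qualifier, [notes[qualifier]] if qualifier in notes else []

# Constructed sample records for the hypothetical domain bank.example.
WEAK = {"apex": ["v=spf1 include:_spf.mail.example ~all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@bank.example"]}
STRONG = {"apex": ["v=spf1 ip4:192.0.2.0/24 -all"],
          "_dmarc": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@bank.example"]}

if __name__ == "__main__":
    for name, zone in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit_spf(zone["apex"]), audit_dmarc(zone["_dmarc"]))
```

An empty findings list for both records means receivers are told to reject mail that fails authentication for the domain; any finding marks a gap that leaves room for impersonation.
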
Verify
Help customers or employees confirm whether a communication is legitimate.
| Capability | Channel | Why This Matters | Examples |
|---|---|---|---|
| Customer scam awareness | All customer communication channels | Customers who recognize scam tactics may be less likely to engage with criminals | |
| Secure customer communication channels | Online banking/mobile | Provides a trusted place for customers to verify messages claiming to be from the financial institution | |
| Out-of-band verification procedures | Phone/email | Confirms high-risk requests using a secondary, trusted communication method | |

Disrupt
Stop or identify the fraud before money leaves the account.
| Capability | Channel | Why This Matters | Examples |
|---|---|---|---|
| Transaction verification controls | Digital banking/phone | Prevents criminals from completing high-risk payment requests | Dual authorization and payment confirmation |
| Suspicious activity monitoring | Digital banking | Detects unusual behavior associated with scams or account takeover | Behavioral monitoring tools (e.g., tools that establish a baseline for customers and identify irregular patterns) |
| Customer transaction alerts | SMS/email/app | Enables customers to quickly identify and report unauthorized activity | Real-time alerts and push notifications |

Phishing has progressed from simple scam attempts via email into coordinated, high-pressure, multichannel attempts that exploit trust, timing and technology. As criminals continue using advanced impersonation and spoofing tactics, defenses must grow equally dynamic.
Proactive education and layered defenses, such as multichannel verification and prompt response capabilities, are critical. By strengthening these areas, financial institutions can protect both themselves and their customers from increasingly complex phishing attempts.