Phishing is a fraudulent attempt to obtain sensitive information by impersonating a trusted source through deceptive messaging. It has been a persistent threat to financial institutions for decades, but the nature of these attacks has changed dramatically.
What once consisted of awkward emails with obvious grammatical errors has evolved into highly coordinated, multichannel schemes involving spoofed phone numbers and email addresses, impersonation of trusted people and more effective social engineering. For financial institutions and their customers, this evolution significantly increases the danger of this threat.

The Early Days: Simple, Single-Channel Attacks
In the early years of email, phishing typically was easier to identify. Criminals relied on sending generic mass emails that often had poor grammar and used suspicious-looking email addresses. The malicious request often involved opening an attachment or clicking a link that would install malware or ask for personally identifiable information or account credentials.
Example of a Traditional “Old-School” Attempt:

The Modern Threat: Multichannel, Refined and Personal

Most phishing campaigns now look nothing like these previous rudimentary attempts. Criminals may operate with the sophistication of professional organizations by blending technology, psychology and cross-channel coordination to create believable and persistent fraud attempts.
Characteristics of this modern threat may include:
- Emails, phone calls and text messages that appear to come from legitimate entities
- Spoofed phone numbers used to follow up with “verification” calls
- Text messages mimicking alerts or two-factor authentication requests
- Simultaneous social engineering to pressure victims into acting
- Ability to translate messages into most global languages

This multichannel approach can reduce the victim’s suspicions and drastically increase account takeover success rates. It also may bypass traditional controls, which tend to monitor a single channel, because the communication is spread across several.
How Financial Institutions Can Protect Themselves and Their Customers
These attempts typically succeed when criminals can impersonate an institution or other trusted entity, convince the victim and move money before detection. Effective mitigation requires proactive education and layered defenses across all three stages: impersonation, persuasion of the victim and movement of money.



Conclusion
Phishing has progressed from simple scam attempts via email into coordinated, high-pressure, multichannel attempts that exploit trust, timing and technology. As criminals continue using advanced impersonation and spoofing tactics, defenses must grow equally dynamic.
Proactive education and layered defenses, such as multichannel verification and prompt response capabilities, are critical. By strengthening these areas, financial institutions can protect both themselves and their customers from increasingly complex phishing attempts.
Other Resources
Considerations for Financial Institutions to Detect Scams (PDF)
Infographic: Scam Detection and Mitigation for Financial Institutions (PDF)