Beware SVB Scams

Last week saw the collapse of two US banks.  Silicon Valley Bank (SVB) collapsed on Friday (March 10th), with Signature Bank following suit on Sunday (March 12th).  On Monday, the UK Chancellor shared the news that HSBC has bought the UK arm of SVB for £1, providing stability for customers, and on the same day the US Reserve has made assurances to US customers.  It is highly likely that this turmoil in the financial sector will result in an increase in cyber-attacks and fraud, as criminals seek to exploit the very human emotions of fear and hope surrounding their finances.

At Symantec we are continually vigilant against evolving cyber-attacks.  We already see signs that scammers are looking to exploit this event. This is what we expect will happen and how you can protect yourself. 

A typical scam / fraud delivered by email is likely to involve these steps:

• The attacker will look to exploit existing, legitimate email domains.  Attackers will be looking to impersonate financial organizations, regulators or other ‘trusted’ brands.  To combat this, the email domain owners can use sender authentication techniques to limit who can send email using that domain - and this information can be used by receiving email gateways to block or allow messages. There is a risk that some email domains have not been fully secured in this way.
• The attacker will use newly created email or web domains. To bypass the security layer above, we expect to see attackers create new email or web domains that appear to be legitimate.  Symantec threat research teams have already seen a number of new websites and domains being created (featuring ‘svb’, which indicate that infrastructure is being created to support phishing campaigns)
• The attacker may decide to impersonate a legitimate sounding email address. We may see attackers creating something like SVBsecurity or HSBC_transfer.  These can be hard to spot, so it is highly recommended that end-users be reminded to look at the full email domain that has been used in emails they receive. 
• Business Email Compromise and scams rely on a mixture of convincing content, urgency (playing on hopes and fears), and action that involves providing normally withheld information or a financial transaction.  Sometimes you will be asked to sign into your account from a link or to phone someone using a phone number contained in the email.  These are some of the most common warning signs.
• It is also likely that the attacker will be relying on the overall disruption facing these banks, so even if customers realize they may have become victim of fraud, there may be a delay in taking action to limit the fraud or catch the attackers.

So, what can you do about this?

Email Security Teams

• First, be vigilant against the very real risk that your organization could be a target of fraud.  
• Ensure that your email security settings are such that they will block email that fails sender authentication standards.
• Switch on email impersonation detection to flag suspicious email, especially those impersonating financial institutions that have been recently in the news.
• Ensure anti-phishing protection is in place (eg URL scanning, web isolation etc).
• Alert end users about the risks of phishing emails and BEC attacks. 
• Remind staff that they shouldn’t rush to take action based on information sent to them by email, or even received by phone. Recommend that for such requests, users step back and ask, “is this something I would expect my bank / customer / supplier to ask?”
• Highlight to users the ‘red flags’ to look out for such as look alike email addresses, poor grammar, urgency to act, an out of character request and to hover over links so the full web address can be inspected.  If they have concerns, they should stop and report the contact.
•  Establish an incident response system so any end user can immediately report suspicious requests - and the appropriate remedial response can be taken (alert others, work with the financial team to recover losses from fraud etc).

Finance Departments

We also recommend that business - and in particular finance teams - review their approval processes to ensure there are appropriate and independent approval processes concerning the creation and changing of account details (including within the supply chain).

With the risk of Business Email Compromise attacks and fraud being high, it is vital that you verify any contact details, links, or phone numbers.  Call the sender back using the trusted contact details you already hold on record (for example on a recent bank statement), or contact your usual bank representative.  Hover over any links in an email to see the full address before clicking.

Symantec Email Security customers already benefit from protection against these types of attacks:

• Sender Authentication protection - emails that originate from unrecognized sender sources will not be delivered (this depends on the sending organization having an approved sender list)
• Email Impersonation - identifies look-alike email domains and takes action
• Email Fraud - built in analyzers scan email content for phrases, grammar and spelling clues that indicate fraud.
• Phishing attacks - are blocked on delivery and at click time, drawing on Symantec’s Global Intelligence Network (GIN) block access to dangerous links.  Symantec’s GIN takes threat data from endpoint, web, cloud security and email to provide a holistic view of threats.
• Email Isolation - ensures that lower risk weblinks are isolated to stop users from downloading malware or giving up sensitive information.

For more information about Symantec Email Security.cloud visit our website.