Image: GrafVishenka, Getty Images/iStockPhotos

Phishing campaigns work by impersonating well-known companies, brands, and products. By targeting a large number of users, attackers hope to hit enough people who have accounts with the spoofed companies as a way to capture their account credentials. Some of the top exploited brands for phishing attacks include Apple, Netflix, Microsoft, eBay, and PayPal. But another type of company prone to being spoofed is a bank. That makes sense as cybercriminals who gain access to your banking credentials can do a lot of damage.

SEE: Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic Premium)

A blog post published Thursday by security provider Armorblox explains how a recent phishing campaign impersonates Bank of America. In this attack, which hit the inbox of an Armorblox customer, the recipient receives an email that claims to come from Bank of America with a request and link to update their email address.

Clicking on the link takes the user to a credential phishing page built to resemble the Bank of America (BOA) home page. To lend legitimacy to the campaign, a page pops up asking readers to set up three security questions, a common method used on actual websites, including the BOA site, to help authenticate users. If someone takes the bait, the criminals gain access not just to their banking credentials but to their security questions and answers.

Image: Armorblox

This type of campaign can trick people and prove successful for several reasons, as detailed by Armorblox.

  1. Not a mass email. This particular phishing email was not distributed in bulk but was sent to just a few people in the target organization. As such, the email eluded the bulk email filters from Microsoft and the organization’s Secure Email Gateway (SEG).
  2. Got past authentication checks. Though the sender’s name of Bank of America was spoofed, the email was sent from a personal Yahoo Mail account via SendGrid. For that reason, the email snuck past all the usual authentication methods, including SPF, DKIM, and DMARC.
  3. Zero-day link and lookalike website. Because the attacker created a new domain to host the phony landing page, the link to it in the email evaded filters designed to block known bad links. The landing page itself mimicked the look and layout of an actual BOA page. The only clue to its illegitimacy was in the URL in the address field, which pointed to a domain called rather than
  4. Security challenge questions lend legitimacy. After entering their BOA account credentials, users are directed to the page with three security questions. This tactic increases the legitimacy of the attack, especially as the actual BOA website uses the same security method.
  5. Socially engineered. Unlike bulk phishing campaigns, this attack was purposely devised to trigger the required response. By impersonating the Bank of America, the email appears legitimate at face value, especially to busy people facing a crowded inbox with other messages waiting.

“Organizations need to invest in email security solutions that do not rely solely on threat feeds, metadata, or DMARC, but instead look at a much broader set of signals that include user identity, user behavior, and most importantly the language in the communications,” Armorblox said. “Never has it been more important to invest in technical controls that understand the language of communications than today when zero-day credential phishing attacks have peaked.”