Blog article
You’ve Been Phished! But What Happens Next?

Phishing is the oldest weapon in a fraudster’s war chest and still serves as the most common form of cyber-attack around. Phishing attacks reached a record high in 2022, according to the Anti-Phishing Working Group, with banks continuing to be the number one target. 

Many consumers have learned how to spot most phishing emails when they hit their inbox. For the few attacks that are successful, what remains unknown is what happens after the phishing attack. Some victims get lucky, and the theft of personally identifiable information (PII) amounts to nothing. It could be that sensitive information was stolen but never sold or purchased on the dark web. Or perhaps it IS purchased, but the fraudster doesn’t get around to attacking everyone on the list. Who knows? 

Unfortunately, not everyone is lucky. Some individuals are attacked within 24 hours of their sensitive details being stolen. This is often the case when it comes to phishing sites, otherwise known as lookalike sites. If a customer enters their details into a phishing site and the fraudster captures their login details, they can easily access the customer’s bank account without triggering any alarms. And if the providing bank doesn’t have adequate fraud controls in place, they are free to empty a person's account and leave both the customer and providing bank with a huge headache to deal with in the morning. 

It’s important to study the tracks of fraudsters following early detection of phishing sites. Leveraging device and behavioural analysis, it is now possible to shed light on what happens after a successful phishing attack. 

Recently, a large U.S. financial institution found itself the target of a massive phishing campaign. With the right fraud detection technology in place, they were able to uncover this attack early, better understand the downstream impact, and act accordingly. 

127 victims unknowingly entered their full login details into the phishing site before it was shut down. Over the next two weeks, the following activity within the 127 accounts was observed: 

30% went on to login from a location that was far away from their known location 

For example, with one particular victim, it was evident that the legitimate user normally conducts login and payment sessions in New Zealand. But shortly after entering their login details into a rogue phishing site we suddenly started seeing logins from Florida. Subsequent login attempts then started happening in Boston, suggesting the login details were being passed around from one fraudster to another.  

9% logged in from a location impossibly far away from their last login location, given the time in between sessions 

Sometimes a login location sits on the borderline of believability because it is not too far from the typical login location. This is where common sense and behavioral rules can prevail: simply set up a rule that asks whether this login location is possible given where the user last logged in and when. This straightforward check gives a bank much more confidence to intervene in a session, knowing it is not interrupting a legitimate session conducted by the true owner of the account. 
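The two location checks described above (a login far from the user's known location, and an "impossible travel" login given the time since the last session) as an added example; this is not the bank's or BioCatch's code. The speed and radius thresholds and the sample sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner cruising speed
KNOWN_LOCATION_RADIUS_KM = 500.0  # assumption: how far from home still counts as "known"

@dataclass
class Login:
    ts: datetime      # session start, UTC
    lat: float        # geolocated latitude in degrees
    lon: float        # geolocated longitude in degrees

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def is_impossible_travel(prev, cur):
    """True if reaching cur from prev would need a speed above the plausible maximum."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600
    if hours <= 0:                      # same instant or out-of-order events
        return dist > KNOWN_LOCATION_RADIUS_KM
    return dist / hours > MAX_PLAUSIBLE_SPEED_KMH

def flag_sessions(logins, home):
    """Return one dict per login with the two location flags the article describes."""
    out, prev = [], None
    for cur in sorted(logins, key=lambda l: l.ts):
        out.append({
            "ts": cur.ts,
            "far_from_known": haversine_km(*home, cur.lat, cur.lon) > KNOWN_LOCATION_RADIUS_KM,
            "impossible_travel": prev is not None and is_impossible_travel(prev, cur),
        })
        prev = cur
    return out

# Constructed sample mirroring the article's victim: normal sessions near Auckland (NZ),
# then a login from Florida a few hours later and one from Boston the next day.
HOME = (-36.85, 174.76)  # user's established login location (Auckland)
SAMPLE = [
    Login(datetime(2023, 3, 1, 9, 0), -36.85, 174.76),   # Auckland, legitimate
    Login(datetime(2023, 3, 2, 9, 30), -36.85, 174.76),  # Auckland, legitimate
    Login(datetime(2023, 3, 2, 15, 0), 25.76, -80.19),   # Miami, 5.5 h later
    Login(datetime(2023, 3, 3, 16, 0), 42.36, -71.06),   # Boston, 25 h after Miami
]
```

Running `flag_sessions(SAMPLE, HOME)` marks the Miami login as both far from home and impossible travel (about 13,000 km in 5.5 hours), while the Boston login is far from home but, at 25 hours after Miami, not impossible on its own.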

23% made a payment that was flagged as a high-risk amount 

There are many reasons a payment can be classed as high risk. It could be because the payment is being made from an unusual location. It could be because the device being used to make the transaction is unfamiliar. Or it could be because the amount being transferred is not typical of previous behavior. In terms of the 127 accounts, it was a mixture of all of the above, particularly the sudden out-of-character large payment transfers going on within the accounts. With behavioral analysis in place, you are better positioned to intervene in these transactions. Stopping the money leaving the account and preventing the fraud altogether is a far better option than managing the fall-out with customers and fronting the potential fraud bills. 

15% of the accounts were later flagged for the use of a Remote Access Tool (RAT) 

RATs are commonly used by fraudsters to navigate around a customer's account from afar. Fraudsters can operate under the radar, remain anonymous and conduct fraudulent activities on the victim's device. Behavioral biometrics can identify the use of a RAT in a session by analyzing mouse movement patterns. The remote access connection can result in a jumpy, inconsistent mouse motion which looks quite different from a normal user. 

12% pasted in the login fields for the first time 

Copying and pasting is a convenient keyboard shortcut we all use in our daily lives. However, in the context of filling in a new account application or logging into an existing account, the act of copying and pasting is highly suspicious. Why? Because legitimate users do not copy and paste their email addresses or other types of PII into an online form. This personal data sits in the owner's long-term memory and is typically typed in. The copy and paste function only benefits a fraudster in this context, because they are NOT familiar with the data and it’s quicker to attack multiple accounts by pasting it in. 

These five telling insights extracted from just 14 days of activity after the 127 victims were fooled into sharing their data with a phishing site give us some indication of ‘what happens next?’ The data is further proof that phishing is just the beginning of a wider plan that is coordinated by multiple fraudsters working together on a global scale. So, what can we do to combat these fraudsters and these lookalike phishing sites? 

The Need for Speed 

The above talks about the worst-case scenario. 127 customers were fooled into sharing their login details. And then a whole lot of interesting fraudulent activity happened soon after. However, as insightful as it all is, we’d all rather there was no fraudulent activity or victims at all. Unfortunately, due to the relentless pursuit of fraudsters, this is not easily achieved. The best-case scenario is to turn the 127 victims into a small handful of victims by taking the following quick preventative measures: 

STEP 1: Learn about the existence of the phishing site, quickly! 

STEP 2: Take the necessary steps to get the phishing site shut down, quickly! 

STEP 3: Alert the victims they need to update their login details, quickly! 

These three simple steps are somewhat commonsensical, but it’s critical to recognise the value of acting quickly. In the case of one phishing site, the analysis showed that in the 27 days it took existing fraud controls to detect the site and get it shut down, the phishing site obtained another 877 victims after the initial 24 hours of its creation. The handful of victims in the first 24 hours turned into hundreds in a matter of days, and the potential clean-up process became a much larger job. 

Iain Swaine
Director EMEA, Global Advisory, BioCatch

This post is from a series of posts in the group: Artificial Intelligence and Financial Services