Royal Bank of Canada is among the most targeted institutions by cyber attacks due to its broad customer base, according to an analysis by Palo Alto Networks.
From December 2019 up to present, cybercriminals have been establishing malicious pages disguised as websites by major companies to conduct phishing attempts and other similarly invasive attacks.
RBC ranked third in the most spoofed domains list, more than streaming giant Netflix and professional networking portal LinkedIn. PayPal and Apple ranked first and second, respectively.
“When you look at the broad customer base that RBC has, it makes sense, especially when you compare it to some of the other big names,” said Jen Miller-Osborn, deputy director of threat research at Palo Alto Networks. “These attackers are going after [domains] where they can make the most money, so they’re focusing on these organizations that have really broad customer bases because that really ups the number of potential victims.”
In an interview with BNN Bloomberg, Miller-Osborn outlined what consumers should be looking out for to filter our fraudulent emails.
“Typically, the ones that are going to be scam-related are trying to invoke some sort of emotional response,” Miller-Osborn said. “So they might say something like ‘Someone tried to change your password, click here to say whether or not that was you,’ or ‘Click here to confirm this charge on your statement,’ or ‘We've locked your account for strange activity.’ Essentially, things that will make people anxious and will make them want to click first, and not take a step back and pause to think, ‘Is that really the kind of email that my bank would usually send?’”
Other red flags include misspellings and basic grammar errors in the message, especially the sender line.
“Attackers try to closely mimic domain names, so you might see the number zero substituted for ‘o’, or a one substituted for the letter ‘l’. Little thing like an extra ‘s’ or ‘c’ in the name. These things, people tend to glance over very quickly and not notice.”
Miller-Osborn said that these measures should be done in concert with the most effective step in deflecting a spoofing attempt: Calling the bank and asking them if the email that they supposedly sent was legitimate.