December 16, 2021

Top 3 Banking Phish of Winter 2021

One of history’s most infamous criminals, Willie “The Actor” Sutton, was once asked by a reporter why he robbed banks. “Because that’s where the money is,” 'Slick Willy' Sutton responded. It’s noteworthy from a cybersecurity perspective that Sutton in post-Depression America was like a phishing attack with a tommy gun, given his tendency for complex heists utilizing disguises. Sutton’s life gives us nice historical context for this week’s Off the Hook about the top 3 banking phishing attacks of winter 2021.

Jon Gellin
Threat Analyst

Where there is money, there is crime. It’s as true in today’s cyber world as it was in the post-Depression American criminal world of Willie “The Actor” Sutton. Hence, phishing attacks built on finance and banking-related themes are extremely prevalent. Threats and promises of money often trigger people into reacting hastily. Any theme that triggers careless clicks will be very popular for malicious actors.

Emotions like curiosity, urgency, fear, and greed can keep people from thinking straight and processing the information in a banking phishing email rationally. Rather than logically puzzling out the message, they’ll react instead on pure emotion. Emotional reactions are exactly what malicious actors want. The key to social engineering, after all, is manipulating people into acting against their best interests.

Recent real-world examples use localization

Nordea bank phish localized to Finnish language

  1. Nordea bank

The European financial services group Nordea was impersonated in a large phishing campaign during September 2021. The phish is a well-crafted fraudulent notification, with visual elements copied from Nordea’s legitimate messages and websites.

The notification alerts the recipient about a supposed mandatory re-verification, which it describes as simple and safe and fast. But if the re-verification is not done in eight hours, access to the banking ecosystem, credit cards, and bank accounts will be blocked.

Yikes. Anything that threatens access to money is scary. And to amplify the stress, the phish uses a trusted authority impersonation along with a deadline, which are tried and true ways to both establish trust and dial up the level of anxiety via a false sense of urgency. The kicker is the consequence for failure to comply with the message’s instructions: do this or else.

During the campaign we saw over 40 different domains being used to spread the email. Landing pages were also hosted on many different domains. Should the recipient have clicked on it, they would be directed to a credential harvesting site asking for personal details and banking information required for the phony re-verification.


  2. Sparkasse

Unlike the previous example, this banking phish uses carrots instead of sticks. Sent from an imposter of the German financial firm, Sparkasse, the message is quite neutral in tone so as not to alarm the recipient straightaway. Instead of threatening the recipient, promises of faster website functionality and better data security are dangled as rewards for following instructions. A few facts are mentioned, such as S-CERT conversion and the EU data protection reform, to increase the trustworthiness of the message. The recipient is then promised a convenient way to accept these benefits by logging in normally and following specific steps.

Clicking the link takes the victim to a site asking for personal details and banking information, which are then used by the malicious actors for identity theft and access to the bank account.

Sparkasse bank phish localized to German language


  3. PayPal

Your order is successful! Wait… I don’t recall ordering anything. Or did I?

It is truly frightening to think that someone has gained access to your bank account and is racking up charges. In this phish, the recipient is notified that their order is successful and is being prepared for shipping. The big emotional trigger is that the shipping address is a stranger’s, perhaps on the other side of the world. Quite conveniently though, there is a notice that if the order was not made by the recipient, all they must do is call a number and cancel it. Phew!

The items allegedly ordered can vary. We’ve seen everything from illegal substances and cryptocurrencies to televisions and computers. The prices vary too, but are often kept reasonably low.

Should the phone number be called, the caller is required to provide information such as credit card details, social security numbers and other personal information while pretending to clear up the mistake.

Using a phone number instead of a credential harvesting page as a payload has its downsides, such as requiring much more manual labor and not being as scalable. It does however enable a more personal interaction with the victim, sometimes making it easier to manipulate him or her by being able to react to the tone of the victim’s voice and choosing correct words to gain the victim’s trust.

Staying off the hook

These types of phish are a true security risk for both individuals and organizations, potentially causing losses of large sums of money or sensitive information.

To stay safe, just remember to stay frosty when reading emails. If the message provokes strong emotions such as urgency, fear, greed, or curiosity, take a breath. Think through the steps you should take to verify whether an email from a financial service is real before you act.

  • Verify that the email comes from a legitimate address
  • Check for obvious spelling errors in the message--comms from a legit service will have impeccable grammar
  • Check that links lead to legit bank domains by hovering on the link.
  • Check the greeting: Banks usually greet their customers properly by their name. In phishing messages, the greeting usually is aimed at a “customer” or completely missing.
  • Verify via online banking messaging. The best and often easiest method to stay off the hook from this type of attack is to navigate to the bank's site by manually typing its address in your browser's URL field. Any legitimate notifications sent to you by email should also be found in the messaging tab of the banking site.
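The sender, link, and greeting checks above, together with the deadline and call-this-number lures seen in the three campaigns, can be sketched as a triage function. This is an added example, not Hoxhunt's code: the `bank.example` allowlist, the regular expressions, and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the defender maintains an allowlist of the bank's real domains.
LEGIT_DOMAINS = {"bank.example"}
HREF = re.compile(r'href="([^"]+)"', re.I)
DEADLINE = re.compile(r"\b(?:within|in)\s+\d+\s+hours?\b", re.I)
GENERIC = re.compile(r"\bdear\s+(?:customer|client|user)\b", re.I)
CALLBACK = re.compile(r"\bcall\b[^.\n]*?\+?\d[\d\s().-]{7,}\d", re.I)

def is_legit_host(host):
    """Exact match or true subdomain only; a substring test passes lookalikes."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def triage(raw):
    """Return the checklist items that a raw message fails, in a fixed order."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    links = [urlparse(u).hostname for u in HREF.findall(body)]
    checks = [
        ("sender-domain", not is_legit_host(sender_host)),
        ("link-domain", any(not is_legit_host(h) for h in links)),
        ("generic-greeting", bool(GENERIC.search(body))),
        ("deadline-pressure", bool(DEADLINE.search(body))),
        ("callback-number", bool(CALLBACK.search(body))),
    ]
    return [name for name, failed in checks if failed]

# Constructed sample messages (not taken from the campaigns described here).
LOOKALIKE = """\
From: "Example Bank" <service@bank.example.account-verify.test>

<p>Dear customer, re-verify within 8 hours or access will be blocked.</p>
<a href="https://bank.example.account-verify.test/login">bank.example/login</a>
"""
CALLBACK_MSG = """\
From: "Payments" <orders@pay-notice.test>

Your order is being prepared. If you did not place it, call +1 555 0100 199.
"""
GENUINE = """\
From: "Example Bank" <notices@mail.bank.example>

<p>Dear Anna Example, a new message is waiting in your online bank.</p>
<a href="https://www.bank.example/messages">Open messages</a>
"""
```

The lookalike host begins with the bank's name yet fails the suffix comparison, which is the case a hover check is meant to catch. The callback message contains no link at all, so only the sender and phone-number checks fire.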


Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.
