As Citibank Is Sued, Banks Will Have to Face The Duty To Protect Their Customers

  • 27.02.2024 04:08 pm

Perhaps best known for bringing a civil fraud case against Donald Trump, the verdict of which is expected to be announced later this month, New York Attorney General Letitia James is now focusing on the fraud committed by cybercriminals against Citibank customers – and the bank’s failure to protect them.

On January 30th, James sued Citibank, alleging that the bank’s online protections are not strong enough to stop the unauthorized takeover of customer accounts. The lawsuit also claims that, after funds are stolen, Citi misleads account holders about their rights and refuses to reimburse them. James is seeking to require the company to pay back defrauded New Yorkers and to adopt enhanced anti-fraud defenses to prevent scams.

The finance industry has long been one of the primary targets of cyberattackers due to the potential therein for huge monetary gain. Financial institutions have been sucked into a game of cat-and-mouse, where they’re constantly working with their cybersecurity partners to plug the holes in their defenses and thwart the latest attack vectors. 

However, this just causes attackers to adapt and find new vulnerabilities. These days, rather than targeting a bank’s own systems directly, hackers are more likely to use phishing techniques to aid in impersonation attacks, misleading customers into entering sensitive data on spoofed websites. It is these customers who are most at risk – and it is no longer enough for banks and big companies to shrug off all responsibility. The Citibank case is just one reflection of the growing public desire for financial institutions to adapt to this reality and protect their customers adequately. 

Customers Are The Main Target

Of particular concern is that it’s not only big banks with broad name recognition that are subject to such attacks. In a 2022 analysis of over 50 million websites, Allure Security found that in the first 90 days of that year, more than 20% of smaller regional banks and credit unions also faced brand impersonation attacks.

Brand impersonation attacks aim to deceive banks’ customers, and they can take on various guises. Malicious actors employ a combination of emails, phone calls, SMS messages and more, spamming customers with messages that appear to be legitimate. The idea is to encourage victims to click on a link that redirects them to a fake version of their bank’s website. If the customer is fooled, they will willingly enter their login credentials and personal information, which is subsequently used by the attackers to access their accounts and steal their savings. When these attacks are successful, they don’t just harm the customers, but also erode the banks’ reputations, leading to a loss of trust and loyalty. 

The escalation in brand impersonation attacks illustrates how customer protection has become a blind spot, especially in the financial services industry, says Israel Mazin, co-founder and chief executive of Memcyco, a company that develops software to help companies protect themselves from website spoofing. 

“AI has made brand impersonation fraud an off-the-shelf commodity for seamlessly cloning legitimate websites,” Mazin said. “Particularly for financial services providers, digital impersonation scams are now a top threat. Worse still, the shockingly convincing nature of fraud leveraging brand impersonation scams makes it harder for businesses to even map where those customer-protection blind spots are, making the damage to reputation, 'below the waterline', almost incalculable.”

Fighting Back In Real-Time

Memcyco was founded to address such blind spots, having developed a suite of tools that aim to identify website impersonation attacks and stop them in their tracks. Its solution provides both real-time detection of spoofed websites, plus protections for customers who may inadvertently visit them. The moment a fake website goes live, Memcyco can detect it and inform the bank it’s being impersonated and that its customers are at risk. Banks can then take immediate action to get the spoofed website taken down as quickly as possible, while protecting their customers in the meantime.

One of Memcyco’s key innovations is its ability to do something about those fake sites before they’re taken offline. Unlike other solutions, the company has developed the ability to display a Red Alert notification in real time that warns customers they’re accessing a fake website, rather than the real thing. It goes further too, displaying a digital watermark on a bank’s legitimate web properties to reassure its customers that they’re on the correct website.

To illustrate how its novel brand impersonation prevention solutions work, Mazin cited the example of one of North America’s premier banks, which was dealing with an escalation in phishing and brandjacking attacks that were designed to steal its customers’ credit card details. The attacks were extremely sophisticated, the fake websites were tremendously convincing, and the bank was unable to do anything about it, putting it in danger of suffering serious financial losses and untold damage to its reputation.

But once Memcyco deployed its Customer ATO and Fraud Protection solutions, the bank gained the ability to warn its customers whenever they visited a fake website, preventing the loss of their personal information. At the same time, the bank worked with Memcyco to try to identify the attackers responsible. This involved using decoy data, which was entered into the fake websites to track how and when it was used.

Additionally, the bank was able to detect hundreds of credit card fraud attempts in real time and warn its customers. This led to a significant and immediate decrease in usage of stolen credit card data, and as a consequence, the bank was able to reduce its customer compensation budget. The bank also benefited from productivity gains, as its security operations teams gained additional time to focus on other kinds of cyberattacks and investigations.

Proactive Defense Breeds Customer Loyalty

Preventative measures against phishing and impersonation attacks are essential for the financial services industry in particular, an industry that works extremely hard to build trust with its customers. Reputational damage is hard to recover from, and customers who lose funds due to attacks are unlikely to simply “forget and forgive.”

As such, the onus is on the banks to try to prevent these attacks from happening in the first place. By ensuring they have their customers’ backs, banks can foster a reputation of trust that leads to increased customer retention and loyalty.
