Threat Report: BEC in the Financial Services Sector

Both organizations and individuals can’t be too careful when it comes to digital financial transactions. One small error can lead to a lot of inconvenience, and in some cases, irreversible losses. Based on recent statistics by the United States Government Accountability Office, improper payments (those made in error or for incorrect amounts) have posed a persistent challenge to government operations for more than 20 years. In fiscal year 2024 alone, 16 federal agencies reported an estimated $162 billion in such payments across 68 programs, with overpayments making up approximately 84% of that total.

In some cases, victims are deliberately manipulated to do a wrong transfer, in the form of impersonation, social engineering, or the lure of financial gains. According to the latest report by APWG, attacks targeting online payment platforms and financial institutions surged in Q1 2025, collectively accounting for 30.9% of all phishing activity.

What really concerns financial institutions more is Business Email Compromise (BEC) attacks, which are not limited to typical, indiscriminate typosquating. They are the targeted and calculated attempts blending social engineering and spoofed identities to trick employees into transferring funds or leaking sensitive data. According to IC3, in 2024 alone, reported threats from spoofing, phishing, and BEC totaled over 214,850.

In this analysis, the researchers at PreCrime™ Labs, the research team at BforeAI, observed 3756 suspicious and newly registered domains in April, May, and June of this year. While additional domains bring the total of the dataset closer to 4000, they do not fit in the suggested time frame. Our primary focus is on 31 core financial services brands across several key categories including banking, credit card companies, lenders, and payment platforms.

However, other banks based outside of the US were also observed as a part of various similar cybercriminal infrastructures, indicating a global targeting pattern.

• Domains observed: 3756
• Time range: 3 months (April 1 through June 30, 2025)
• Top 3 registrars: GoDaddy.com, LLC, Dynadot Inc, Tucows Domains Inc.
• Top 3 registering countries: United States, China, United Kingdom
• Top 5 TLDs (Top Level Domains): .com (1992), .info (260), .xyz (203), .online (105), .icu (104)
• Finance based TLDs: .finance, .financial, .money, .loan, .cash, .fund, .credit, .cards, .accountant, .bank, .investments, .capital, .exchange, .market, .insurance

Domain registration trends throughout the quarter showed a notable spike in activity, especially targeting financial brands. April saw a high volume of registrations, followed by a slight dip in May, and then a sharp rise in June, especially towards end of the month. June also recorded the highest number of domain registrations overall. Between June 22 and June 30, 2025, there were at least 22 domains registered daily, peaking at 81 registrations on June 27 alone.

Beyond this, a consistent count of 10 or more newly registered domains were observed daily, with fluctuations continuing through the end of the quarter. This sudden surge could indicate a sign of preparation for upcoming seasonal retail sales or early travel-related promotions, during which many financial institutions roll out offers and rewards, making this period a prime target for cybercriminals looking to spoof legitimate offers.

In the period between April 1 and June 30, 2025, sophisticated BEC campaigns leveraged typosquatted domains, AI inclusive domain algorithms, and search engine optimization tactics exploiting brand familiarity. Newly registered domains actively exploited brands like PayPal, Visa, Monzo, and Cash App, likely to manipulate SEO tactics to redirect users to crypto exchanges and gambling sites. Theme-specific campaigns such as fake helpdesk and support centers were found to be distributing malicious executables. There was a case identified in which criminals used Telegram and Session to sell prepaid cards likely acquired using stolen information. For sustained campaigns and rapid scalability, AI-driven domain generation algorithms were deployed mimicking typical login pages.

Impact on financial institutions

The financial industry is severely impacted by criminal phishing and impersonation schemes that not only affect the brands themselves but also consumers, partners, vendors, and other industries that trust that institution. The impact is not limited to direct losses from frauds, but also in the form of regulatory scrutiny and fines or legal fees in some severe cases. When it comes to region specific phishing attempts, different regulatory and compliance can adversely affect the financial institution, for example, breaches of data privacy regulations (GDPR, CCPA, etc.) or non-compliance with financial industry specific regulations (PCI DSS, NYDFS, etc.). 

The credentials that are harvested through phishing lookalike login pages are often used to steal more information or to use as a convincing social engineering tool. Sometimes, these credentials also wind up on sale on the dark web, along with stolen credit card details, supporting cybercriminals seeking to conduct skimming and carding attacks.

Stolen credentials become a part of the cybercrime ecosystem where the data is sold on different marketplaces or used for crime propagation. User logins, passwords, and credit and debit card data are sold on marketplaces or Telegram as part of a subscription service. A criminal looking to target a particular financial brand can purchase these credentials and use them for the next set of attacks. From here, attackers can deploy ransomware, engage in sophisticated social engineering, or employ alternate phishing techniques, such as whaling, vishing, etc.

Prominent recent examples of these tactics are the Russian Market and Bidencash incidents. As of April 2025, over 910,380 stolen credit card records were leaked by threat actors. 

Stolen or compromised accounts can lead to CEO impersonations, or even typosquatted domains that demand instant funds transfer. According to Coalition’s 2025 Cyber Claims Report, nearly 30% of BEC incidents involved funds transfer fraud (FTF).

Mitigation strategies and recommendations

In combating BEC and phishing attempts, especially in sensitive industries like finance and banking, a contextual intelligence-driven approach can help minimize the impact. While the need for traditional detection systems remains critical, it is also essential to monitor predictive behavior, in order to anticipate how threat infrastructure evolves in real-time.

Traditional Mitigation and Remediation

• Enforce robust email policies. Email attachments and embedded links should be scanned using signature-based tools and basic sandboxing techniques and threat intelligence tools should receive constant enrichment, like blocklists or indicators sourced from public repositories.
• Ensure traditional detection systems that help fight phishing and BEC attacks, such as spam filters, antivirus email gateways, and basic sender verification protocols like SPF, DKIM, and DMARC are enforced.
• Commit to regular employee security awareness training, supplemented by reminders or simulations help reduce employee actions that lead to breaches.
• Maintain credential security policies that require frequent password resets and updates.
• Regularly reassess the email security of third party vendors, not just relying on their onboarding assessment

Future-Leaning Mitigation and Remediation

• Monitor external infrastructure for indicators of future attack/abuse with predictive capabilities to preemptively block or neutralize attacks before they can be launched.
• Utilize solutions that enable autonomous malicious infrastructure takedowns at scale, to counter quickly emerging AI-generated infrastructure.
• Leverage threat analysis based on contextual intelligence and indicators of maliciousness— like sender geography, domain details, IP evaluation, registrant details– should be considered to predict effectively, out-throwing adversarial infrastructure.
• Deploy advanced phishing awareness training with continuous simulations or gamified training modules, especially for highly vulnerable teams like finance or HR.

Leveraging current news and business movement

J.P. Morgan recently announced its strategic collaboration with PayPal to expand merchant acquisition across the U.K. and European markets and powered by its PayCommerce platform and the launch of its Fastlane guest checkout solution. High-profile financial partnerships such as these are always on cybercriminals’ radars. There was a notable surge in suspicious domain registrations overlapping J.P. Morgan and PayPal branding, especially using European TLDs (e.g., “.uk”, “.fr”, “.de”) or domain names containing geographic or brand-aligned keywords.

One name, multiple businesses

In one notable example, Cash App, a popular financial business in the US, was targeted with multiple newly-emerged typosquats. However, these domains don’t directly target Cash App, but offer fake opportunities for “making cash” by performing simple tasks. WeCash is one such example, encouraging people to download different apps and filling the apps’ survey forms, and promising the classic bait of “earn free cash”.

In another similar example, we saw a website titled “Tip Me on Cash App” redirecting users to an individual’s Venmo account, creating suspicion whether this transaction is legitimate. Another trend included “casino cash app” domains, which, while not directly targeting Cash App itself, served as alternative phishing lures by promoting gambling-related scams. Likewise, in the case of Payoneer, we identified domain overlaps with a hospitality business of the same name, adding to user confusion and increasing the risk of accidental interaction with fraudulent or unrelated services.

It is interesting to note that such websites may or may not be outright fraudulent, but they definitely create confusion and ambiguity for users. These websites may wind up being opportunistic marketing or scams, making their intent dubious at best. Subtle tactics used in domain naming can manipulate SEO rankings to drive traffic under brand familiarity.

Websites under construction

In the case of Lending Club, a well-known financial services provider, multiple websites were either under construction or established as a generic blog site with no malicious redirects. This suggests that websites targeting Lending Club were yet to be established and launched as a phishing campaign. Early indicators of the websites such as “Hello World” imply that the websites were recently created but currently remain dormant, and the evidence of it being involved in BEC (Business Email Compromise) scams remains undetermined. This indicates that a larger phishing or fraud campaign may still be in its staging phase, with threat actors reserving these domains in advance.

A similar case was seen with websites registered in the past three months targeting Payoneer and Monzo. Despite having different typosquat versions, most of the websites remain under construction, indicating a campaign yet to be launched.

In the financial services sector, even the slightest activity on a customer’s account typically triggers a notification – be it for security, transactions, or general account updates and this theme was leveraged by threat actors, likely to issue email alerts to generate a sense of urgency. Domains using formats like “[company]securityalert[.]TLD” are increasingly observed in Business Email Compromise (BEC) campaigns, targeting both consumers and employees,
depending on the email content. One such case involved the domain “payoneersecurityalert[.]com”, registered two months ago. The site hosted a fake login page, strongly suggesting an intent to harvest user credentials under the guise of a security notification.

Other prominent websites seen:

• payoneernotifications[.]com
• payoneersecurityalerts[.]com
• payoneersecurityalert[.]com
• payoneertransactionalerts[.]com

Temporary websites hosting phishing content

Free web hosting offering free services to temporarily deploy the websites are exploited maliciously by threat actors to save cost and preserve anonymity. In the case of MoneyLion, several such hosted pages were observed—mimicking the exact layout of official login portals. Interestingly, to avoid detection, the domain names did not include the brand’s name, making traditional keyword-based threat hunting ineffective. Discovery of such websites can be achieved by pivoting from page title and the content indicators.

When it comes to financial services, it is not just about direct monetary transactions, but many “associated services” come into the ecosystem such as mutual funds, stocks, brokers, investments, loans, etc. A notable example is the domain “moneylionloanus” where the website falsely claims to instantly transfer $5000 into the user’s bank account in exchange for providing the last 4 digits of their social security number (SSN), the series of numbers unique to an individual and is almost impossible to guess simply from publicly available information.

The keyword “visa” presents a dual identity and detecting it can become challenging. Due to its dual identity—as both the global payment provider, Visa, and a term associated with travel documentation, there are significant chances of false positives associated with the word, delaying effective mitigation as a result. This is an opportunity to play flexibly in financial and travel industry campaigns.

In our previous travel report, we have highlighted how travel related phishing campaigns surge dramatically around peak vacation seasons. “Visa”, a keyword ambiguous in nature, can create a confusion over whether a user has landed on a payment platform or a travel service, and can also be used to divert users to malicious sites by providing a lure of payment to travel promotion and vice versa. A similar case of brand ambiguity was observed with the term “Discovery”, which can refer to a financial services provider or a popular TV network.

In the card services industry, companies often offer gift cards, rewards points, and exclusive benefits through their platforms and membership programs. Travel enthusiasts prefer to have credit cards to enable lounge access, flight upgrades, or hotel perks in exchange for redeemed points.

Therefore, a significant overlap between American Express and travel websites is being exploited to harvest phishing related credentials, while providing travel related information/services, as highlighted below

Banking helpdesks and customer support is the most critical link to directly connect consumers with banks. Threat actors have increasingly exploited this trust by setting up fake banking helpdesks and impersonated customer service pages, designed to collect sensitive customer information. In some cases, the attempt was taken a step further, by providing a fake “FAQ” page where customers were asked to “verify” their bank account associated with the institution under the pretext of increasing the daily limit.

Threat actors have limitless possibilities in phishing attempts that give away direct credentials or initiate live access sessions. Zoho, a popular platform for enterprise management solutions, was also targeted to set up helpdesks, as seen with Skrill, a global digital wallet provider.

Another category associated with the financial industry is crypto exchanges and transactions, where frequent withdrawals and deposits across banks and wallets take place. While banking operates under regulated frameworks, crypto remains largely unregulated, yet individuals frequently conduct internal transactions between both ecosystems. This overlap creates an unique opportunity for cybercriminals to extend their phishing campaigns in these two zones. For example, a fraudulent Venmo-related platform offering crypto exchange service has now surfaced under familiar branding.

Such offerings can claim to be an extension of legitimate financial services, exploiting the trust and user base of well-known platforms. Such phishing pages are more profitable as they tend to steal sensitive data, financial data, wallet authentication, and live manipulation of funds if the crypto exchange itself is a facade.

Malware propagation through stealer logs

In a notable example below, our researchers identified a phishing kit hosted on a website that impersonated Venmo’s customer support desk, distributing a malicious executable hosted at “venmosupport[.]live/sc/new2[.]exe”

It is interesting to note that the same malware file is now being delivered from another domain, irrelevant to the banking industry. This highlights the reusability and adaptability of phishing kits and fake remote screen access support across industries.

This malicious executable has been flagged from different threat intelligence vendors as RATs (Remote Access Trojans), and references a remote screen connect software. This ties the campaign together as threat actors abusing Venmo’s support page to connect with customers remotely and steal credentials or stay persistently in the account while pretending to solve errors.

Similar phishing activity was observed targeting Monzo, where a plain phishing kit was seen, while not having any files hosted to investigate. As of now, the status of this campaign remains unknown, but the term ‘secure’ with Monzo subtly hints towards the user’s account security.

Domain generation algorithms are now a go-to technique used by threat actors focused on phishing, as it helps them to rapidly generate and register domains with a specific pattern. This enables continuous and sustained campaigns for as long as they can last. Related examples were prominently seen targeting Chime, with domain patterns in the format of “chimelogin-[xxxxx][.]icu”, where the five characters were randomized to rapidly generate new login pages. We observed at least 46 such domains registered in the last 3 months.

A malicious campaign promoting unauthorized prepaid card services through Telegram and Session was discovered, falsely claiming to offer instant-use cards with no verification codes. This can be appealing to users seeking anonymity online or avoiding in-store verified purchases. The process prompts users to select a card, make a payment, and immediately receive card details. This raises suspicious flags around resale of cards through stolen financial data.

Suspicious Visa cards, PayPal cards, and Tiktok coins were listed on this website. A tutorial video through YouTube was also shared on this website, which largely talks about loopholes in the payment industry that can get viewers some free rewards as a “hack” or “trick,”, mostly unethically. What makes this particularly alarming is the choice of communication channels: Telegram and Signal are frequently used by cybercriminals due to their encryption and anonymity, making them suspicious platforms for offering customer support.

Apart from this service, we observed domain names combining Visa—one of the major players in the payment industry, with other banking institutions. This enables a single domain to be expanded to other brand’s malicious campaigns. Domains impersonating Visa were combined with elements from Mastercard, J.P. Morgan, Chase, Santander, and others, suggesting that threat actors are creating hybrid brand abuse campaigns. Such domains keep rotating the themes targeting different brands across different times as many disparate elements are combined together.

Games, guides and ebooks describing or being promoted under a prominent name, such as PayPal in this case, can mislead users into thinking it’s affiliated with PayPal, should be considered brand impersonation. Another example suggests a blog post, with a domain name “virtual Mastercard,” to use a financial service relevance, but the actual content is gamblingfocused. Websites such as these are often associated with and are promoting investment or betting scams and use well-known names for the SEO ranking purposes. The financial industry is a more reliable target for cyber criminals as a broader audience can be targeted, in this case, users who are actively doing online transactions.

At the conclusion of the article, we shall see some of the notable examples of domain generation algorithms in the banking industry observed in the last 3 months.

Domain Generation Algorithm – Finserv Industry