As financial institutions (FIs) everywhere turn to the digital channel to address the particular stresses resulting from the COVID-19 pandemic, cybercriminals are also adapting their strategies, creating novel approaches to their craft. As account holders overwhelmingly choose to meet their banking needs digitally, it’s critical for FIs to inform them of emerging attack strategies.

API Permission Request Attacks represent a particularly relevant form of phishing to be aware of now, increasingly being analyzed by IT security watchers security like KnowBe4 and others.

Anatomy of an API Permission Request Attacks

API Permission Request Attacks are a more insidious form of phishing (using fraudulent emails to gather personal information) in that they can be more challenging to identify than traditional counterparts. This is in large part due to the perceived legitimacy of the attack. Instead of leading victims to the kind of fraudulent sites that many account holders have become accustomed to spotting and avoiding, fraudsters instead ask unsuspecting account holders to grant them permission to access trusted systems where their data is stored—such as using Microsoft and Google forms—to perpetrate their attacks. The attack is only successful if the account holder grants access to the fraudster, emphasizing the importance of keeping FI members and customers aware of the types of attacks to watch for.

Additional resources for responding to digital fraud

The threat landscape is constantly evolving, but FIs can take meaningful steps to educate their account holders and strengthen their security infrastructure and strategies.


Written by Q2