Banking trojans have been around for years. If your computer is infected, the trojan waits until you visit your online banking website. When you do, it redirects you to a malicious website that looks like your bank’s site. If you enter your banking credentials, they will fall into a cybercriminal’s hands.

In the past, you could usually spot a fake banking site by looking at its URL. The fake site would not have the same URL as your real bank’s web address. Plus, the fake site’s URL would start with “http” rather than “https”. The missing “s” means that the site does not have a Secure Sockets Layer (SSL) certificate. All legitimate banking sites use SSL to secure their Internet connections.

Looking for these clues may no longer work, though. In July 2017, cybercriminals started using a Trickbot trojan variant that sends recipients to a fake banking site that looks exactly like the real deal. The fake site even displays the real bank’s URL and SSL certificate.

How Trickbot Might Get on Your Computer

Phishing emails are being used to infect computers with Trickbot. According to the Flashpoint researchers tracking Trickbot, cybercriminals are using a spamming botnet to send out a massive number of these emails in 17 countries, including the United States, United Kingdom, and Canada.

The phishing emails try to get the recipients to open an email attachment. The type of attachment and the pretense used to trick people into opening it varies. For instance, in one campaign, the emails were supposedly from the UK-based Lloyds Bank. Recipients were told to review and sign an attached Microsoft Excel file. To sign it, they had to enable the embedded macro, which initiated a process that loaded Trickbot onto their computers.

How to Avoid Becoming a Victim

Although it might be nearly impossible to distinguish between a real banking website and a doppelganger created by the Trickbot trojan, you can avoid becoming a victim of this scam. All you need is a healthy dose of skepticism and a little knowledge on how to spot phishing emails. An email might be a phishing attack if it contains one or more of these elements:

  • A generic greeting. When cybercriminals send out phishing emails, they send them out to the masses. As a result, they often start the emails with a generic greeting, a simple “Hello”, or no greeting at all.
  • An attachment. Legitimate financial institutions typically do not email files out of the blue. So, unless you specifically requested a document from an organization, be wary of any email attachments. Be especially wary of attached Microsoft Word and Excel files in which you are supposed to enable a macro.
  • A spoofed email address. Phishing emails often include a spoofed email address or name in the “From” field.
  • A sense of urgency. A common tactic to get you to fall for a phishing scam is to create a sense of urgency. Cybercriminals first let you know about a problem that requires your attention. Then, they let you know that there will be unfortunate consequences if you do not take action quickly.
  • A request to update or verify information. To get you to open an attached file or click a link, some phishing emails ask you to update or verify information.
  • A deceptive URL. Phishing emails sometimes include deceptive URLs. A deceptive URL is one in which the actual URL does not match the displayed web address or linked text. For example, the displayed text might specify a legitimate bank name (“U.S. Bank”) or bank web address (“https://www.usbank.com”), but when you hover your mouse cursor over it (without clicking it), you might discover that the actual URL leads to a website in Russia. These deceptive links can lead to fake websites.
  • Misspellings or grammatical errors. Many phishing emails come from cybercriminals in foreign countries, so they might contain misspellings and grammatical errors. Plus, intentional misspellings can sometimes help get emails past spam filters.