January 2021 Phishing Simulation

If you were redirected to this page, you fell for our phishing simulation. Don't worry, this was just a test – no passwords were captured, and your E*TRADE Liberty account is not in danger.

Phishing attacks continue to be extremely widespread and one of the most effective ways for a hacker to gain access to you and your company. SEM will periodically conduct phishing simulations to make sure that we and our business partners are aware of and up-to-date on the techniques used by cyber criminals. When it comes to security, your success is our success and vice versa.

This phishing simulation was designed to emulate an attack where a hacker sends out a targeted phishing campaign to customers of E*TRADE Advisor Services. As we review the "red flags" in this simulated attack, keep in mind that SEM has several resources to help keep you informed about cybersecurity:

Let’s review the specific “red flags” in this simulated attack:

Email:

Let's start by looking at the phishing email you received:

Screenshot of full email

Email Address

When you send an email, it will often contain a Display Name. Most of the time, your email client (e.g. Outlook) will set your display name for you - usually it'll be your name, e.g. “John Smith”. However, if you know what you're doing, you can also set the Display Name to whatever you want. This phishing email set the display name to E*TRADE Advisor Services, even though the email did not come from E*TRADE.

As you can see, there is more information to the right of the Display Name - this is the actual email address that the email came from: [email protected]. This is not a legitimate E*TRADE address. Advisor communication emails come from [email protected], which looks almost exactly the same except that one of the dots was replaced with a hyphen. We registered the similar-looking domain name (with the hyphen) and configured the phishing email server to use it - which is exactly what a real phishing campaign might do.

Display Name
Actual Email Address
Legitimate E*TRADE Email

Link URL

If you hover over the SUMMARY OF CHANGES button, you will see a preview of the link URL. This is not the URL for the RIA Connection site or the Liberty website, though it does look somewhat similar to the real Liberty website URL (https://app.trustamerica.com/liberty). Just like the domain in the phishing email, we registered a similar-looking domain to host the fake Liberty website, which is something that a real phishing attack might do.

Everything else aside, you should always avoid clicking links in emails if possible - go directly to the website instead. In this case, you would go to the E*TRADE Liberty or RIA Connection websites and look for any mention of "changes to policies and procedures".
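The two checks described above (the display name versus the actual sender address, and the button text versus the real link target) can be automated. The following is an added example, not part of the original page or of any E*TRADE or SEM tooling. It parses a constructed phishing email, pulls out the sender's display name and address, extracts every link's visible text and real `href`, and compares each host against a list of legitimate hosts. The legitimate sender host `advisorservices.etrade.com` and the look-alike hosts `advisorservices-etrade.com` and `app-trustamerica.com` are placeholders constructed for the example (the page does not give the real addresses); `app.trustamerica.com` and `riaconnection.trustamerica.com` are the hosts the page names. The look-alike test implements the hyphen-for-dot substitution the page describes.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts known to be legitimate. The sender host is a constructed placeholder;
# the two trustamerica.com hosts are the ones named on the page.
LEGITIMATE_HOSTS = {
    "advisorservices.etrade.com",        # placeholder for the real sender host
    "app.trustamerica.com",              # Liberty
    "riaconnection.trustamerica.com",    # RIA Connection
}

# Constructed sample phishing email (not the real simulation email).
SAMPLE_EMAIL = """\
From: "E*TRADE Advisor Services" <noreply@advisorservices-etrade.com>
To: advisor@example.com
Subject: Changes to policies and procedures
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the updated policies and procedures.</p>
<a href="https://app-trustamerica.com/liberty">SUMMARY OF CHANGES</a>
<a href="https://riaconnection.trustamerica.com">RIA Connection</a>
</body></html>
"""


def classify_host(host: str) -> str:
    """Exact match -> 'legitimate'; differs only by swapping dots and hyphens
    -> 'lookalike of <host>'; anything else -> 'unknown'."""
    host = host.lower().rstrip(".")
    if host in LEGITIMATE_HOSTS:
        return "legitimate"
    for legit in LEGITIMATE_HOSTS:
        if host.replace("-", ".") == legit.replace("-", "."):
            return f"lookalike of {legit}"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def html_body(msg) -> str:
    """Return the decoded text/html part of the message, or '' if none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def check_sender(msg) -> dict:
    """Split the From header into display name and address; judge the address host."""
    display_name, address = parseaddr(msg["From"])
    host = address.rpartition("@")[2]
    return {"display_name": display_name, "address": address, "verdict": classify_host(host)}


def check_links(html: str) -> list:
    """Judge the host of every link target, keeping the text the reader saw."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        host = urlparse(href).hostname or ""
        findings.append({"text": text, "href": href, "host": host, "verdict": classify_host(host)})
    return findings


def analyse(raw_email: str) -> dict:
    """Combine the sender and link checks; any non-legitimate host flags the mail."""
    msg = message_from_string(raw_email)
    sender = check_sender(msg)
    links = check_links(html_body(msg))
    suspicious = sender["verdict"] != "legitimate" or any(
        link["verdict"] != "legitimate" for link in links
    )
    return {"sender": sender, "links": links, "suspicious": suspicious}


if __name__ == "__main__":
    result = analyse(SAMPLE_EMAIL)
    print("Display name:", result["sender"]["display_name"])
    print("Sender address:", result["sender"]["address"], "->", result["sender"]["verdict"])
    for link in result["links"]:
        print(f"Link '{link['text']}' -> {link['host']} ({link['verdict']})")
    print("Suspicious:", result["suspicious"])
```

Run against the sample, the sender address is reported as a look-alike of the legitimate sender host and the SUMMARY OF CHANGES button as a look-alike of the Liberty host, while the RIA Connection link passes; the same `urlparse(...).hostname` step is what you do by eye when you read the part of an address-bar URL before the first slash.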

Link URL:

Email Content

Some "red flags" in the email body:

  • Unusual content - Compare the phishing email to other emails that you receive from E*TRADE - like the RIA Connection emails. Legitimate RIA Connection emails have the E*TRADE logo, a banner, a disclaimer, and an unsubscribe link. The phishing email has none of those.
  • Manipulative wording - Phishing attacks will often appeal to your emotions. Sometimes that involves a sense of urgency (e.g. "your account has been suspended until you click here"), and other times it may involve current events.

Taken by themselves, the "red flags" in the email body don't guarantee that this is a phishing email - for example, it is totally possible that E*TRADE would change certain policies or procedures because of Coronavirus. These "red flags" are cause for concern and should raise some alarms, but should be considered as one of many factors. Combine these with the email address/display name and link URL issues above and you can be pretty confident it's a phishing email.

Remember, you can always ask a coworker or contact the sender and ask if the email is legitimate. If you do contact the sender, don't reply directly to the phishy email. In a situation like this, where you're dealing with a mass communication from E*TRADE, SEM will also have a good idea about its legitimacy.

Phishing Email:
Legitimate RIA Connection Email:

Landing Page

It is possible that you could be compromised even if you just click the link in a phishing email. However, it is still advantageous to know how to identify a phishing web page because some phishing attacks (like this simulated phishing attack) are only successful if you input your login credentials on a web page. Let's look at some "red flags" on the phishing web page:

Screenshot of full landing page

Wrong website

Typically, E*TRADE posts information about updated policies and procedures on the RIA Connection website - you would not have to log in to Liberty to find such information. It certainly is possible that E*TRADE could post this information in Liberty, so this "red flag" is not a guarantee - but it is certainly cause for concern.

Note that the RIA Connection website does not require you to log in: https://riaconnection.trustamerica.com

RIA Connection Website:

URL

Look closely at the URL. Everything after the https:// and before the first / is the domain name. You'll notice that this domain name is not the same as the real Liberty website's (app.trustamerica.com). It also looks pretty phishy on its own.

Also notice the lock icon. This does not mean that the website is safe! It just means that the connection to the website is encrypted. This post might be helpful: What does the padlock in your address bar really mean?

Phishing page domain:

Password manager

If you have a password manager, you should have noticed that it did not autofill or have any suggestions for you on this page. If your password manager does not suggest login credentials on a web page where it normally does, this should be cause for concern - it's very likely that you're not on the legitimate website.

If you don't have a password manager, this is one of many reasons that they are a good idea!
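The reason a password manager stays silent on a look-alike site is that it matches saved credentials to the site's domain, not to how the page looks. The following is an added illustration of that matching rule, not code from the page or from LastPass or any other product: a constructed vault keyed by the URL each credential was saved on, and a lookup that only offers a credential when the current page is served over HTTPS from the same registrable domain. The vault contents and the look-alike hosts are constructed for the example; real managers use the Public Suffix List rather than the two-label shortcut used here.

```python
from urllib.parse import urlparse

# Constructed vault: the URL a credential was saved on -> saved username.
# (RIA Connection needs no login, so only Liberty and an unrelated site appear.)
VAULT = {
    "https://app.trustamerica.com/liberty": "advisor01",
    "https://webmail.example.com/": "jsmith",
}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain (eTLD+1) as the last two labels.
    Real password managers consult the Public Suffix List; this shortcut
    is enough for .com hosts like the ones in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_candidates(page_url: str, vault: dict = VAULT) -> list:
    """Return the usernames a domain-bound password manager would offer
    on page_url: same registrable domain as the saved site, HTTPS only.
    A hyphen-for-dot look-alike or a plain-HTTP copy gets nothing."""
    page = urlparse(page_url)
    if page.scheme != "https" or not page.hostname:
        return []
    page_domain = registrable_domain(page.hostname)
    return sorted({
        user for site, user in vault.items()
        if registrable_domain(urlparse(site).hostname) == page_domain
    })


if __name__ == "__main__":
    for url in (
        "https://app.trustamerica.com/liberty",             # real Liberty
        "https://app-trustamerica.com/liberty",             # constructed look-alike
        "https://app.trustamerica.com.example.net/liberty", # real name as a subdomain
        "http://app.trustamerica.com/liberty",              # downgraded to HTTP
    ):
        print(f"{url:55} -> {autofill_candidates(url)}")
```

The real Liberty URL yields the saved username; the look-alike domain, the real hostname buried as a subdomain of another site, and the plain-HTTP copy all yield an empty list, which is exactly the "no suggestions" the page describes.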

LastPass had no suggestions: