Banks make up nearly a third of the top 25 brands impersonated by phishing websites, according to the cybersecurity company Vade.
And with these types of cyberattacks getting far more common and more sophisticated, one countermeasure that banks increasingly are adopting is the .bank domain.
“Unlike a .com, a .bank cannot be faked,” says Drew Schiff, senior director of engagement for fTLD Registry Services, which oversees use of this domain name and ensures only banks are able to deploy it.
“We prefer it to be a preventative measure, but many are now adopting it after the fact,” Schiff says. “Cyberattacks have risen since the pandemic.”
Increase in Phishing Attacks Propels .bank
In the cat-and-mouse game of cybersecurity, criminals are continuously mimicking banks with lookalike websites and emails to trick consumers into giving away their login information.
No financial institution is immune to this type of attack, and the biggest banks are frequent victims. For example, in June 2020, tens of thousands of Wells Fargo customers were sent fake calendar invites that appeared to come from the bank’s security team. And in January 2021, a team of malware hunters discovered a Citibank phishing site so well done that it even prompted users for the one-time password (OTP) delivered to them by text, the step that lets a real-time phishing kit defeat SMS-based two-factor authentication.
The Internet Corporation for Assigned Names and Numbers, the nonprofit that is responsible for the domain name system, gave fTLD authority over the .bank domain in 2015. An initial push for adoption generated lukewarm enthusiasm from banks, in part because of a lack of understanding about the benefits. Although more than 2,200 banks have registered .bank domains, so far only 745 actively use one.
But that number is on the rise as the phishing problem proliferates. There were more than 255 million phishing attacks detected across all industries in 2022, a 61% increase over 2021, according to the annual “State of Phishing” report from the cybersecurity firm SlashNext. The finance and insurance industries were among the top five sectors targeted by so-called “zero-hour” threats, meaning attacks that had not been seen before and so evade signature-based filters.
As the SlashNext report says, cybersecurity is no longer like whack-a-mole. “Today the appropriate metaphor is the ‘Matrix’ fight scene where Neo fights 195 Smiths at once, and the potential for Smith to morph and multiply is endless.”
Schiff says fTLD has seen a spike in interest and consultations in the past six months, because of this growing challenge. “Until they were directly impacted, many banks weren’t moving forward with it,” he says. “This environment led people to move quicker than they had planned.”
How Does the .bank Domain Help?
It used to be that phishing emails and fake web pages had typos and other red flags that helped consumers recognize them as a scam. Now, cybercriminals have become so sophisticated that some consumers never realize they’re not interacting with their actual bank. The attack is discovered only after the criminal has already accessed the person’s account and committed fraud.
Most phishing attacks rely on lookalike domains, Schiff says. “So if you take that arrow out of the quiver, they’re left with a much smaller set of tools.”
Banks tend to be more adept at guarding against other types of cyberattacks than they are at keeping individuals from falling prey to phishing, he adds. “The hardest stuff is direct-to-consumer attacks.”
But the .bank domain gives customers a quick way to tell whether a website or email is legitimate: because only verified banks can register one, it is absent from the lookalike websites and spoofed emails that lead to breaches, ransomware, identity theft and fraud.
The American Bankers Association is an “advocate” for the domain, says Paul Benda, the trade group’s senior vice president of operational risk and cybersecurity. “We think it is a great tool for banks to brand themselves and strengthen their cybersecurity measures,” he says.
Benda agrees with Schiff’s assessment that the momentum behind adoption of .bank is picking up. And like Schiff, he cites the rise in phishing attacks and growing awareness of the benefits of using this domain as the motivators.
A Domain Exclusively for Banks Deters Cyberattacks
EH National Bank, which does business under the name Excel Bank, adopted the .bank domain in 2021 after experiencing a rise in phishing attacks.
Excel also uses a third-party vendor to actively seek and shut down phishing sites as they arise.
But since Excel switched from a .com to a .bank domain, phishing attempts have decreased significantly, says Matthew Terry, director of marketing and brand for the $334 million-asset bank in Beverly Hills, Calif.
“It doesn’t cut back on phishing 100%, but it really helps enhance our security for end users because the .bank site cannot be spoofed,” he says.
As criminals typically seek the path of least resistance, acquiring and directing consumers to a .bank domain is an easy way to thwart many attacks, Schiff says.
While anyone can buy a .com domain for less than $20, only retail banks, savings associations, or government regulatory boards approved by the fTLD are eligible to acquire a .bank domain or email address, he says.
Applicants have to meet several security requirements to be approved. For example, banks must implement Domain Name System Security Extensions (DNSSEC) and obtain a digital identity certificate. They also must have Transport Layer Security (TLS) 1.2 or higher in place for encryption and publish DMARC and SPF records so that receiving mail servers can reject email forged in the bank’s name.
Though this might sound complicated, the process is simple enough that securing the .bank domain can be completed in less than two months for as little as $500, Schiff says. The domain can be ready to launch with customers just a few weeks later.
Setting up a permanent (HTTP 301) redirect from the original .com site sends existing traffic, bookmarks and search results to the new .bank site automatically.
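The mail-authentication and redirect requirements described above can be checked mechanically. The following Python is an added example, not code from the article or from fTLD: it parses SPF and DMARC TXT records, flags the settings that still leave spoofing possible, and verifies that the legacy .com site answers with a permanent HTTPS redirect to the .bank host. The sample records and HTTP response are constructed, examplebank.com and examplebank.bank are hypothetical hosts, and the pass thresholds (SPF must end in -all or ~all, DMARC must be p=quarantine or p=reject) are this example's assumptions rather than fTLD's published rule text. DNSSEC and TLS-version checks need a live resolver and handshake and are left out so the block runs offline.

```python
"""Offline checks for the .bank onboarding requirements named above:
SPF and DMARC records for mail authentication, and a 301 redirect from
the old .com site to the .bank site.  The sample records and the HTTP
response are constructed here, and the thresholds (SPF must end in
-all or ~all, DMARC must be p=quarantine or p=reject) are this
example's assumptions, not fTLD's published rule text."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 allows 10).
_SPF_LOOKUP = re.compile(
    r"^[+\-~?]?(include:|a(?![\w-])|mx(?![\w-])|ptr|exists:|redirect=)", re.I)


def spf_findings(txt: str) -> list[str]:
    """Return problems found in one SPF TXT record (empty list = acceptable)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: must start with v=spf1"]
    findings = []
    final = terms[-1].lower()
    if final in ("+all", "all"):
        findings.append("SPF ends in +all: any sender passes, so it blocks nothing")
    elif final == "?all":
        findings.append("SPF ends in ?all (neutral): receivers will not reject forgeries")
    elif final not in ("-all", "~all") and not final.startswith("redirect="):
        findings.append("SPF has no -all or ~all terminator")
    lookups = sum(1 for t in terms if _SPF_LOOKUP.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; over 10 evaluates to permerror")
    return findings


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'k=v; k=v' DMARC syntax into a lowercase-keyed dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_findings(txt: str) -> list[str]:
    """Return problems found in one DMARC TXT record (empty list = acceptable)."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return ["no valid DMARC record: must start with v=DMARC1"]
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy or '<missing>'}: failing mail is still delivered")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: spoofing attempts go unreported")
    return findings


def redirect_findings(status: int, location: str, bank_host: str) -> list[str]:
    """Check that the legacy .com site answers with a permanent redirect to https://<bank_host>."""
    findings = []
    if status != 301:
        findings.append(f"redirect is HTTP {status}, not a permanent 301")
    url = urlparse(location)
    if url.scheme != "https":
        findings.append(f"redirect target scheme is {url.scheme or '<none>'}, not https")
    host = (url.hostname or "").lower()
    if host != bank_host and not host.endswith("." + bank_host):
        findings.append(f"redirect target host {host or '<none>'} is not under {bank_host}")
    return findings


def assess(spf: str, dmarc: str, status: int, location: str,
           bank_host: str) -> dict[str, list[str]]:
    """Run all checks and return findings per area; all-empty means every check passed."""
    return {
        "spf": spf_findings(spf),
        "dmarc": dmarc_findings(dmarc),
        "redirect": redirect_findings(status, location, bank_host),
    }


# Constructed samples; examplebank.com / examplebank.bank are hypothetical hosts.
BANK_HOST = "examplebank.bank"
WEAK = dict(spf="v=spf1 include:_spf.example-mail.net +all",
            dmarc="v=DMARC1; p=none; rua=mailto:dmarc@examplebank.com",
            status=302, location="http://examplebank.bank/")
HARDENED = dict(spf="v=spf1 mx include:_spf.example-mail.net -all",
                dmarc="v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@examplebank.bank",
                status=301, location="https://www.examplebank.bank/")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        for area, problems in assess(bank_host=BANK_HOST, **cfg).items():
            print(f"{label:9}{area:9}{problems or 'ok'}")
```

The weak configuration is the common "set it and forget it" state: an SPF record ending in +all authorizes every sender on the Internet, a DMARC policy of p=none only asks receivers to report forgeries rather than quarantine or reject them, and a temporary 302 to a plain-http URL leaves customers one downgrade away from a lookalike page. Run the same functions against the real TXT records pulled from DNS before declaring the cutover done.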
Schiff says fTLD walks through the technology with each bank to ensure a seamless transition.
Customer Communication Is Key With .bank Switch
The bigger task after adopting the new domain is teaching customers to recognize it as a sign of safety. Without awareness, customers who knew the bank’s .com domain may be deterred by a .bank domain they have not used before.
And, because criminals can still spoof old .com pages, customers must be educated to trust only the .bank domain.
Excel Bank found that communication and education are the “underwater part of the iceberg” when it comes to adopting a .bank domain, Terry says. Since making the switch, Excel has continuously engaged customers via the website, email, and other means to spread the word.
“We knew many customers might scratch their heads over this, which is why we did as much as we did in terms of communication,” Terry says.
Given that banks have struggled with the transition in the past, fTLD now provides templates for websites, banners, and emails to customers to explain the reason for the transition to the .bank domain and to let customers know what they should expect, says Schiff.
“Part of that is to train customers before they ever download a link or give up any information to ensure they see .bank,” he says.
Explainer: What Is fTLD?
The .bank domain is operated by fTLD Registry Services, a coalition of banks, insurance companies, and financial services trade associations from around the world, including the Independent Community Bankers of America and the American Bankers Association. ABA developed the domain’s security requirements.
A TLD is a top-level domain; familiar examples are .com, .org, and .gov. The .bank domain is a financial top-level domain, the origin of fTLD’s name.
The Internet Corporation for Assigned Names and Numbers, or ICANN, is the nonprofit that coordinates the Internet’s domain name system and related identifiers. It designates a registry operator to manage each TLD.