TL;DR: A phishing campaign targeting RBC Direct Investing clients used a fake W-8BEN renewal flow to harvest credentials and tax data, then relied on the fact that authentication still leaves post-login authority largely unchecked, according to EnforceAuth. The hard problem is not entry, but continuous authorisation after the login event has already succeeded.
NHIMG editorial — based on content published by EnforceAuth: the RBC Direct Investing phishing campaign and the authorization gap in financial services
By the numbers:
- 22% of breaches start with stolen credentials.
- 246 days mean time to identify and contain credential breaches.
Questions worth separating out
Q: What breaks when authentication is treated as the main security control after a phishing event?
A: Authentication breaks as a security boundary because it only proves that a credential was accepted, not that the resulting actions are legitimate.
Q: Why do stolen credentials create such a large risk in financial services?
A: Stolen credentials are dangerous in financial services because one login often reaches multiple applications, data sets, and delegated workflows.
Q: How do security teams know whether continuous authorisation is actually working?
A: Teams know it is working when sensitive actions are blocked or stepped up based on context, not just login state.
Practitioner guidance
- Map post-login trust chains: identify every application, data store, service account, and automation path that inherits trust from a human session.
- Enforce runtime authorisation at decision points: place policy checks at API gateways, data access layers, and workflow boundaries so the same credential is re-evaluated for each sensitive action.
- Separate human compromise from downstream NHI access: review where human identities can trigger service account actions, token use, or automated jobs.
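The decision-point model above, and the earlier test of "blocked or stepped up based on context, not just login state", can be made concrete with a small runtime authorisation check. The following is an added example written for this post; it is not EnforceAuth's policy engine or any NHIMG code. The session and action schema, the field names, and every threshold (step-up amount, IP risk cut-off, MFA freshness window) are constructed for illustration. The point it demonstrates is that a valid session established with phished credentials still fails context checks when it tries a sensitive action, while a non-sensitive action rides on login state alone.

```python
"""Context-aware runtime authorisation check for sensitive actions.

Added example, not EnforceAuth's or NHIMG's code. The session/action model,
field names, and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require fresh MFA before the action proceeds
    DENY = "deny"


@dataclass
class Session:
    """Context attached to an authenticated session (hypothetical schema)."""
    user_id: str
    authenticated: bool
    seconds_since_login: int
    seconds_since_mfa: Optional[int]   # None = no MFA performed in this session
    device_known: bool                 # device fingerprint seen before for this user
    ip_risk_score: float               # 0.0 (clean) .. 1.0 (known-bad), constructed scale
    mfa_fresh_window: int = 300        # seconds a completed step-up stays valid


@dataclass
class Action:
    """The specific operation being attempted at the decision point."""
    name: str
    sensitive: bool
    amount: float = 0.0
    new_payee: bool = False


@dataclass
class DecisionRecord:
    """One entry in the decision log: who, what, outcome, and why."""
    user_id: str
    action: str
    decision: Decision
    reason: str


STEP_UP_AMOUNT_THRESHOLD = 10_000.0   # constructed threshold
IP_RISK_DENY_THRESHOLD = 0.8          # constructed threshold
STALE_SESSION_SECONDS = 3600          # constructed threshold


def authorize(session: Session, action: Action, log: List[DecisionRecord]) -> Decision:
    """Re-evaluate the session for this specific action.

    Login state alone never authorises a sensitive action; the surrounding
    context does. Every outcome is appended to `log` so a reviewer can see
    why an action was allowed, denied, or stepped up.
    """
    def record(decision: Decision, reason: str) -> Decision:
        log.append(DecisionRecord(session.user_id, action.name, decision, reason))
        return decision

    if not session.authenticated:
        return record(Decision.DENY, "no authenticated session")

    # Non-sensitive actions (e.g. viewing a balance) are gated by login state only.
    if not action.sensitive:
        return record(Decision.ALLOW, "non-sensitive action")

    # Hard stop: a high-risk network origin blocks sensitive actions outright,
    # however the session was established.
    if session.ip_risk_score >= IP_RISK_DENY_THRESHOLD:
        return record(Decision.DENY, f"ip_risk_score={session.ip_risk_score:.2f}")

    mfa_fresh = (
        session.seconds_since_mfa is not None
        and session.seconds_since_mfa <= session.mfa_fresh_window
    )

    # Signals that require re-proving the person, not just the credential.
    triggers = []
    if not session.device_known:
        triggers.append("unknown device")
    if action.new_payee:
        triggers.append("new payee or destination")
    if action.amount >= STEP_UP_AMOUNT_THRESHOLD:
        triggers.append(f"amount {action.amount:.2f} over threshold")
    if session.seconds_since_login > STALE_SESSION_SECONDS:
        triggers.append("stale session")

    if triggers and not mfa_fresh:
        return record(Decision.STEP_UP, "; ".join(triggers))
    if triggers:
        return record(Decision.ALLOW, "fresh MFA covers: " + "; ".join(triggers))
    return record(Decision.ALLOW, "context checks passed")


def demo() -> List[DecisionRecord]:
    """Run constructed scenarios through the decision point and return the log."""
    log: List[DecisionRecord] = []
    # Valid credentials, but a device this user has never used: treat as suspect.
    phished = Session("u1", True, 30, None, device_known=False, ip_risk_score=0.4)
    authorize(phished, Action("update_tax_profile", sensitive=True), log)
    # Same user on a known device with a recent MFA: routine and large actions differ.
    owner = Session("u1", True, 30, 20, device_known=True, ip_risk_score=0.1)
    authorize(owner, Action("view_balance", sensitive=False), log)
    authorize(owner, Action("withdraw", sensitive=True, amount=50_000.0), log)
    return log


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec.action:<20} {rec.decision.value:<8} {rec.reason}")
```

Wiring this at an API gateway or data access layer means calling `authorize` for each request rather than once at login; the decision log is what lets a team answer the question in the Q&A above, namely whether sensitive actions are in fact being blocked or stepped up on context rather than on session state.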
What's in the full article
EnforceAuth's full analysis covers the operational detail this post intentionally leaves for the source:
- Policy-as-code examples for continuous authorisation across applications, infrastructure, data, and AI workloads
- The phased implementation model for placing decision points at API gateways, data layers, and AI orchestrators
- The full regulatory mapping across DORA, SOX, GDPR, PCI-DSS, and EU AI Act obligations
- Architecture details for the policy engine, unified decision logging, and low-latency enforcement
Read EnforceAuth's analysis of the RBC Direct Investing phishing campaign and authorization gap.