TL;DR: A phishing campaign targeting RBC Direct Investing clients used a fake W-8BEN renewal flow to harvest credentials and tax data, then relied on the fact that authentication still leaves post-login authority largely unchecked, according to EnforceAuth. The hard problem is not entry, but continuous authorisation after the login event has already succeeded.
NHIMG editorial — based on content published by EnforceAuth: the RBC Direct Investing phishing campaign and the authorization gap in financial services
By the numbers:
- 22% of breaches start with stolen credentials.
- 246 days: mean time to identify and contain credential breaches.
Questions worth separating out
Q: What breaks when authentication is treated as the main security control after a phishing event?
A: Authentication breaks as a security boundary because it only proves that a credential was accepted, not that the resulting actions are legitimate.
Q: Why do stolen credentials create such a large risk in financial services?
A: Stolen credentials are dangerous in financial services because one login often reaches multiple applications, data sets, and delegated workflows.
Q: How do security teams know whether continuous authorisation is actually working?
A: Teams know it is working when sensitive actions are blocked or stepped up based on context, not just login state.
Practitioner guidance
- Map post-login trust chains: identify every application, data store, service account, and automation path that inherits trust from a human session.
- Enforce runtime authorisation at decision points: place policy checks at API gateways, data access layers, and workflow boundaries so the same credential is re-evaluated for each sensitive action.
- Separate human compromise from downstream NHI access: review where human identities can trigger service account actions, token use, or automated jobs.
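The decision-point check described in the guidance above (and the "blocked or stepped up based on context" test from the Q&A) as an added example, not code from EnforceAuth or NHIMG: a minimal policy function that re-evaluates each sensitive brokerage action against session context and writes a decision record. The action names, the 15-minute freshness window and the withdrawal threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # re-authenticate (e.g. MFA) before the action proceeds
    DENY = "deny"

# Assumed, illustrative set of sensitive brokerage actions; the policy keys on
# the action being attempted, not on the fact that a login already succeeded.
SENSITIVE_ACTIONS = {"update_tax_form", "change_payout_account", "withdraw"}
FRESH_AUTH_WINDOW_MIN = 15       # sensitive actions need an auth event newer than this
WITHDRAW_STEP_UP_LIMIT = 5000.0  # assumed threshold above which withdrawals always step up

@dataclass(frozen=True)
class Session:
    user: str
    auth_level: str            # "password" or "mfa": how the session was established
    auth_age_min: int          # minutes since the last authentication event
    device_known: bool         # device previously bound to this customer
    geo_matches_profile: bool  # request origin consistent with the customer's profile

@dataclass(frozen=True)
class ActionRequest:
    action: str
    amount: float = 0.0

def authorize(session: Session, req: ActionRequest, decision_log: list) -> Decision:
    """Evaluate one action against session context; every decision is logged."""
    if req.action not in SENSITIVE_ACTIONS:
        decision, reason = Decision.ALLOW, "low-risk action"
    elif not session.device_known and not session.geo_matches_profile:
        # Unknown device plus anomalous origin on a sensitive action: block outright,
        # because a step-up challenge alone does not show the session is the customer's.
        decision, reason = Decision.DENY, "unknown device and anomalous location"
    elif session.auth_level != "mfa":
        decision, reason = Decision.STEP_UP, "password-only session"
    elif session.auth_age_min > FRESH_AUTH_WINDOW_MIN:
        decision, reason = Decision.STEP_UP, "authentication older than freshness window"
    elif req.action == "withdraw" and req.amount > WITHDRAW_STEP_UP_LIMIT:
        decision, reason = Decision.STEP_UP, "withdrawal above step-up limit"
    else:
        decision, reason = Decision.ALLOW, "context consistent with customer"
    # Unified decision record: what was attempted, by whom, and why it was decided this way.
    decision_log.append({"user": session.user, "action": req.action,
                         "decision": decision.value, "reason": reason})
    return decision
```

A session established with a phished password on an unfamiliar device can still read a balance here, but the tax-form, payout and withdrawal actions that the campaign's fake W-8BEN flow targets are denied or forced back through authentication.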
What's in the full article
EnforceAuth's full analysis covers the operational detail this post intentionally leaves for the source:
- Policy-as-code examples for continuous authorisation across applications, infrastructure, data, and AI workloads
- The phased implementation model for placing decision points at API gateways, data layers, and AI orchestrators
- The full regulatory mapping across DORA, SOX, GDPR, PCI-DSS, and EU AI Act obligations
- Architecture details for the policy engine, unified decision logging, and low-latency enforcement
👉 Read EnforceAuth's analysis of the RBC Direct Investing phishing campaign and authorization gap →
Explore further
Authentication is no longer the security boundary in financial services. This campaign shows that a valid login can be the start of compromise, not the end of it. The programme weakness is not simply phishing susceptibility, but the assumption that identity can be trusted after entry without re-evaluating what it is doing. Practitioners should treat continuous authorisation as the real control boundary.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of its non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
A question worth separating out:
Q: Who is accountable when a phished identity is used to access downstream systems?
A: Accountability sits with the teams that own the identity, the application boundary, and the downstream trust chain. In practice, IAM, application, and security owners must all share responsibility for what a compromised session can reach. For regulated environments, the issue also maps to audit evidence, because access controls must be demonstrable after authentication, not just at login.
👉 Read our full editorial: Authorization gaps in financial services are the real post-phish risk