Original Release Date: 12/21/2023
Threat actors continue to research their targets, impersonate trusted entities, and initiate communications through email, phone calls, and SMS text messaging to convince them to take action, such as divulging information or transferring funds. In bank impersonation scams, threat actors seek personal information, account numbers, passwords, and PINs. If threat actors gain access to bank accounts, they can update personal and financial information. Additionally, they can set up fictitious travel notices or memos to spend money outside the normal spending location and evade detection. Furthermore, threat actors will test accounts to see if they are being monitored. If threat actors perform a fraudulent transaction and the activity is not detected, they will perform additional transactions. Despite banks using Early Warning services to help fight bank fraud, bank impersonation scams are increasing. The Federal Trade Commission (FTC) revealed that bank impersonation was the top reported text message scam in 2022, and reports of this scam increased nearly twentyfold since 2019. The most popular choices of major banks used in impersonation scams included Bank of America, Wells Fargo, Chase, and Citibank.
The NJCCIC observed multiple emails sent to New Jersey State employees attempting to lure potential victims with urgent bank account notifications to capture login credentials. In the example above, the email conveys a sense of legitimacy by using stolen Bank of America branding. However, upon further inspection, the display name is spoofed with “Bank of America Alert,” while the sender’s email address of iolevron5886[@]live[.]com is from a Microsoft Live.com account and not from a Bank of America domain. The purported account verification notification warns of temporarily limited account access due to unauthorized login attempts or billing failures.
The email urges the target to regain account access by clicking one of the highlighted links, which directs users to a credential phishing website, hxxp://bank0famericaverifyandvalidatey0urinf0rmati0nsecurely0nlinej[.]wordpress[.]com. This malicious link is hosted under the WordPress domain, contains a Bank of America reference, and uses zeros in place of the letter “o.” Credentials entered on this page are sent to the threat actors in the background.
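The two indicators described above (a brand in the display name that does not match the sender's domain, and a brand name spelled with digit swaps inside a hostname on an unrelated domain) can be checked mechanically. The following is an added example, not NJCCIC code; the `BRANDS` allowlist, the digit-swap table, and all function names are assumptions made for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: brand keyword -> domains that brand really uses (extend per brand).
BRANDS = {"bankofamerica": {"bankofamerica.com"}}
# Digit-for-letter swaps common in lookalike hostnames (0 -> o, 1 -> l, ...).
LOOKALIKE = str.maketrans("013457", "oleast")

def refang(text):
    """Undo the advisory's defanging: hxxp, [.] and [@]."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@")

def squash(text):
    """Lowercase, map lookalike digits to letters, drop everything but a-z."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LOOKALIKE))

def owned_by(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def spoofed_brands(label, host):
    """Brands named in `label` whose real domains do not include `host`."""
    return [b for b, doms in BRANDS.items()
            if b in squash(label) and not owned_by(host, doms)]

def check_sender(from_header):
    """Display name claims a brand, but the address is on another domain."""
    name, addr = parseaddr(refang(from_header))
    return spoofed_brands(name, addr.rpartition("@")[2].lower())

def check_url(url):
    """Hostname embeds a brand name (after digit swaps) on a foreign domain."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    return spoofed_brands(host, host)

if __name__ == "__main__":
    # Values quoted in the advisory (defanged), plus one constructed benign header.
    print(check_sender('"Bank of America Alert" <iolevron5886[@]live[.]com>'))
    print(check_url("hxxp://bank0famericaverifyandvalidatey0urinf0rmati0n"
                    "securely0nlinej[.]wordpress[.]com"))
    print(check_sender('"Bank of America" <notice@mail.bankofamerica.com>'))
```

This is a heuristic for triage: a match means the message claims a brand it does not originate from, while no match does not establish that a message is legitimate.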
Threat actors may also target victims in vishing campaigns by posing as bank employees, verifying personal and financial information, and claiming fraudulent activity has occurred on the account. In a recent vishing campaign, threat actors posed as a Wells Fargo Bank representative to verify that the target had opened a bank account and deposited a $1,000 check. When the target denied this, the threat actors further claimed that two pending Zelle payments were using this fraudulent account and that they could not stop the transactions. They advised the target to contact Zelle directly and provided a contact number, which the target did not verify. The target spoke to the purported Zelle representative, who advised them that they could not cancel the transactions unless the target created a Zelle account. Once suspicions grew, the target contacted the real Wells Fargo fraud department through trusted sources. They were advised that this was indeed a scam since there was no record of a new account or pending transactions.
Image Source: WJLA-TV/Renee Roberson
Another bank impersonation scam involved threat actors making small, intentionally suspicious charges on stolen credit or debit card numbers, triggering a legitimate SMS text message from the target’s bank. To appear more legitimate, the threat actors immediately called the target, impersonating Bank of America and spoofing their phone number. They guided the target through steps to supposedly reverse the charges through their Zelle account. The threat actors convinced the target to perform tasks, such as opening the mobile banking app, creating a new contact, and naming the contact. The target was given a supposed claim number for the charge reversal, and they received a Zelle confirmation text message. However, the purported account number entered was actually a phone number, resulting in additional funds unintentionally being transferred to the threat actors.
The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. It is highly advised that users refrain from responding to unsolicited communications, clicking links, and opening attachments from unknown senders, and exercise caution with communications from known senders. If you are unsure of a message's legitimacy, contact the sender via a separate means of communication – such as by telephone – obtained from trusted sources before taking any action. If correspondence contains requests for account changes or is otherwise suspicious, contact the bank directly before providing sensitive information or funds. Additionally, check accounts regularly, ensure multi-factor authentication (MFA) is enabled on accounts, and treat Zelle like cash payments, sending money only to people you know and trust. Report suspicious activity to the respective bank immediately and to the FTC, FBI’s IC3, and the NJCCIC to limit proliferation.