Fraudulent Bank Account Activity Continues

Summary

The NJCCIC observed multiple banking-themed phishing campaigns attempting to be delivered to New Jersey State employees to steal account credentials or personally identifiable information (PII). In one campaign, threat actors spoofed the display name for Customers Bank, which has multiple locations in the United States and New Jersey; however, the sender’s email address was unassociated to the bank. The subject lines may contain keywords such as notification, alert, action required, important verification, and important notification. The non-personalized email informs the target that a temporary hold has been placed on their account due to a failed identity verification. The target is then advised to click a link included in the email, which has been identified as phishing and malicious by VirusTotal.

If clicked, the target is directed to a Customers Bank phishing webpage which prompts the target to enter their username, password, date of birth, Social Security number, registered email address, and email password. The information is then sent to the threat actors in the background if entered. The phishing webpage uses Customers Bank branding to mimic the Customers Bank official webpage; however, the official webpage requests less information to unlock an account, including last name, date of birth, Social Security number, zip code, and locked login ID. Although the phishing webpage is no longer working, threat actors may create new phishing links and campaigns.

Additionally, we continue to receive reports of SMS text messages purporting to originate from financial institutions, such as PNC Bank. Messages may list the vendor, claiming that a transaction is on hold or inquiring if a specified financial transaction was attempted by the target. The message also includes a phone number to call to approve or decline the transaction.

The NJCCIC assesses with high confidence that threat actors will continue to use social engineering tactics to gain unauthorized access to financial bank accounts and commit further malicious activity. The above examples, combined with the prevalence of data exposed via breaches and information publicly available online, highlight the importance of staying vigilant to help prevent successful social engineering attempts, account compromises, identity theft, and fraudulent activity, including opening accounts and taking out loans in the victim’s name without their knowledge.

Recommendations

The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders, and exercise caution with communications from known senders. If unsure of the legitimacy, contact the sender via a separate means of communication, such as by phone, before taking any action. Additionally, visit websites directly by manually typing the legitimate URL into a browser and refrain from navigating to online accounts via links delivered in emails and SMS text messages. If victimized, please report to your financial institution, change the password used for the compromised account and any other accounts using the same password, and log out of any unrecognized devices. Additional recommendations and resources can be found in the Identity Theft and Compromised PII NJCCIC Product, including credit freezes and enabling multi-factor authentication (MFA) on accounts. Phishing emails and other malicious cyber activity can be reported to the NJCCIC and the FBI Internet Crime Complaint Center (IC3).