Fraudulent Alerts

Garden State Cyber Threat Highlight

Original Release Date: 12/30/2020

One of the ways to monitor and protect financial information and accounts is to sign up to receive free alerts offered by financial institutions. Alerts, delivered via email or text message, provide real-time updates that help users stay informed about account activity, manage finances, and detect inconsistencies or possible fraudulent activity early on. The types of alerts vary by institution and include daily balance, payment due reminders, low or high balances, large purchases, large ATM withdrawals, debit card use, balance transfers, foreign transactions, unusual activity, and profile changes. Once enrolled, individuals receive alerts, which may require immediate review, response, and/or action.

Cybercriminals create phishing campaigns imitating these alerts and often steal official branding to make fraudulent emails appear legitimate. These phishing emails may contain links or attachments that install malware or direct users to spoofed websites in order to steal credentials and sensitive information. The emails may attempt to convey a sense of urgency, causing users to panic and take action without thinking.

The NJCCIC observed several phishing emails purporting to be legitimate account activity and fraud alerts from multiple financial institutions. We provide examples of these phishing emails and recommendations to educate users on these continuing threats and tactics in order to reduce victimization from account compromise, further attacks, and identity theft.

This Bank of America phishing email contains an “Important Message” subject line and conveys a sense of urgency to take action and review the account to avoid suspension. It includes a “verify.htm” attachment or phishing URL that, if clicked, directs users to a spoofed Bank of America login page designed to harvest user credentials and sensitive information. The email also contains grammatical errors. 

This JPMorgan Chase Bank phishing email contains a “Chase Online Banking !” subject line with a sense of urgency that the account has been temporarily disabled for security reasons and will be suspended if the account is not accessed and confirmed. The email contains a phishing URL that, if clicked, directs users to a spoofed Chase login page to steal credentials. It also contains a link within the email to verify the authenticity of the message, creating a false sense of security. A similar Wells Fargo phishing email also provides an account suspension notification and requests the confirmation of the unusual activity by clicking on the phishing URL contained in the email to access the online account. 

This Citizens Bank phishing email is vague and contains an “Important Notification” subject line to convey a sense of urgency. The email contains a phishing URL that, if clicked, directs users to a spoofed Citizens Bank login page to harvest credentials. The red flags in this email are the grammatical errors and the phishing URL visually containing two slashes instead of one slash after “citizensbank.com.” 

This Bank of America phishing email contains an “Online Banking Alert” subject line and claims the account is on hold. The email creates a sense of urgency to verify the account in order to remove the hold, view statements, and pay bills. It includes an attachment and/or phishing URL that, if clicked, directs the user to log into the account to verify and update account information. 

This JPMorgan Chase Bank phishing email contains a “Chase Alert” subject line and claims to have locked the account after detecting suspicious activity. The email contains a “Proceed” phishing URL that, if clicked, directs the user to a spoofed website to enter credentials and complete the identity verification process to unlock the account. 
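The red flags named in the examples above (an HTML attachment such as “verify.htm” and a doubled slash after the domain in a link) can be checked mechanically when triaging a reported message. The following is an added example, not NJCCIC code; the sample message, the placeholder domain phish.example, and the function name `red_flags` are constructed for illustration. The link-mismatch check goes one step beyond the text: it flags a link whose visible address names one site while the underlying address points to another.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample message; phish.example is a placeholder, not an observed indicator.
SAMPLE = """\
Subject: Important Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account is on hold. Sign in at
<a href="http://phish.example/login">https://www.citizensbank.com//secure</a></p>
--b1
Content-Type: text/html; name="verify.htm"
Content-Disposition: attachment; filename="verify.htm"

<form action="http://phish.example/collect"></form>
--b1--
"""

# Simplification: matches double-quoted href attributes only; a mail filter
# would use a real HTML parser here.
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def red_flags(raw):
    """Return the red flags found in a raw RFC 5322 message string."""
    flags = []
    for part in email.message_from_string(raw, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        if name.endswith((".htm", ".html")):
            flags.append("html-attachment:" + name)   # e.g. "verify.htm"
        elif part.get_content_type() == "text/html":
            for href, inner in ANCHOR.findall(part.get_content()):
                shown = re.sub(r"<[^>]+>", "", inner).strip()  # visible link text
                for url in (href, shown):
                    if "//" in urlsplit(url).path:             # doubled slash after the host
                        flags.append("double-slash:" + url)
                shown_host, real_host = urlsplit(shown).hostname, urlsplit(href).hostname
                if shown_host and shown_host != real_host:     # text names one site, link goes elsewhere
                    flags.append(f"link-mismatch:{shown_host}->{real_host}")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

Legitimate mail that uses click-tracking links also trips the link-mismatch check, so treat the output as signals for review rather than a verdict.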

 

Recommendations

The NJCCIC recommends users practice good cyber hygiene to protect their financial information and accounts.

  • Use unique, complex passwords for all accounts. Unique passwords for each account prevent password reuse attacks, in which threat actors obtain your password for one account and use it to compromise an additional account using the same credentials.
  • Enable multi-factor authentication (MFA) where available. MFA is the use of two or more factors to authenticate to an account or service. This significantly reduces the risk of account compromise via credential theft in which your password has been exposed. Even if a cybercriminal obtains a user’s username and password, they will be unable to access that user’s account without their second factor. The NJCCIC encourages users to choose authentication apps, hardware tokens, or biometrics as a second factor over SMS-based authentication due to the risk of SIM-swapping, though using any form of MFA is beneficial. The website TwoFactorAuth.org maintains a comprehensive list of websites that offer MFA.
  • Refrain from sharing login credentials or other sensitive information. Login credentials and other sensitive information should not be shared with anyone or saved on your computer or other platforms.
  • Exercise caution with communications. Stay calm and think before reacting. Most businesses will not send alerts that request sensitive information or ask you to download attachments. Confirm the legitimacy of the message or request via a separate means of communication, such as telephone, obtained directly from official websites, bills, or welcome emails.
  • Navigate directly to websites. Navigate directly to authentic or official websites by typing the legitimate URL into the browser instead of clicking on links in messages, and refrain from entering login credentials on websites visited via links delivered in messages.
  • Use secure websites. When sharing personal or financial information, ensure you are using verified, secure, and encrypted websites.
  • Update passwords immediately following a data breach or potential compromise. Use a resource, such as haveibeenpwned.com, to determine if your information, such as an account password, has been revealed in a public data breach. Change an exposed password on every account that uses it to protect against account compromise.
  • Keep devices up to date. Stay informed about publicly-disclosed vulnerabilities and update devices—including firmware—to the latest version to ensure they are patched against known vulnerabilities that could be exploited by threat actors to gain unauthorized access to your device and/or data. If a device is unable to receive updates from the vendor, consider not purchasing or discontinuing use of the device.
  • Secure physical devices. Safeguard devices and ensure a password/passcode is enabled for all devices to prevent unauthorized access in the event a device is lost or stolen.
  • Review accounts and report suspicious activity. Review account transactions and activity and report any suspicious activity, identity theft, and/or fraud to your financial institution, local police department, and/or the Federal Trade Commission (FTC). You may also report cyber incidents to the NJCCIC via the Cyber Incident Report form.

Resources

    New Jersey Cybersecurity & Communications Integration Cell

    2 Schwarzkopf Dr, Ewing Township, NJ 08628

    njccic@cyber.nj.gov
