Original Release Date: 6/26/2020
The NJCCIC has observed multiple phishing campaigns, consistent with open-source reporting, in which cyber-criminals impersonate popular financial institutions, such as Wells Fargo and Bank of America, and target customers to steal account credentials and information. For example, one campaign claims to be a security alert from Wells Fargo and contains an ICS calendar attachment titled "update your security keys.ics" that, if clicked, directs the user to a SharePoint page and then to a spoofed banking website that prompts for account credentials, PIN, email address and password, and account number. Any information entered is sent to the threat actors in the background. Other phishing examples include emails containing HTML attachments that direct to a spoofed Google Docs webpage to download wire transfer confirmation information, requests to click on links to update email addresses, offers of $1,000 bonuses to click on links to provide comments or feedback, requests for personal information needed to complete a pending wire transfer payment, and requests to confirm beneficiary information for outstanding funds.
The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to exercise caution with links, attachments, and spoofed domains received from unknown contacts; navigate directly to authentic vendor websites; and keep applications up to date. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication. We advise users to review the NJCCIC product “Don’t Take the Bait! Phishing and Other Social Engineering Attacks” and the “Cybersecurity Best Practices” webpage for more information on how to keep accounts and data safe.
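Mail administrators and analysts can triage the calendar-attachment lure described above before a user opens it. The following is an added example, not NJCCIC code: it unfolds each ICS attachment in a message, extracts the links, and marks hosts outside a hypothetical `EXPECTED_DOMAINS` allowlist. The sample message and all `.example` hosts are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumption: domains the impersonated brand really uses (hypothetical allowlist).
EXPECTED_DOMAINS = {"bank.example"}

def ics_links(raw_message: bytes):
    """Return (filename, url, host, expected) for each URL in calendar attachments."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename() or ""
        is_ics = part.get_content_type() == "text/calendar" or name.lower().endswith(".ics")
        if part.is_multipart() or not is_ics:
            continue
        text = part.get_payload(decode=True).decode("utf-8", errors="replace")
        # RFC 5545 folds long lines as a line break plus one space or tab;
        # unfold first so a URL split across two lines is recovered whole.
        text = re.sub(r"\r?\n[ \t]", "", text)
        # Backslash is excluded: iCalendar escapes such as \n may follow a URL.
        for url in re.findall(r"https?://[^\s\"<>\\]+", text):
            host = (urlsplit(url).hostname or "").lower()
            expected = any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)
            findings.append((name, url, host, expected))
    return findings

def build_sample() -> bytes:
    """Constructed test message; .example hosts are placeholders, not indicators."""
    ics = ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
           "SUMMARY:Security alert\r\n"
           "DESCRIPTION:Review now: https://files.sharing.exa\r\n"
           " mple/doc/123\\nThank you.\r\n"
           "END:VEVENT\r\nEND:VCALENDAR\r\n")
    msg = EmailMessage()
    msg["From"] = "alerts@bank.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Security alert"
    msg.set_content("Please open the attached calendar entry.")
    msg.add_attachment(ics, subtype="calendar",
                       filename="update your security keys.ics")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, url, host, expected in ics_links(build_sample()):
        print(f"{name}: {url} host={host} {'expected' if expected else 'REVIEW'}")
```

A link marked for review is a prompt for an analyst to look at the message, not a verdict; legitimate invites routinely link to third-party hosts.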