Throughout the summer of 2021, the number of phishing URLs designed to impersonate Chase jumped 300%, according to security firm Cyren.
Phishing attacks work by impersonating a known company, brand, product or service. The goal is to trick users or customers of the product into providing their account credentials and other sensitive information in response to the initial spoofed email or message.
Chase Bank is one of the most exposed brands among phishing campaigns as cybercriminals increasingly target people who use the company’s financial services. A report released on Tuesday by cybersecurity provider Cyren examines the latest phishing attempts to exploit Chase and offers tips for users to avoid these types of scams.
A U.S. subsidiary of JP Morgan Chase, Chase Bank is now ranked the sixth most spoofed brand in phishing URLs, according to Cyren. Among financial companies, Chase sits in third place, slightly behind PayPal. But lately there has been an increase in phishing activity targeting Chase Bank customers.
Looking at the period from mid-May to mid-August, Cyren researchers found a 300% jump in phishing URLs spoofing the Chase brand. Behind all these malicious URLs are phishing kits, which cybercriminals buy, sell, and use to build their campaigns. Of all the phishing kits reviewed in the past six months, Chase was the second most targeted brand, closely behind Microsoft 365 at number one.
Many phishing kits Cyren analyzed since May are designed to steal more than just an email address and password. These kits attempt to capture bank and credit card information, social security numbers, home addresses, and other sensitive information. Some kits even attempt to siphon off one-time codes used for two-factor authentication. To target Chase Bank customers via email or text, attackers use a popular phishing kit known as Chase XBALTI.
In a campaign to spoof the Brazilian Chase website, the recipient is asked to enter their Chase account credentials in order to update their bank accounts online. After confirming the username and password, the person is notified that their credentials are incorrect and asked to enter them again. This tactic is meant to ensure that the user has not entered the wrong information.
After passing this stage, the person is asked to update their personal information, including their social security number, mother’s middle name and date of birth. On the next screen, the user is prompted to submit their credit card details and then add information for another credit or debit card.
Then the person is asked to confirm their home address, after which they are redirected to the final verification page. After pressing the My Account button, the hapless victim is redirected to Chase’s current website.
At this point, the criminals have enough information to sell the account details on the Dark Web for use in further attacks, account takeovers, and identity fraud. In fact, every piece of sensitive data captured is sent to the attacker's email address configured in the phishing kit.
While large banks and financial firms have safeguards in place to combat phishing exploits, small businesses may not have the tools or technologies to do so. To help you better detect and prevent phishing attacks, Cyren offers the following tips:
- Avoid clicking on links or dialing a phone number in an email or text message. Instead, contact the company using the information on their website or through their official mobile app. Chase customers can also report phishing emails to Chase Bank.
- If you’re unsure of the legitimacy of a particular email or text message, have someone else review it. Many organizations also have measures in place that allow you to report a suspicious email. Mobile phone carriers have steps for submitting suspected phishing messages. You can also submit potential phishing URLs through sites such as Cyren Website URL Category Checker, VirusTotal, and PhishTank.
- Slow down when checking an email or text. You can detect and prevent many phishing attacks by examining the message for misspellings and other inconsistencies. Look at the copyright date in the footer, make sure the URL shown is correct, and trust your own instincts.
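The "make sure the URL shown is correct" check can be automated for links pulled out of a message. The following is an added example, not code from Cyren or from the article; the allow-list, the brand tokens, and the function names are assumptions, and the sample links are constructed with reserved `.example` names.

```python
import re
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"chase.com"}   # assumption: the brand's real registrable domain
BRAND_TOKENS = {"chase"}        # assumption: hostname tokens that signal the brand

def host_of(text):
    """Hostname a browser would connect to, or '' if text is not URL-like."""
    text = text.strip()
    if "." not in text or " " in text:
        return ""
    try:
        parts = urlsplit(text if "://" in text else "http://" + text)
    except ValueError:
        return ""
    return (parts.hostname or "").rstrip(".").lower()

def is_legit(host):
    # Exact match or a true subdomain; "chase.com.evil.example" fails both.
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def assess_link(display_text, href):
    """Return (verdict, reasons) for one link taken from an email or text."""
    host = host_of(href)
    if is_legit(host):
        return "legitimate", []
    reasons = []
    # Whole-token match so that "purchase.example" is not flagged.
    if BRAND_TOKENS & set(re.split(r"[.-]", host)):
        reasons.append("brand name inside a non-brand hostname")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalized hostname, possible look-alike letters")
    if "@" in href.split("://", 1)[-1].split("/", 1)[0]:
        reasons.append("text before '@' is not the host")
    if is_legit(host_of(display_text)):
        reasons.append("link text shows the brand domain, target differs")
    return ("suspicious" if reasons else "unrelated"), reasons

# Constructed sample links (display text, target); not real indicators.
SAMPLES = [
    ("www.chase.com", "https://secure.chase.com/login"),
    ("www.chase.com", "https://chase.com.account-update.example/verify"),
    ("Verify now", "https://chase.com@login.example/"),
    ("Verify now", "https://ch\u0430se.example/"),  # Cyrillic 'a' look-alike
    ("Weather", "https://weather.example/today"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(assess_link(text, href), href)
```

Without a public suffix list the allow-list has to name each legitimate registrable domain explicitly, and a link that passes this check can still be malicious for reasons the hostname does not show.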