Wells Fargo customers targeted with phishing attacks using calendar invites
Employees of large corporations are being targeted with phishing emails that impersonate the Wells Fargo security team and use innocent-looking calendar invitations as clickbait.
The fraudsters try to get message recipients to click on the invitations, which take them to a malicious website that resembles the Wells Fargo site, according to Abnormal Security, a cybersecurity research firm that says it discovered the attack.
At that site, victims are asked for sensitive information like the username, login, card PIN or number for their personal accounts held at Wells. As of Friday the campaign had targeted about 15,000 to 20,000 people, Abnormal Security said in a June 18 blog post. It’s unclear how many have been duped by the scam.
Wells Fargo declined an interview request but offered this statement acknowledging the situation: “The security of our customers’ accounts and information is our priority at Wells Fargo, and we are aware of this campaign. We encourage our customers who receive suspicious emails to not respond, click on any links or open any attachments in any format.” The company also has set up a webpage with information and resources on phishing.
Cybercriminals have been upping their game during the coronavirus pandemic, taking advantage of the disruption of normal activity to siphon off unemployment benefits, execute fraudulent wire transfers, get people to download fake bank mobile apps and more.
According to the cybersecurity firm Mimecast’s 100 Days of Coronavirus Report, the use of impersonation emails rose 30.3% from January through mid-April.
Financial services firms have been among the hardest hit, said Trace Fooshee, senior analyst at Aite Group.
“Banks have reported increases in phishing attacks that are specifically engineered to exploit the many thousands of consumers who have migrated to digital banking in the wake of the pandemic,” Fooshee said. “These consumers are particularly vulnerable to these kinds of attacks as they are often completely unaware of these kinds of attacks and are more likely to fall for deceptions that are cleverly disguised.”
How it works
The use of calendar invitations is a new wrinkle. The attack began on June 18 and happens within Microsoft Office 365, according to the Abnormal Security blog post.
Emails arrive in inboxes at various large companies that appear to be from a Wells Fargo Security Team member who tells recipients they’ve been sent a new security key to protect their personal accounts. The message urges the recipients to open the attached calendar item, an .ics file, and follow the instructions, or risk having their accounts suspended, according to Abnormal Security’s blog.
Contained within the event description is a link to a Sharepoint page that directs recipients to click on another link to secure their accounts. This link leads to a fake phishing page for Wells Fargo, where they are prompted to enter sensitive account-related information.
According to Abnormal Security researchers, the attack is often successful because it creates a sense of urgency. The email says recipients must update their security keys as soon as possible.
Growing use of fake bank websites
Generally speaking, the use of simulated bank websites to trick people into coughing up their online banking credentials and other sensitive information has become a common practice among cybercriminals, according to Matthew Gardiner, principal security strategist at Mimecast.
Gardiner said thousands of fake bank websites are created every day. Big global brands like Wells Fargo, JPMorgan Chase and Bank of America are constant targets. The sites often remain live for just four to eight hours, he said.
“It's tricky because anyone can register a domain, clone a website and throw it up on some hosting service, and then it's up to the brand owner to find it and pull some strings to get it taken down,” Gardiner said.
Smaller banks are also becoming targets, he said.
“The bigger banks have bigger teams, more sophisticated security systems and people, so it's harder to accomplish what you're after against them,” Gardiner said. “Not that people don't constantly try, but the next tier down don't have the technology resources, so they’re more vulnerable. There’s still plenty of money that can be made from them, but their defenses are not as mature.”
The hackers in this attack are trying to get as much information as they can, Gardiner said. But they don’t plan to use the information themselves to steal money; instead they sell it on the black market.
They have to strike a delicate balance.
“They don't want to ask for too much and lose you, but they want to ask for as much as they think they can get,” Gardiner said.
What banks can do about phishing attacks
Gardiner pointed out that banking companies like Wells Fargo protect their brands aggressively. Wells, for instance, uses Domain-based Message Authentication, Reporting and Conformance (DMARC) to protect its email domain. This is an authentication protocol used to analyze email addresses and make sure they really came from the site they purport to come from.
Companies are also diligent about finding and taking down fake websites using their brands. They also are constantly searching for brand exploitation of their websites. When they find a fake bank site, they try to get it taken down immediately.
“The big brands all do it,” said Gardiner, whose company assists in such efforts. “It just takes a little time.”
He recommends security awareness training for customers and employees.
“You're never going to get to 100%, and attackers are so targeted and sophisticated in many cases that they can simulate the real thing so closely that if it hits you at the right time and it's from a brand you do business with anyway and trust, anyone could fall for it,” he said.
Correction: An earlier version of this story said that cybercriminals posing as Wells Fargo security officials sent phishing emails to Wells Fargo employees in an attempt to steal their account information. In fact, the phishing emails targeted Wells customers more broadly. American Banker regrets the error.