Throughout the summer of 2021, the number of phishing URLs designed to impersonate Chase jumped by 300%, says security firm Cyren.
Phishing attacks work by impersonating a known company, brand, product or service. The goal is to trick users or customers of the product into providing their account credentials and other sensitive information in response to the initial spoofed email or message.
One brand that’s been getting a lot of exposure in phishing campaigns is Chase Bank, as cybercriminals are increasingly targeting people who use the company’s financial services. A report released Tuesday by cybersecurity provider Cyren looks at the latest phishing attempts to exploit Chase and offers tips for users on avoiding these types of scams.
The American subsidiary of JP Morgan Chase, Chase Bank is now ranked as the sixth most spoofed brand seen in phishing URLs, according to Cyren. Among financial companies, Chase is nestled in third place, slightly behind PayPal. But lately there’s been a surge in phishing activity targeting Chase Bank customers.
Looking at the period from the middle of May to mid-August, Cyren researchers discovered a 300% jump in phishing URLs spoofing the Chase brand. Behind all these malicious URLs are phishing kits, which cybercriminals buy, sell and use to create their campaigns. Among all the phishing kits examined over the past six months, Chase was the second most targeted brand, closely following Microsoft 365 in the top spot.
Many of the phishing kits analyzed by Cyren since May are built to steal more than just an email address and password. Such kits try to capture banking and credit card information, social security numbers, home addresses and other sensitive information. Some kits even attempt to siphon up one-time use codes used for two-factor authentication. To target Chase Bank customers by email or text message, attackers have been using a popular phishing kit known as Chase XBALTI.
In one campaign spoofing Chase’s Brazilian website, recipients are asked to enter their Chase account credentials in order to update their online banking accounts. After confirming the username and password, the person is told that their credentials are incorrect and is asked to enter them again. This tactic is meant to ensure that the user didn’t enter the wrong information.
After getting past this point, the person is told to update their personal information, including social security number, mother’s middle name, and date of birth. At the next screen, the user is prompted to submit their credit card details and then asked to add information for another credit or debit card.
Next, the person is asked to confirm their home address, after which they’re taken to the final verification page. After pressing the My Account button, the unfortunate victim is redirected to the actual Chase website.
At this point, the criminals have more than enough information to sell the account details on the Dark Web for use in additional attacks, account takeovers and identity fraud. In fact, each piece of sensitive data captured is sent to the attacker’s email address set up within the phishing kit.
Though major banks and financial companies have safeguards in place to combat phishing exploits, smaller firms may not possess the tools or technologies to do so. To help you better detect and avoid phishing attacks, Cyren offers the following tips:
- Avoid clicking on links or dialing any phone number listed in an email or text message. Instead, contact the company using information on its website or through its official mobile app. Chase customers can also report phishing emails to Chase Bank.
- If you’re unsure about the legitimacy of a particular email or text message, ask someone else to review it. Many organizations also have measures in place whereby you can report a suspicious email. Mobile carriers have steps for submitting suspected phishing messages. You can also submit potential phishing URLs through such sites as the Cyren Website URL Category Checker, VirusTotal and PhishTank.
- Slow down when viewing an email or text message. You can detect and avoid many phishing attacks by reviewing the message for spelling errors and other inconsistencies. Look at the copyright date in the footer, make sure the displayed URL is correct and trust your own instincts.