Phishing for Financial Fears
Posted by: Tristan Morris
Over the last 4 days (as of the writing of this blog) the federal government has seized the assets of two major financial institutions in an effort to prevent another once-in-a-lifetime financial crisis. By the time this blog has been published, the news cycle will have drastically outpaced any summary or explanation that could be given here, and with the ever-churning news cycle comes misinformation, misunderstanding, and fear. As the government tries to shore up the public’s trust in their banking institutions and stop the greater population from panicking, there are simultaneously thousands of voices more than willing to capitalize on people’s anxieties and fears for profit.
Bad actors have always used any major world event or crisis as a way to prey on the less informed. While many in this age would pride themselves on their ability to spot a scam like a fake charity or a Nigerian prince, fear–especially fears tied to monetary impact in an already stressful economic environment–has a way of blinding the mind to potential red flags. In the wake of the 2008 housing crisis, scams and frauds revolving around fake foreclosures, threatened evictions, and promises of protection skyrocketed.
And on the opposite side of that same coin, greed can play just as important a role in extracting money from those looking to secure their future. Looking again to the mortgage collapse of 2008, there was no shortage of traveling snake-oil salesmen promising untold riches to anyone who would take their $1,500 weekend course. Get-rich-quick schemes based on house flipping, buying foreclosed homes, and promises of limitless passive income abounded, and there was no shortage of people willing to pay for what looked like the opportunity of a lifetime.
As we look at the circumstances surrounding the government’s takeover of Silicon Valley Bank (SVB) and Signature Bank, it’s clear that we’re primed for a similar surge in attempts to defraud the average citizen. We have to remember that end-users are only human, and are prone to the exact same fears and flaws as regular people were in 2008. Only this time, the scams and frauds can be instigated much more swiftly and easily through email, social media, and disinformation sites built to look genuine.
And all of this can be used as a readily-available means of gaining a foothold in your corporate network.
Dale Madden, Attack Simulation Operations Manager at GuidePoint Security, points out that your relationship with SVB doesn’t matter to attackers. “Banking information is one of the most sought-after prizes by attackers, and they will utilize these situations to extract your information whether you were a client of SVB or not.”
“When crafting simulations for clients, we would look to utilize as many methods as possible to make sure users are prepared for all types of attacks. From easy-to-identify attacks where it’s obvious the writer is not an English-speaker, to sophisticated strategies where SVB or other bank logos are copied and Cyrillic characters are used to make sending domains and malicious links look legitimate, nothing would be off-the-table for most offensive security experts, because those methods are certainly on-the-table for malicious actors.”
Dale continues, “With the news cycles, along with social media usage, it won’t take long for attackers to figure out who is, was, or wasn’t using SVB. A simple scrape of LinkedIn or Twitter by an attacker will find those most concerned, with some companies and individuals even talking about their status in regard to SVB usage or employment. All of this is fair game for attackers and offensive security experts alike.”
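A defensive check for the Cyrillic lookalike domains mentioned above, as an added example that is not part of the original post or GuidePoint's tooling: it decodes punycode labels, flags labels that mix scripts, and flags labels that collapse to a watched name once lookalikes are mapped to Latin. The watched name `examplebank`, the sample domains and the short confusables table are constructed for illustration.

```python
import unicodedata

# Cyrillic letters that render like Latin ones (small, non-exhaustive sample).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}
WATCHED = {"examplebank"}  # hypothetical brand label to protect

def to_unicode(label):
    """Decode an IDNA A-label (xn--...) to the characters a user would see."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # malformed punycode: keep the raw label
            return label
    return label

def scripts(label):
    """Scripts of the letters in a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Map known lookalikes to Latin so spoofed and real names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())

def check_domain(domain):
    """Return a list of (label, reason) findings for one domain name."""
    findings = []
    for raw in domain.rstrip(".").split("."):
        label = to_unicode(raw).lower()
        found = scripts(label)
        if len(found) > 1:
            findings.append((raw, "mixed scripts: " + "+".join(sorted(found))))
        if label not in WATCHED and skeleton(label) in WATCHED:
            findings.append((raw, "lookalike of watched name"))
    return findings

if __name__ == "__main__":
    spoof = "ex\u0430mplebank"  # constructed sample: Cyrillic U+0430 replaces "a"
    alabel = "xn--" + spoof.encode("punycode").decode("ascii")
    for d in ("examplebank.example", spoof + ".example", alabel + ".example"):
        print(d, check_domain(d))
```

Run against sender domains and link hosts extracted from inbound mail; a production deployment would use the full Unicode confusables data rather than this sample table.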
Steve Rosenkranz, Director of Corporate Information Security at GuidePoint Security, built on Dale’s comments to remind organizations of the importance of keeping their users informed and encouraging extra precautions during events like this.
“Malcontents use crisis as opportunity, and–given the vagaries of the situation as they pertain to the broader financial industry–customers should exercise caution when receiving unsolicited electronic correspondence requesting they take urgent action relative to their bank accounts. In these cases, it is advisable to contact their financial institution using an out-of-band method (e.g., phone call) using previously verified and trusted information to verify the legitimacy of the message and any requests.”
“It would also be wise to make sure that whichever system they are using is up-to-date in regard to vendor-published security updates, and to make sure whatever antivirus they are using is current as well.”
The next few weeks are sure to be filled with rampant speculation and rapid, constant change. In times like this, maintaining a level head is paramount. Stepping back to assess the situation and building an achievable plan to tackle potential obstacles and get ahead of issues are key.
Tristan Morris
Cybersecurity Solutions Marketer,
GuidePoint Security
Tristan Morris started his cybersecurity career in 2010 as a cryptologic linguist in the US Marine Corps, where he learned the fundamentals of security and threat hunting. At the end of his enlistment in 2015 he began using his skills, knowledge, and perspective to build training and education labs and CTF events by re-creating advanced attack lifecycles to construct realistic datasets for lab attendees to hone their skills. He has spoken at large security conferences and events from Black Hat to Singapore International Cyber Week.