Bank Credential Phishing Schemes
Scams
December 26, 2024
Authentic notifications from financial institutions via email and text messaging can help inform users of account activity, such as balances and transactions. However, if a user has consented to receive such notifications, it may be challenging to determine if a notification is legitimate, as threat actors continue to develop persuasive messages purportedly from trustworthy sources that claim to involve credit card or bank account activity. Threat actors create a sense of urgency and panic and may imply that account security is at risk. They encourage their target to take immediate action, such as divulging information or clicking on a link to a website that looks identical to the legitimate login page.
The NJCCIC’s email security solution identified a credential phishing scheme impersonating Capital One. Although Capital One is referenced in the sender’s display name and username, it is not part of the sender’s domain name, which is a red flag. The messages include a subject line, “Do you recognize this transaction?”, display a fraudulent or unauthorized charge, and contain links that, if clicked, direct targets to a website spoofing the Capital One portal to harvest account credentials.
Additionally, the spoofed website prompts the target to enter their SMS code as part of an SMS phone verification step, which adds a sense of legitimacy. It also displays a notation that the code might be slightly delayed due to the target’s mobile network. If entered, the account credentials and SMS code are sent to the threat actors in the background to commit further malicious activity.
Furthermore, the New York State Police recently issued a public warning about increased scams targeting bank account holders. Threat actors convince their targets that they have unauthorized charges or that money was accidentally deposited into their bank account. Financial institutions will never request personal or confidential information, such as account credentials, via notifications, nor will they ask customers to click on a link to verify their identity or to gain access to their computer.
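The sender red flag described above (a brand named in the display name and username but absent from the sender's domain) can be checked mechanically. The following is an added example, not NJCCIC tooling; the brand-to-domain allowlist, the function names, and the sample From headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumption: brand -> domains the brand legitimately sends from.
# Maintain this list from verified, official sources.
BRAND_DOMAINS = {"capitalone": {"capitalone.com"}}

def _squash(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def brand_mismatch(from_header):
    """Return brands named in the display name or username whose
    allowlisted domains do not cover the sender's actual domain."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    claimed = _squash(display) + " " + _squash(local)
    return sorted(
        brand for brand, allowed in BRAND_DOMAINS.items()
        if brand in claimed and not _domain_matches(domain, allowed)
    )

# Constructed sample headers (not taken from real messages).
SAMPLES = [
    '"Capital One" <capitalone.alerts@mail.example.net>',   # brand, wrong domain
    '"Capital One" <alerts@capitalone.com.example.net>',    # lookalike suffix
    '"Capital One" <alerts@notification.capitalone.com>',   # allowlisted subdomain
    '"Jane Doe" <jane@example.org>',                        # no brand claimed
]

if __name__ == "__main__":
    for header in SAMPLES:
        hits = brand_mismatch(header)
        verdict = "SUSPICIOUS " + ",".join(hits) if hits else "ok"
        print(f"{verdict:24} {header}")
```

This inspects only the From header; it does not decode RFC 2047 encoded display names or catch look-alike characters, so treat a clean result as one signal rather than proof of legitimacy.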
Recommendations
- Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
- Exercise caution with communications from known senders.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Type official website URLs into browsers manually and only submit account credentials on official websites.
- Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- If the account has been compromised, log out of all devices, revoke any access tokens, and reset passwords.
- Report suspicious or fraudulent communications to the financial institution.
- Report phishing emails and other malicious cyber activity to the FTC, FBI’s IC3, and the NJCCIC.