Authentic bank notifications can help inform users of bank account activity, including balances and transactions. However, threat actors continue to develop convincing messages purportedly from trustworthy sources that claim to involve bank account activity. These messages may imply that the account security is at risk, and threat actors create urgency and panic to persuade potential victims to take immediate action, such as divulging information or clicking on a link that spoofs a bank’s legitimate website.

In the past month, the NJCCIC’s email security solution identified credential phishing schemes impersonating multiple banks, including Truist Bank, Bank of America, and Citizens Bank. The bank’s name is referenced in the sender’s display name but not in the sender’s domain name. Subject lines typically contain “You Have An Important Notice From (Bank Name).” These emails include links directing potential victims to fraudulent bank portals that steal account credentials, multi-factor authentication (MFA) codes, and payment information.

In these specific phishing schemes, the initial landing page was marksconectscxzx[.]es and then verifyandsecure[.]click, which were flagged as malicious. Threat actors utilize various phishing landing pages and change them frequently to evade detection and continue their malicious activities. The phishing landing pages impersonate the legitimate Plaid website to validate the user’s information.

The NJCCIC also received reports of threat actors impersonating a bank’s CEO or fraud department via urgent text messages or phone calls, claiming that fraudulent activity had been detected on the account. The generic communications come from unknown numbers. The threat actors request verification of account credentials, MFA codes, and transaction approval for ACH wire transfers.

Recommendations

• Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
• Exercise caution with communications from known senders.
• Confirm requests from senders via contact information obtained from verified and official sources.
• Type official website URLs into browsers manually and only submit account credentials and sensitive information on official websites.
• Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
• If the account has been compromised, log out of all devices, revoke any access tokens, and reset passwords.
• Report suspicious or fraudulent communications to your bank.
• Report phishing emails and other malicious cyber activity to the FTC, FBI’s IC3, and the  NJCCIC.