Cybercriminal tactics are becoming increasingly sophisticated, even fooling bank employees. Helping employees identify and avoid phishing attacks should be a priority for any business.
A recent CNBC article reported that a fake Chase fraud department 800-number was convincing enough to trick small business owner Cody Mullenaux into authorizing a $120,000 withdrawal from his Chase checking account to “secure” his account.
While Cody spoke with this fake fraud department rep, a second scammer was impersonating Mullenaux on another phone call with Chase to authorize the wire transfers. All the answers to the security questions Mullenaux was asked were then being fed to the second scammer. This allowed the fraudsters to provide the correct answers and convince the Chase employee they were speaking to the account holder.
Unfortunately, the hoax worked. Convinced that it was Mullenaux who had called, the Chase employee authorized the three wire transfers, and more than $120,000 was withdrawn from Mullenaux’s account. None of it has been recouped.
In a statement to CNBC, a Chase spokesman said, “Banks will never ask consumers or businesses to send money to themselves or anyone else to prevent fraud, but scammers will. To confirm you are really speaking to Chase, call the number on the back of your card or visit a branch.”
The scammers in Mullenaux’s case successfully exploited two loopholes in current consumer protection legislation that resulted in Chase not being required to replace Mullenaux’s stolen funds. Legally, banks do not have to reimburse stolen funds when a customer is tricked into sending money to a cybercriminal.
With ready-made phishing kit sales on the rise, consumers need to be more cautious than ever of cyberscams. In 2022, IronNet uncovered a “phishing-as-a-service” platform that sells cybercriminals ready-made phishing kits built specifically to target U.S.-based companies, including financial institutions. Prices for the customizable kits start at as little as $50 per month, and the kits include code, graphics and configuration files designed to resemble bank login pages.
Joey Fitzpatrick, a threat analysis manager at IronNet, expects this trend to continue to gain traction, as the kits not only lower the bar for low- to medium-tier cybercriminals to create phishing campaigns but also enable higher-tier criminals to focus on a single area and develop more sophisticated tactics and malware.
“We’ve seen a 10% increase in deployment of phishing kits in January 2023 alone,” Fitzpatrick said. In 2022, the company saw a 45% increase in phishing alerts and detections.
Here are a few tips for helping employees identify and avoid phishing attacks:
- An unexpected phone call from the bank warrants caution, especially if the person starts asking for information. Hang up and call the bank back.
- Turn on multi-factor authentication (MFA). Implementing MFA makes it more difficult for a threat actor to gain access to information systems, such as remote access technology, email, and billing systems, even if passwords are compromised through phishing attacks or other means, according to the Cybersecurity & Infrastructure Security Agency (CISA).
- Think before you click. If you receive a link in a text or email that looks suspicious, you’re probably justified in being cautious.
- Use strong passwords and don’t recycle the same password across all your apps and websites. You can use a password manager to store all of your passwords.
The value of an individual’s private data continues to grow as criminals become more sophisticated in harvesting personally identifiable information. At Enfortra, we strive to be the world’s leading provider of white label Identity Protection Solutions. Our platform provides a complete suite of pre-built white label solutions including Identity Protection, Credit Monitoring & Reports, and Restoration & Recovery Services, all delivered through a best-in-class, easy-to-configure offering and a best-in-class mobile app.