Threat Alert: Online Banking Advanced Social Engineering Attack

Watch out for this latest online banking attack!

The FBI has recently been made aware of a widespread attack on online banking accounts. This attack is a combination of:

  • Social engineering
  • Open-source intelligence (OSINT)
  • Dark web content purchase

While the main method of attack isn’t new, the resources used contains a new trick. This is an advanced social engineering attack, targeting customers that are connected to their financial institution via social media. Attackers leverage social media and open-source intelligence (OSINT) to gather reconnaissance information on a customer, then contact the customer while posing as the financial institution.

The attacker’s objective is to convince the customer that their online banking account has been compromised and the customer needs to change their online banking password to a “temporary” password. Once successful, this attack will give the attacker full access to the customer’s online banking account, which has and will lead to a significant loss of customer funds.

The attacker starts by:

  1. Using recon from a financial institution’s Facebook page. Individuals who “like” the financial institution’s posts appear to be the attackers’ primary targets, giving the attacker a probable customer target list.
  2. The attacker then performs OSINT on these customers, gathering details about the potential customer and creating their own social profile. OSINT allows anyone to be profiled for their public information that is often found on the Internet, such as their street address, phone number(s), email addresses, other social media accounts, date of birth, etc.
  3. The attacker utilizes the dark web and internet search resources for potentially compromised personally identifiable information (PII) for the customer, including Social Security Number (SSN) and any other account numbers from previous compromises.

Once the attacker has enough information on the potential customer:

  1. The attacker may make some innocuous calls to the financial institution to verify that the person is indeed a customer at the financial institution.
  2. The attacker pulls up the financial institution’s online banking webpage and calls the customer.
  3. The attacker spoofs the financial institution’s phone number to appear official (this means your caller ID shows the bank number as the source).
  4. The attacker convinces the customer that their online banking account has been compromised, asking the customer to then browse to the financial institution’s online banking portal.
  5. The attacker may use the customer’s previously obtained information to convince them that they are official.
  6. The customer is directed to the financial institution’s website and asked by the attacker to reset their password to something simple, like “password1234”. The customer might tell them that they do not want their password set to that. The attacker states they understand that, and this password reset is only temporary. Victims stated that the social engineers are very convincing.
  7. Once the password is reset, the attacker has access to the customer’s account and can drain customer funds in various ways.

So how do you protect against an attack like this?

The biggest thing to remember is that we will NEVER ask for passwords to your accounts, nor would we tell you to change it to something specific that we need to know. If you receive a call from someone claiming to work at the bank and they ask for your password, hang up the phone and call one of our main numbers and let us know.

Don’t trust Caller ID.  Phone numbers can be faked just like email addresses.

Make sure you have your correct email address listed in your Online Banking, then sign up for alerts by going to Options, then Alerts. We recommend at the least setting up email alerts for Email Address Changes and Password Changes. You’ll find these under the Events tab.

But also take advantage of our mobile text alert platform so you can be alerted to account balances and transactions based on dollar amounts. This will allow you to keep a closer eye out for fraudulent transactions.

Stay safe out there!

Benjamin D. Miller, CBSM, CBSTP, CBEH

Stillman Bank Vice President & Information Technology Officer

Resources:

SBS CyberSecurity – August 2022