Understanding Bank Phishing on Social Media


Protecting Your Financial Information in the Digital Age

The most recent phishing report from the APWG (Anti-Phishing Working Group) revealed that in Q3 2022, financial institutions were the most targeted sector for phishing attacks, accounting for 23.2 percent of all such attempts [1].

 

Figure 1: Most targeted industries for phishing attacks in Q3 2022 (source)

What is bank phishing?

Phishing, in general, is the act of using misleading emails or social media Direct Messages (DMs) and posts to deceive users into revealing personal, financial, or security information. Bank phishing, specifically, involves scammers creating fake profiles of banks and their employees to communicate with customers and steal their money, bank account credentials, and personal information. They exploit unsuspecting victims by convincing them that they are interacting with a trusted, genuine source, often by using fake email addresses, names, and logos. Scammers may conduct these attacks directly through email or DMs, or they may redirect victims to fraudulent websites that are designed to look identical to legitimate ones. Cybercriminals take advantage of people’s busy schedules and lack of attention to detail because, at first glance, these counterfeit emails, posts, and DMs may appear to be authentic, that is, to come from the bank being impersonated.

Below are examples of phishing for top financial institutions.

Chase

 

Figure 2: Bank phishing email targeting a customer of Chase bank (source)

Figure 2 is one example of a fraudulent email that is designed to look like a legitimate message from Chase bank. It redirects the user to a phishing website when they click either the Yes or the No link.

Figure 3: A fake Instagram page of Chase bank. The search box result shows more fake profiles.
Figure 4: Another fake Instagram page of Chase bank that claims to be the official page. The phone number is a fake customer service number, with the scammer on the other end.

The two screenshots (Figures 3 and 4) exhibit fake Instagram pages designed to mimic the official page of Chase Bank. The profile pictures and handles of the pages look very similar to the real Chase logo and handle name on Instagram. The posts on the fake pages have been copied from the real page and, therefore, can deceive consumers into believing that they are engaging with the actual bank.

Bank of America

Figure 5: Fake Bank of America phone message. The link leads to a phishing webpage. (source)

Figure 5 illustrates a fake phone message sent to a client of Bank of America, claiming that their Bank of America debit card has been restricted and they should click on a link to resolve the issue. The link is malicious and designed to steal the client’s personal information. Messages like these create a sense of urgency, especially if the client has made an unexpected withdrawal or needs to make a large withdrawal soon. It is often a customer’s personal situation at the time of receiving such scam messages that determines whether the customer falls for the scam or not. Scammers are usually not aware of such situations at an individual level. Therefore, they cast a wide net and hope that a small fraction, e.g., 1%, of the people receiving these messages will fall for it. Social media makes it inexpensive and effective to cast such wide nets.

Figure 6: Fake Instagram page of Bank of America

Similarly, Figure 6 depicts a fake Bank of America Instagram page. The profile picture (Bank’s logo) and description are almost identical to those on the official Instagram page of the bank. The posts are, again, copied from the official page of Bank of America and hence look legitimate and high quality.

Figure 7: Fake Instagram page of Bank of America’s customer support

Here is another screenshot (Figure 7) of a fake Bank of America customer support page that has already amassed 320 followers, some of whom could be real, unsuspecting customers of the bank. The page’s content is intentionally designed to deceive customers into thinking that they are interacting with the genuine Bank of America support team.

Wells Fargo

Figure 8: Fake Twitter page of Wells Fargo

Figure 8 shows a fake Twitter page of Wells Fargo bank with a profile image and description that looks identical to the real Wells Fargo page on Twitter. The scammer deceives the followers of the account, as well as other users that the scammer DMs, into thinking they are interacting with the official company. Unfortunately, many people fall for this type of scam and incur financial losses.

Citi Bank

Figure 9: Fake Instagram page of Citi Bank

This fake Facebook page of Citibank (Figure 9) has accumulated 14.3k followers, a staggering number of potential victims for this scammy page. With over 300 posts, the scammers may have succeeded in convincing users that the page is legitimate, even though the scammers are only imitating the official Citibank page.

PayPal

Figure 10: Fake Instagram page of PayPal

Figure 10 shows one of many fake pages on Instagram attempting to imitate the PayPal company. With identical posts and descriptions, they have garnered over 11.8k followers, and constant engagement makes it easy for these scammers to prey on unsuspecting followers.

Red Flags to Watch Out For

There are several red flags to look out for when it comes to bank phishing pages or DMs on social media. Here are some signs to watch out for [2]:

  1. Pressure to act immediately: Phishing scams are designed to play on your emotions and make you act quickly, by claiming that your account is at risk or that there is a problem that needs your attention. Alternatively, they may promise extra benefits that are available only if you contact them within a day.
  2. Misspelled URLs: Phishing links are often misspelled. They contain variations of the bank’s name and don’t match the bank’s official website.
  3. Requests for personal information: Phishing scams often ask for personal information such as your bank account number, social security number, or other sensitive data.
  4. Exaggerated offers: Scammers will send you exceptional offers to grab your attention.
  5. Unusual payment methods: Phishing scams may also ask for upfront payment in cryptocurrency or gift cards to resolve an issue with your account, such as fraud.
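
The "misspelled URLs" red flag can be checked mechanically. The following is an added example, not part of the original article or of Eydle's platform: it compares the host a link really points to against an allowlist of official domains and flags near-miss spellings. The allowlist, the function names, and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the defender maintains this allowlist of official domains.
OFFICIAL = {"chase.com", "bankofamerica.com", "wellsfargo.com", "citi.com", "paypal.com"}
# Digits commonly swapped in for look-alike letters (0->o, 1->l, 3->e, 5->s).
DIGIT_SWAPS = str.maketrans("0135", "oles")


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url):
    """Return 'official', 'lookalike' or 'unknown' for the link's real host."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in scheme-less links
    # .hostname drops any "user@" prefix, so "chase.com@login.example"
    # resolves to the host actually contacted: login.example.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    tokens = host.translate(DIGIT_SWAPS).replace("-", ".").split(".")
    for brand in (d.split(".")[0] for d in OFFICIAL):
        for tok in tokens:
            if tok == brand:
                return "lookalike"
            # Fuzzy matching only for longer names, to limit false positives.
            if len(brand) >= 5 and (brand in tok or edit_distance(tok, brand) <= 1):
                return "lookalike"
    return "unknown"


# Constructed sample links (the .example hosts are not real sites).
SAMPLES = [
    "https://www.chase.com/personal",
    "https://secure.bankofamerica.com.account-verify.example/login",
    "http://paypa1.example/signin",
    "https://chase.com@login.example/",
]
if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link):9}  {link}")
```

A result of "unknown" only means the host is not on the allowlist and does not resemble a listed name; it is not a statement that the link is safe.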

 

Tips to Avoid Bank Phishing

Bank phishing scams on social media can be difficult to detect, but there are some steps you can take to reduce your risk of falling victim to these scams [3]:

  1. Avoid clicking on suspicious-looking links sent by unverified accounts on social media. If the actual link is hidden behind hyperlinked text, you can hover your cursor over the text and see the link at the bottom of your browser.
  2. Avoid sharing your personal and sensitive information, such as your bank account number, personal information, and password with anyone on social media.
  3. Consider enabling two-factor authentication for your bank account to add an extra layer of security. If you use a password manager to store your bank login passwords (not a good idea in general) and it has been the target of a data breach, make sure to change your master password and the bank passwords.
  4. Make sure that your computer, smartphone, and other devices are updated with the latest security patches and software to reduce the risk of being hacked.
  5. If you receive an unsolicited message claiming to be from your bank, do not respond to it immediately. Instead, contact your bank directly to verify the message’s authenticity.

 

What to Do If You Suspect Fraud

If you suspect that you have fallen victim to a bank phishing scam, the following steps can help you mitigate the damage:

  1. Contact your bank immediately and change your login credentials.
  2. Report the scam to the US Federal Trade Commission (FTC).
  3. Report the scam to the social media platform in question.

 

Protect your business with Eydle’s platform

Financial technology firms, such as neobanks, increasingly rely on social media — Instagram, Twitter, Facebook, YouTube, TikTok, and LinkedIn — to communicate with their current and future customers as well as employees. It is essential for firms to constantly monitor phishing attacks and take them down. The monitoring part can be challenging because the scams evolve with time as the firm releases new products. Also, modern-day scams are sophisticated, visually rich, and span across multiple social media platforms. It is more critical than ever to take proactive measures to maximize the detection of phishing pages and minimize the time to detect a phishing page.

Eydle’s platform, built on AI-based phishing detection research, helps businesses tackle this problem by detecting sophisticated phishing attacks on social media that escape detection under traditional detection algorithms.

Contact us at [email protected] or visit www.eydle.com to learn more.

Resources

[1] https://docs.apwg.org/reports/apwg_trends_report_q3_2022.pdf

[2] https://www.bankofamerica.com/security-center/avoid-bank-scams/

[3] https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

 


Understanding Bank Phishing on Social Media was originally published in Eydle on Medium, where people are continuing the conversation by highlighting and responding to this story.
