{"id":24419,"date":"2022-05-13T09:07:08","date_gmt":"2022-05-13T13:07:08","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/wells-fargo-phishing-identity-theft\/24419\/"},"modified":"2022-05-13T16:49:14","modified_gmt":"2022-05-13T15:49:14","slug":"wells-fargo-phishing-identity-theft","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/wells-fargo-phishing-identity-theft\/24419\/","title":{"rendered":"Bank phishing and identity theft"},"content":{"rendered":"

Scammers often pose as well-known companies: video streaming services<\/a>, job hunting websites, internet stores<\/a> and so on. This time, phishers are targeting customers of Wells Fargo, one of the four largest US banks, providing services in more than 40 countries. Counting on the bank\u2019s trustworthiness, the cybercriminals don\u2019t limit themselves to stealing bank card details, but go after e-mail accounts and selfies of users holding their ID documents, too.<\/p>\n

Phishing attack on Wells Fargo customers<\/h2>\n

As ever, an attack starts with a phishing e-mail designed to alarm the recipient. It informs the user that their Wells Fargo bank account has been blocked, allegedly due to an unverified e-mail address or a mistake in their home address. To regain access, the message asks the recipient to follow the link and verify their identity within 24 hours of receiving the notification. Otherwise, it will no longer be possible to transfer or withdraw money, the letter warns.<\/p>\n

The e-mail looks quite convincing: a neat logo element, business-style text, and almost no errors. Even the sender\u2019s name and address are very similar to those of the bank\u2019s customer service. However, the address does have a very unusual domain in the non-existent zone wellsfargo-com (instead of the usual .com). But it takes a sharp eye to spot it.<\/p>\n

\"Phishing<\/a>

Phishing e-mail seemingly from Wells Fargo<\/p><\/div>\n

The link in the e-mail points to a third-party site, and from there, via a redirect, to a fake Wells Fargo account login page. Here the phishers made less of an effort: the design does not match that of the official page, and the URL has nothing to do with the bank at all, but for some reason references either the Bruce Springsteen song The Ties That Bind<\/a> or the TV series of the same name<\/a>!<\/p>\n

On the very first page, the victim is prompted to enter their Wells Fargo account username and password. But that\u2019s only the beginning \u2014 two more \u201cverification\u201d stages lie ahead.<\/p>\n

\"Phishing<\/a>

Phishing site imitating Wells Fargo<\/p><\/div>\n

Having signed in, the victim lands on the next page \u2014 where there are a lot more fields to fill out. Here the scammers brazenly ask for an e-mail address with password (!), a phone number with postal address, the user\u2019s date of birth and social security number (SSN); and, of course, payment details: aside from a bank card number and expiration date, they also ask to fill in the CVV code on the back, plus PIN.<\/p>\n

\"Form<\/a>

Form for entering personal data on the phishing site<\/p><\/div>\n

Next comes the most interesting bit: the user is prompted to upload a selfie in which they\u2019re holding up an ID document. This page displays no fewer than three Wells Fargo logos, probably to add credibility. However, some typos somewhat spoil the impression.<\/p>\n

[wells-fargo-phishing-screen-4.png]
\n[Alt\/title\/caption: <\/p>

\"The<\/a>

The victim is asked to upload a photo with an ID document<\/p><\/div>\n

Having extracted all vital data from the victim, the scammers report that the account has been successfully restored and redirect said victim to the real Wells Fargo website. This maneuver is designed to make them believe they have been on the legitimate resource all the time.<\/p>\n

\"Account<\/a>

Account \u201crecovery\u201d and redirection to the official Wells Fargo site<\/p><\/div>\n

What the stolen data can be used for<\/h2>\n

Typically, this kind of phishing is used to build up a massive database for subsequent sale on the dark web<\/a>. The merchandise is valuable: armed with such a treasure trove of personal data, criminals can siphon off money from the victim\u2019s card. But it doesn\u2019t stop there: with a dataset like this they can also enrich themselves in other ways at the victim\u2019s expense \u2014 for example, by opening a bank or crypto exchange account to launder stolen funds, obtain a credit card, and so on. With an ID-card selfie and SSN<\/a>, attackers have every chance of passing the KYC (Know Your Customer) security check required for such transactions.<\/p>\n

As such, after entering the data, probably nothing will happen at first; only later will trouble arise. This may pose an additional danger: by the time the cybercriminals start using the stolen data, the user may no longer remember having entered their personal data somewhere, making it much harder for them to give bank representatives or police officers a proper explanation.<\/p>\n

How to avoid falling victim to bank phishing<\/h2>\n

Here are some tips on how to avoid becoming a victim of phishing schemes that involve bank accounts.<\/p>\n