The NJCCIC’s email security solution identified a credential phishing scheme impersonating Capital One. Although Capital One appears in the sender’s display name and in the username portion of the address, it is not part of the sender’s domain name, which is a red flag. The messages use the subject line “Do you recognize this transaction?”, display a fraudulent or unauthorized charge, and contain links that, if clicked, direct targets to a website spoofing the Capital One portal to harvest account credentials.
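The red flag described above (a brand name in the display name or username while the sending domain belongs to someone else) is mechanical enough to check at the mail gateway or in a triage script. The following is an added example, not part of the NJCCIC advisory: it parses the From header, normalizes the display name and local part, and flags messages that mention a brand without sending from one of that brand’s domains. The brand-to-domain allowlist, the sample messages and the `.example` sender domains are constructed for this demonstration and are not a verified list.

```python
"""Added example: flag sender headers whose display name or local part
claims a brand that the sending domain does not belong to."""
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed allowlist (assumption for this demo): brand token -> domains it
# legitimately sends from. A real deployment would load a maintained list.
BRAND_DOMAINS = {
    "capitalone": {"capitalone.com"},
}

# Subject lures seen in the campaign described in the advisory.
SUSPICIOUS_SUBJECTS = ("do you recognize this transaction",)


def _decode(value: str) -> str:
    """Decode RFC 2047 encoded words so a disguised display name is inspected as plain text."""
    try:
        return str(make_header(decode_header(value)))
    except Exception:
        return value


def parse_from(header_value: str):
    """Return (display_name, local_part, domain) for a From header value."""
    name, addr = parseaddr(_decode(header_value))
    local, _, domain = addr.rpartition("@")
    return name, local, domain.lower()


def domain_matches(domain: str, allowed: set) -> bool:
    """True only if domain equals an allowed domain or is a true subdomain of it.
    A lookalike such as capitalone.com.verify-account.example does not match."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def brand_domain_mismatch(header_value: str):
    """Return the brand token the sender claims when the sending domain is not
    one of that brand's domains, otherwise None."""
    name, local, domain = parse_from(header_value)
    # Collapse spaces, punctuation and case so "Capital One", "capital_one"
    # and "CapitalOne" all normalize to the same token.
    haystack = re.sub(r"[^a-z0-9]", "", f"{name} {local}".lower())
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in haystack and not domain_matches(domain, allowed):
            return brand
    return None


def triage(message: dict) -> list:
    """Return human-readable reasons a message resembles the campaign (empty list if none)."""
    reasons = []
    brand = brand_domain_mismatch(message["from"])
    if brand:
        domain = parse_from(message["from"])[2]
        reasons.append(f"sender claims '{brand}' but sends from {domain}")
    subject = message.get("subject", "").strip().lower().rstrip("?")
    if subject in SUSPICIOUS_SUBJECTS:
        reasons.append("subject matches known lure")
    return reasons


# Constructed sample messages for a stand-alone run.
SAMPLE_MESSAGES = [
    {"id": 1, "from": "Capital One Alerts <capitalone.alerts@mail-notify.example>",
     "subject": "Do you recognize this transaction?"},
    {"id": 2, "from": "Capital One <no-reply@notification.capitalone.com>",
     "subject": "Your statement is ready"},
    {"id": 3, "from": "Account Services <capital_one@secure-mail.example>",
     "subject": "Action required"},
    {"id": 4, "from": "Capital One <alerts@capitalone.com.verify-account.example>",
     "subject": "Do you recognize this transaction?"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        reasons = triage(msg)
        verdict = "FLAG" if reasons else "ok  "
        print(f"{verdict} message {msg['id']}: {'; '.join(reasons) or 'no findings'}")
```

The subdomain test deliberately requires a leading dot so that `capitalone.com.verify-account.example` and `notcapitalone.com` are treated as foreign domains; a plain substring check would let both through.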
Additionally, the spoofed site prompts the target to enter their SMS code as part of an SMS phone verification step to add a sense of legitimacy. A notice on the page states that the code might be slightly delayed due to the target’s mobile network. If entered, the account credentials and SMS code are sent to the threat actors in the background to commit further malicious activity.
Separately, the New York State Police recently issued a public warning about increased scams targeting bank account holders. Threat actors convince their targets that they have unauthorized charges or that money was accidentally deposited into their bank account. Financial institutions will never request personal or confidential information, such as account credentials, via notifications, nor ask customers to click a link to verify their identity or to grant access to their computer.
Recommendations
- Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
- Exercise caution with communications from known senders.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Type official website URLs into browsers manually and only submit account credentials on official websites.
- Use strong, unique passwords for all accounts and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- If an account has been compromised, log out of all devices, revoke any access tokens, and reset passwords.
- Report suspicious or fraudulent communications to the financial institution.
- Report phishing emails and other malicious cyber activity to the FTC, FBI's IC3, and the NJCCIC.
