Silicon Valley Bank customers deluged with scams

A Silicon Valley Bank Branch As Crisis Exposes Lurking Systemic Risk of Tech Money Machine
People enter Silicon Valley Bank's headquarters in Santa Clara, California, US, on Monday, March 13, 2023. The collapse of Silicon Valley Bank has prompted cybercriminals to target customers, bank employees and others with phishing and other impersonation campaigns.

Cybercriminals are capitalizing on the failures of Silicon Valley Bank and Signature Bank. Many have set up fake bank websites and phishing campaigns with a plausible story to exploit the urgency of frantic customers and businesses — particularly those with large, partially uninsured deposits — who were unclear on how to communicate with their bank.

The Internet Storm Center, a group that monitors malicious internet activity, issued a warning on Monday that domain registrations containing "SVB" were up significantly. Over 70 new domain registrations matching that description popped up over the weekend, compared to fewer than 30 over the previous two weeks. These newly registered domains included login-svb.com, svbbailout.com and svbcollapse.com.

Not all of those newly created websites are outright scams, the center said, but for every one that isn't, there is likely another scam site that does not contain "SVB" but impersonates Signature Bank or another entity that has been in headlines this week. Fake mobile apps are yet another threat.

For cybersecurity experts, this flood of potential scams is hardly a surprise. Any big news creates an opportunity for fraudsters to spin a new narrative in a phishing campaign, and fraudsters have a playbook they can follow to take advantage.

"There is a blueprint when something like this happens, and it often kicks off with registration of new domains," said Ashley Allocca, senior intelligence analyst for threat intelligence company Flashpoint.

What made this episode different is the amount of money at stake. At Silicon Valley Bank, deposits that were under the insurance limit of $250,000 accounted for just 2.7% of the company's total deposits, according to a research note from RBC Capital Markets analyst Gerard Cassidy.

Not only is there a lot of money to make off scams centered on these bank failures, but it doesn't take a lot of technical acumen to launch such a campaign, according to Allocca. This means a flood of scams is likely to hit these customers, and that flood is likely to last as long as the headlines on bank failures and rescues last.

The tail on these attacks is likely to be long, but the greatest threats are in the short-term, according to Ilia Kolochenko, CEO of application security company ImmuniWeb.

"We'll certainly see some echo during the next 12 to 36 months, but probably the most dangerous activities will happen during the next two, three weeks," Kolochenko said.

Although customers are the largest group who should be concerned about phishing campaigns launched in the wake of these bank failures, people with privileged access to account and customer information — bank employees, vendors, regulators, and others — also need to keep their guards up for potential business email compromises and related attacks.

One way institutional actors can mitigate their risk is by reducing the urgency employees face, according to Chris Pierson, CEO of cybersecurity company BlackCloak. Urgency is a key factor in any successful impersonation campaign, so giving potential victims a way to escape that urgency could help them see clearly and better spot fraudulent messages.

Pierson invoked the example of the Andon cable, a pull-cord or button workers can use when they see a problem that automatically halts production so that a solution can be found. Toyota uses these cables in factories to allow employees to alert managers of a potential problem on the assembly line. Companies should use this example, Pierson said, to "empower" employees to flag potential problems to their superiors without fear of retaliation.

With such protections, Pierson said, employees are better prepared to detect and report that something is wrong if, say, a fraudster impersonating a superior tries to pressure the employee to do something uncharacteristic like disclose sensitive information in an email.

Regardless of the specific events, though, threat actors will always look to update their phishing campaigns to keep up with the latest news and keep their campaigns relevant and believable, according to Flashpoint's Allocca.

"These actors are always going to try to reinvigorate their campaigns with whatever is coming next," Allocca said. "A lot of that infrastructure for that attack is already there. It'll be interesting to see how long it goes and the different variances in these types of campaigns."

For reprint and licensing requests for this article, click here.
Banking Crisis 2023 Cyber security Phishing
MORE FROM AMERICAN BANKER