The SVB collapse is a scammer’s dream: Don’t get caught

How cybercriminals can exploit the downfall of Silicon Valley Bank for their own purposes – and at your expense

Major news events and major crises usually trigger an avalanche of follow-up phishing attempts. The COVID-19 pandemic and Russia’s invasion of Ukraine are perhaps the most obvious examples, but the most recent is the collapse of Silicon Valley Bank (SVB). The mid-sized US lender and major financier of technology startups had assets worth tens of billions of dollars when it went bankrupt last week after succumbing to a bank run.

Although the US government stepped in days later to guarantee customers will be able to access their money, the damage has been done – and even if you or your business isn’t affected by the bank crash, you can still be at risk from cybercriminals who exploit these events for malicious gain.

Ambulance-chasing phishing attempts and business email compromise (BEC) are already hitting inboxes around the world. Once you’ve weathered the storm, there are many lessons that can be used to build more resilient security awareness programs in the future.

SVB scams so far

There’s nothing new in scammers piggybacking on news events to increase their success rate. But the SVB case has a few ingredients that make it a more compelling lure than usual. These include:

  • The fact that there was a lot of money at stake: SVB had around US$200 billion in assets at the time of bankruptcy.
  • Extreme anxiety among corporate customers worried about how to pay bills if they can’t access their assets, and among individuals worried about whether they will get paid.
  • Confusion about how exactly customers can contact the failed lender.
  • The fact that the collapse came after the fall of Signature Bank, fueling more anxiety about the safety of funds and the health of the financial system.
  • SVB’s global reach – including the UK branch and affiliated businesses and offices across Europe. This widens the pool of potential dupes.
  • The BEC angle: since many of SVB’s corporate customers will notify their partners of bank account changes, this offers the perfect opportunity for fraudsters to jump in first with their own details.

When something like this happens, it’s not unusual to see lots of domains registered by companies looking to offer legitimate loans or legal services to customers of the ailing bank. It is difficult to distinguish the real ones from those registered for malicious purposes.

There is a long list of recently registered lookalike domains that may be used to try to scam people in the future.

SVB phishing attempts
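Because legitimate and malicious registrations look alike, a defender's first pass over a newly-registered-domain feed can only sort names into "needs review" and "no resemblance". The sketch below is an added example, not code from the original article; the brand tokens come from the lures described on this page, while the allowlist, the homoglyph table and the sample feed are assumptions constructed for illustration.

```python
import re

# Brand tokens taken from the lures described in the article.
BRANDS = ("svb", "siliconvalleybank", "circle", "usdc")
# Digit-for-letter swaps commonly used in lookalike names (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})
# Assumption: domains your organisation has verified out-of-band.
KNOWN_GOOD = {"svb.com", "circle.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(domain: str) -> tuple[str, str]:
    """Return (verdict, reason) for one newly registered domain."""
    domain = domain.lower().rstrip(".")
    if domain in KNOWN_GOOD:
        return "ok", "verified domain"
    name = domain.rsplit(".", 1)[0]  # drop the TLD
    labels = [p.translate(HOMOGLYPHS) for p in re.split(r"[.-]", name) if p]
    for label in labels:
        for brand in BRANDS:
            if label.startswith(brand) or label.endswith(brand):
                return "review", f"brand token '{brand}' in unverified domain"
            # Near-miss check only for longer brands: 3-4 letter tokens
            # are within one edit of too many ordinary words.
            limit = 1 if len(brand) < 10 else 2
            if len(brand) >= 5 and edit_distance(label, brand) <= limit:
                return "review", f"near-miss spelling of '{brand}'"
    return "ok", "no brand resemblance"

# Constructed sample feed (reserved .example TLD), not real registrations.
SAMPLE_FEED = [
    "svb-claims.example", "c1rcle-usdc.example", "siliconvaleybank.example",
    "usdcredeem.example", "valley-bakery.example", "svb.com",
]

def flagged(feed):
    """Domains from the feed that a human should look at."""
    return [d for d in feed if triage(d)[0] == "review"]
```

A "review" verdict means only that the name resembles a brand; deciding whether the registrant is a genuine service provider still takes a human check.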

As usual, phishing attempts focus on classic social engineering techniques such as:

  • Using the latest news to entice recipients
  • Spoofing SVB or other brands to gain the recipient’s trust
  • Creating a sense of urgency to compel recipients to act without thinking – not difficult given the circumstances surrounding the collapse
  • Including malicious links/attachments to harvest information or steal funds

Some phishing attempts have focused on stealing SVB customer details – perhaps to sell on the dark web or to create phishing target lists to be hit with future scams. Others have implemented more sophisticated methods to steal money from victims.

One attempt uses a bogus SVB bounty program that claims all USDC stablecoin holders will get their money back if they click. However, the QR code the victim receives will compromise their cryptocurrency wallet account.

A separate lure with the same end goal of QR-related crypto theft uses an announcement by USDC issuer Circle as a starting point. The company said USDC would be exchangeable 1:1 for dollars, prompting the creation of a new phishing site with a Circle USDC claim page.

The SVB BEC threat

As mentioned, this news event is also a bit unusual in providing the perfect conditions for a BEC attack to develop. Finance teams will be legitimately approached by suppliers who previously banked with SVB and have now switched financial institutions. As a result, those suppliers have to update their account details. An attacker could use this confusion to do the same, impersonating a supplier with modified payee account details.

Some of these attacks may be sent from spoofed domains, but others may be more convincing, with emails sent from legitimate but hijacked supplier email accounts. Organizations without adequate fraud checks can end up mistakenly sending money to scammers.

How to avoid SVB and similar scams

Phishing and BEC are becoming more and more common. The FBI Internet Crime Report 2022 details more than 300,000 phishing victims last year, cementing its status as the most popular type of cybercrime. And BEC made scammers more than US$2.7 billion in 2022, making it the second-highest-grossing category. Consider the following to stay safe from scammers:

  • Be wary of unsolicited messages received via email, SMS, social media, etc. Try to independently verify with the sender before deciding whether to reply.
  • Do not download anything from unsolicited messages, click on any links, or provide any sensitive personal information.
  • Look for grammatical errors, typos, etc., which could indicate a fake message.
  • Hover over the display name of the email sender – does it look real?
  • Enable two-factor authentication (2FA) for all online accounts.
  • Use strong, unique passwords for all accounts, ideally stored in a password manager.
  • Regularly patch or enable automatic updates for all devices.
  • Report anything suspicious to the company’s security team.
  • Importantly, make sure you have the latest security software on all your devices from a reputable provider.

Specifically for BEC:

  • Check with colleagues before changing account details/approving payments for new accounts
  • Double-check any account update requests with the requesting organization: don’t reply to their emails, verify independently from your records
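The BEC section notes that some requests come from spoofed domains while others come from hijacked but genuine supplier mailboxes, so header checks alone cannot clear a bank-detail change. The added example below (not from the original article) shows a mail-triage rule that records header red flags but holds every change request for a callback to the number already on file; the vendor record, keyword list and sample messages are hypothetical and constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical vendor master data, kept outside the mailbox.
VENDORS = {"acme-supplies.example": "+1-555-0100"}
CHANGE_TERMS = ("new bank", "bank details", "account details", "new account")

def domain_of(header):
    """Lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def assess(raw):
    """Classify one message: header red flags plus the required action."""
    msg = message_from_string(raw)
    body = " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')} {body}".lower()
    sender = domain_of(msg.get("From"))
    reply = domain_of(msg.get("Reply-To")) or sender
    flags = []
    if sender not in VENDORS:
        flags.append("sender domain not in vendor records")
    if reply != sender:
        flags.append("Reply-To points to a different domain")
    # Simplified: trust only the Authentication-Results your own MX adds.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("DMARC failed")
    if not any(term in text for term in CHANGE_TERMS):
        action = "normal handling"
    elif sender in VENDORS:
        # Clean headers prove nothing if the supplier's mailbox is hijacked.
        action = f"hold: call {VENDORS[sender]} from vendor records"
    else:
        action = "hold: no record, treat as new-vendor onboarding"
    return {"flags": flags, "action": action}

# Constructed messages for illustration.
SPOOFED = ("From: Acme Supplies <ar@acme-supplles.example>\n"
           "Reply-To: ar@acme-billing.example\n"
           "Authentication-Results: mx.buyer.example; dmarc=fail\n"
           "Subject: Updated payment information\n\n"
           "We left SVB. Please use our new bank details below.\n")
HIJACKED = ("From: Acme Supplies <ar@acme-supplies.example>\n"
            "Authentication-Results: mx.buyer.example; dmarc=pass\n"
            "Subject: Re: Invoice 1042\n\n"
            "Following the SVB news, our new account is attached.\n")
ROUTINE = ("From: Acme Supplies <ar@acme-supplies.example>\n"
           "Subject: Invoice 1043\n\nInvoice attached, usual terms.\n")
```

The `HIJACKED` sample raises no header flags at all, yet it is still held for a callback, which is the behaviour the two BEC bullets above ask for.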

From an enterprise IT security perspective:

  • Run regular, ongoing phishing drills for all staff, including simulations of currently trending attacks
  • Consider gamification techniques that can help reinforce good behavior
  • Build BEC into staff security awareness training
  • Invest in an advanced email security solution that includes anti-spam, anti-phishing and host server protection and prevents threats from even reaching their targets
  • Update the payment process so that large wire transfers must be signed off by multiple employees

We should all be on the lookout for unexpected emails or calls – especially those that come from banks and require immediate action. Never click on a link and enter your banking login credentials or give them over the phone at any time. To access your banking information, use your bank’s official website.
