SVB’s collapse is a scammer’s dream: Don’t get caught out

Big news events and major crises usually trigger an avalanche of follow-on phishing attempts. The COVID-19 pandemic and Russia’s invasion of Ukraine are perhaps the most obvious examples, but the most recent one is the collapse of Silicon Valley Bank (SVB). The mid-sized US lender and a key financer of tech start-ups held tens of billions of dollars’ worth of assets when it went bust last week after succumbing to a bank run.

Although the US government stepped in days later to guarantee customers would be able to access their money, the damage was done – and even if you or your business wasn’t affected by the bank’s meltdown, you could still be at risk of cybercrime that exploits such events for nefarious gains.

Ambulance-chasing phishing and business email compromise (BEC) attempts are already hitting inboxes across the globe. Once you’ve weathered the storm, there’s plenty of takeaways that can be used to build a more resilient security awareness program going forward.

The SVB scams so far

There’s nothing new in scammers piggy-backing on news events to improve their success rates. But the SVB case has several ingredients that make it arguably a more attractive lure than the norm. These include:

• The fact that there’s lots of money at stake: SVB had an estimated US$200 billion in assets when it went bust.
• Extreme anxiety from corporate customers worried about how to pay the bills if they can’t access their assets, and of individuals concerned about whether they’d get paid.
• Confusion over exactly how customers can get in touch with the failed lender.
• The fact that the collapse came after the fall of Signature Bank, sparking even more anxiety about the whereabouts of funds and the health of the financial system.
• SVB’s global reach – including a UK arm and various affiliated businesses and offices across Europe. This expands the pool of potential scam victims.
• The BEC angle: as many SVB corporate customers will be informing their partners of bank account changes, it offers the perfect opportunity for fraudsters to step in first with their own details.

When something like this happens, it’s not unusual to see multiple domains registered by firms looking to offer legitimate loans or legal services to the ailing bank’s customers. It can be difficult to discern the authentic from those registered for nefarious ends.

There’s a long list of newly-registered lookalike domains that may try to deceive people in the future.

New domain registrations relating to Silicon Valley Bank are emerging. Some could be #phishing campaigns. Listed below is what we’re seeing now. Keep in mind not all are scammy, and not all scammy domains targeting SVB will have SVB-related terms: https://t.co/mHjfZQIQAf pic.twitter.com/Au7AbA0GhX

— SecuritySnacks (@SecuritySnacks) March 13, 2023

SVB phishing attempts

As always, phishing attempts focus on classic social engineering techniques such as:

• Using a breaking news story to lure the recipient in
• Spoofing SVB or other brands to gain recipient trust
• Creating a sense of urgency to force recipients to act without thinking – not hard given the circumstances surrounding the collapse
• Including malicious links/attachments to harvest information or steal funds

Expect different threat actors to exploit the current situation with SVB. Started to see some infrastructure being setup that could be used for phishing / scams. login-svb[.]com cash4svb[.]com svbclaim[.]com svbdebt[.]com pic.twitter.com/rn9ltBsxDU

— Jaime Blasco (@jaimeblascob) March 12, 2023

Some phishing attempts have focused on stealing the details of SVB customers – possibly to either sell on the dark web or to create a phishing list of targets to hit with future scams. Others have embedded more sophisticated methods of stealing cash from victims.

One effort uses a fake reward program from SVB claiming all holders of stablecoin USDC will get their money back if they click through. However, the QR code the victim is taken to will compromise their cryptocurrency wallet account.

A separate lure with the same QR-related crypto-stealing end goal used an announcement by USDC issuer Circle as its starting point. The firm said USDC would be redeemable 1:1 with the dollar, prompting the creation of new phishing sites with a Circle USDC claims page.

SVB BEC threats

As mentioned, this news event is also slightly unusual in providing the perfect conditions for BEC attacks to flourish. Finance teams are going to be legitimately approached by suppliers that previously banked with SVB and that have now switched financial institutions. As a result, they’ll need to update their account details. Attackers could use this confusion to do the same, impersonating suppliers with modified account payee details.

Some of these attacks may be sent from spoofed domains, but others may be more convincing, with emails that have been sent from legitimate but hijacked supplier email accounts. Organizations without sufficient fraud checks in place could end up mistakenly sending money to scammers.

How to avoid SVB and similar scams

Phishing and BEC are increasingly common. The FBI Internet Crime Report 2022 details over 300,000 phishing victims last year, cementing its status as the most popular cybercrime type of all. And BEC made scammers over US$2.7bn in 2022, making it the second highest-grossing category. Consider the following to stay safe from the scammers:

• Be cautious about unsolicited messages received by email, SMS, social media etc. Try to independently verify them with the sender before deciding whether to reply.
• Don’t download anything from an unsolicited message, click on any links or hand over any sensitive personal information.
• Look for grammatical mistakes, typos etc. that can indicate a spoofed message.
• Hover over the email sender’s display name – does it look authentic?
• Switch on two-factor authentication (2FA) for all online accounts.
• Use strong and unique passwords for all accounts, ideally stored in a password manager.
• Regularly patch or switch on automatic updates for all devices.
• Report anything suspicious to the corporate security team.
• Importantly, ensure you have up-to-date security software on all your devices from a reputable provider.

For BEC specifically:

• Check with a colleague before changing account details/approving payments for new accounts
• Double check any requests for account updates with the requesting organization: don’t reply to their email, verify independently from your records

From a corporate IT security perspective:

• Run continuous, regular phishing training exercises for all staff, including simulations of currently trending attacks
• Consider gamification techniques which may help reinforce good behaviors
• Build BEC into staff security awareness training
• Invest in advanced email security solutions that include anti-spam, anti-phishing and host server protection and protect threats from even reaching their targets
• Update payment processes so that large wire transfers must be signed off by multiple employees

We all need to be on the lookout for unexpected emails or calls – mainly those coming from a bank and requiring urgent action. Never click a link and input your banking login credentials nor give them over the phone at any time. To access your banking information, use your bank’s official website.