Wells Fargo Phishing Email Uses Fake Calendar Invites to Steal Bank Credentials
Hackers are sending phishing emails to Wells Fargo Bank customers to steal their bank accounts. The emails impersonate Wells Fargo Security Team members in hopes of convincing the target it is a legitimate communication from the bank. They have a malicious attachment cleverly disguised as an MS Office 365 calendar invitation. So far, the scam has reached about 15,000 to 20,000 Wells Fargo customer email accounts, according to a report by cyber security researchers at Abnormal Security.
Messaging contained in the Wells Fargo phishing email informs the user that they supposedly have a “new security key.” They are also informed that they need to take immediate action to protect their Wells Fargo account. In fact, this email does just the opposite. If the customer opens the calendar invitation it can lead them to a pair of pages that eventually steals their bank credentials.
“The email pretends that the user must update their security key as soon as possible, or risk their account being suspended. It urges the user to quickly open the attachment and follow the instructions,” says Abnormal Security.
Wells Fargo Phishing Email
Threatening phishing email recipients is a common tactic for hackers. The particular phishing email contains messaging that tries to scare the user into acting quickly – without thinking about it too long – because their account supposedly will be suspended leaving them without access to their money. The scam emails have an attachment which is a calendar .ics file – not the typical suspicious file attachment – which is used by applications to create calendar events for people. If the user clicks on the invitation it automatically adds a fake event to their Office 365 calendar. The event description has a link to a SharePoint page. This helps it evade detection by antivirus apps.
The SharePoint page, in turn, has a link to a spoof webpage designed to impersonate the legitimate Wells Fargo website. The messaging directs the recipient to again act immediately. If they enter credentials on this page, the bank information is sent to the hackers. Also like many scams, the recipient is blind carbon copied (Bcc’d) rather than being listed in the “to” field. This implies the email is being sent in bulk to thousands of potential victims.
Hackers often use a variety of tactics joined together to help fool antivirus and anti-malware tools. In this case, the calendar invitation doesn’t seem like a malicious file. It simply adds an event to the user’s calendar. However, the text in the event description contains the link to a SharePoint page. By itself, it isn’t exactly harmful, however, the SharePoint page does contain a link to the credential harvesting spoof web page. Although a few extra hops may reduce the number of victims the hackers ensnare, it helps them get their cyber attacks through email filters.
Abnormal Security says that “Access to a user’s sensitive information would allow an attacker to commit identity theft as well as steal any money associated with the account,”
About Wells Fargo & Company
Wells Fargo is a financial services company and the fourth-largest bank in the United States with offices across the country. The bank does business – mortgages, loans, bank accounts – with 33% of all US households.