Highlighting the importance of extra care no matter the device.


Yes, we live in the age of the selfie. Admit it, you’ve taken them yourself. But, did you ever think selfies could be part of a phishing scam?

The attackers have really outdone themselves this time, according to newly published research.

According to BleepingComputer, a new phishing scam targeting Chase Bank customers is not only asking for victims’ personal information, but also requests an uploaded selfie of them holding their ID or driver’s license.

This campaign, discovered by MalwareHunter Team, starts with the scam’s landing page that looks like a legitimate Chase Bank login form.

Once users attempt to login, there is an error message that says that their information is wrong, and their identity needs to be verified. The phishing site then loads an attractive and well-designed form that attempts to gather additional information with the purpose of stealing users’ identities.

This site prompts victims to confirm their ID by uploading a selfie showing both sides of their ID card.

Give Attackers an Inch, They Will Take a Mile

Once phishers have hooked a victim it just makes sense that they take that often-fleeting opportunity to take everything of value that they can.

On one hand, getting people to take selfies holding their ID cards seems almost comical, and raises the question: who would do that? On the other hand, given the selfie culture and the logic and challenge of verifying identities online and the speed at which people can respond, even before thinking, I bet a lot of people would fall for even this.

BleedingComputer noted this type of ask—for a selfie—isn’t yet a typical one for phishing sites. But it is typical for instances where users are asked to register for gambling, cryptocurrency or other financial sites.

There’s no doubt this kind of attack could be used to target individuals within organizations to steal credentials or other sensitive information. The key for organizations is to have a comprehensive program of technology controls and cybersecurity awareness training to make falling for this type of attack exceedingly rare.

You can learn more about how to plan for cyberattacks here.

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox

You may also like:

Risks and Consequences of Legacy Web Security Solutions

Counting the cost of on-premises web sec…

Counting the cost of on-premises web security systems. Shop… Read More >

Dan Sloshberg

by Dan Sloshberg

Sr. Product Marketing Director

Posted Apr 22, 2019

New Cyber Espionage Campaign Features Never-Before-Seen Malware Tools

The key to defending against new attack …

The key to defending against new attack types is a multi-lay… Read More >

Matthew Gardiner

by Matthew Gardiner

Principal Security Strategist

Posted Apr 16, 2019

Phisher Pleads Guilty in Scam Targeting High-Profile Celebrities, Athl…

A reminder: phishing and brand-spoofing …

A reminder: phishing and brand-spoofing works best against t… Read More >

Matthew Gardiner

by Matthew Gardiner

Principal Security Strategist

Posted Apr 01, 2019