Email Security

    Phishing for Selfies? New Scam Targets Chase Bank Customers

    Highlighting the importance of extra care no matter the device.

    by Matthew Gardiner

    Yes, we live in the age of the selfie. Admit it, you’ve taken them yourself. But, did you ever think selfies could be part of a phishing scam?

    The attackers have really outdone themselves this time, according to newly published research.

    According to BleepingComputer, a new phishing scam targeting Chase Bank customers not only asks for victims' personal information but also requests an uploaded selfie of them holding their ID or driver's license.

    This campaign, discovered by MalwareHunterTeam, starts with a landing page that looks like a legitimate Chase Bank login form.

    Once users attempt to log in, an error message tells them that their information is wrong and that their identity needs to be verified. The phishing site then loads an attractive and well-designed form that attempts to gather additional information with the purpose of stealing users' identities.

    This site prompts victims to confirm their ID by uploading a selfie showing both sides of their ID card.

    Give Attackers an Inch, They Will Take a Mile

    Once phishers have hooked a victim, it just makes sense that they use that often-fleeting opportunity to take everything of value that they can.

    On one hand, getting people to take selfies holding their ID cards seems almost comical, and raises the question: who would do that? On the other hand, given selfie culture, the logic and challenge of verifying identities online, and the speed at which people can respond, even before thinking, I bet a lot of people would fall for even this.

    BleepingComputer noted that this type of ask, for a selfie, isn't yet a typical one for phishing sites. But it is typical for instances where users are asked to register for gambling, cryptocurrency or other financial sites.

    There’s no doubt this kind of attack could be used to target individuals within organizations to steal credentials or other sensitive information. The key for organizations is to have a comprehensive program of technology controls and cybersecurity awareness training to make falling for this type of attack exceedingly rare.

    You can learn more about how to plan for cyberattacks here.
