When Silicon Valley Bank collapsed last week, tech executives panicked. Without access to funds deposited with SVB, many were unsure they’d be able to pay bills or make payroll. Fear set in — and scammers pounced.
In the days since the bank’s meltdown, digital con artists have bombarded SVB customers with attempts to steal business information, credentials and financial data necessary to carry out wire fraud. One of their biggest targets: Cloudflare CEO Matthew Prince.
Just four days after the March 10 collapse, an unidentified author hit send on an email to Prince crafted to look like a know-your-customer verification form from SVB. This is the kind of routine work that banks do to verify their customers are who they say they are — and something a bank might reasonably be expected to do after going into federal receivership.
As more information about SVB’s customers appears online, scammers are getting increasingly creative and brazen. Many are attempting to impersonate customers of SVB and telling the clients of those customers that in the aftermath of SVB’s collapse their banking information has changed. By giving clients banking information that the attacker controls, scammers are attempting to intercept routine payments between a client and an SVB customer.
The email sent to Prince was designed to look like a DocuSign template, bearing the SVB logo and an alternate signing method along with a security code, the email bore what would seem to be all the signs of a legitimate communication from a bank to its customer — the CEO of a deep-pocketed, publicly traded security firm, in this case. “It is always astonishing to me how quickly scammers and hackers take advantage of the news of the moment,” Prince told CyberScoop in an interview.
The spearphishing email never reached his inbox thanks to the company’s security tools, but members of its security team described the incident in a blog post this week, reporting how scammers are trying to capitalize on SVB’s demise. In the aftermath of the bank’s collapse, Cloudflare, which had a small SVB account but no major exposure to the bank, has observed look-alike domains being set up that mimic SVB and the Federal Deposit Insurance Corporation, which has stepped in to guarantee the bank’s deposits, as part of schemes to steal banking information and redirect transactions.
Other security firms have seen a similarly quick uptick in phishing attempts capitalizing on the SVB collapse. As early as March 10, the day of the SVB collapse, the threat intelligence firm Egress saw infrastructure being set up to support SVB-themed phishing campaigns. Among the domains impersonating SVB observed by the company are addresses like svb-payment[.]com and svbhelp[.]com.
Amid the collapse of an institution such as SVB, its customers will naturally be in a state of anxiety, and attacks that pose as SVB or an entity connected to them “manipulate them further to increase the likelihood that they make a mistake and fall victim to the attack,” Jack Chapman, the vice president of threat intelligence at Egress, wrote in an analysis shared with CyberScoop.
Even employees at companies such as Cloudflare with its sophisticated security posture can fall victim to phishing attempts. Following the Twilio and Okta attacks, Cloudflare had eight employees that clicked on malicious links, and while the consequences were mitigated by the company’s security systems, Prince says no one is immune from getting phished.
“I am hypervigilant around these things,” Prince said, but as phishing attacks are growing increasingly sophisticated, “there are definitely things that I’ve clicked on.”
Phishing attacks require only one mistake to be successful — for one person to click on something or fill out a form that they shouldn’t. And that’s what makes the SVB collapse so attractive to scammers. “Humans are most likely to make mistakes at a time of stress,” Prince said. “If you as a CFO at a company were worried about making payroll then that is obviously incredibly stressful.”