The FBI is warning the public that cyber criminals are targeting users of employee self-service websites owned by companies and government services. The cyber criminals are using search engine advertisements to impersonate legitimate websites and steal victim information and funds.
Cyber criminals use fraudulent search engine advertisements to direct users to malicious websites that mimic the legitimate sites in appearance, but steal login credentials and other financial information when the victim logs in. Previously, cyber criminals primarily targeted small business commercial bank accounts in account takeover schemes, but have expanded to target payroll, unemployment programs, and health savings accounts with the goal of stealing money through fraudulent wire transactions or redirecting payments.
Methodology
Cyber criminals use advertisements that imitate legitimate companies to misdirect targets conducting an internet search for a specific website. The fraudulent URL appears at the top of search results and mimics the legitimate business URL with minimal differences, such as a minor misspelling. When targets click on the fraudulent advertisement link, they are redirected to a phishing website that closely mirrors the legitimate website. When the target enters login credentials, the cyber criminal intercepts the credentials.
Cyber criminals use captured credentials to gain full access to the victim's legitimate account and may use social engineering tactics to obtain the victim's token, if multi-factor authentication is enabled. One social engineering tactic involves masquerading as a bank representative while calling the victim and asking for their one-time passcode. The phishing site may also prompt the victim to enter their multifactor token. If a bank account is compromised, cyber criminals can transfer money from the accounts. If an employee payroll account, unemployment account, health savings account, or retirement account is accessed, the cyber criminal can change the direct deposit information and redirect future payments. If cyber criminals gain access to victim personally identifiable information (PII), they can also create new accounts that defraud victims. One indicator that cyber criminals have compromised a victim's financial account is the receipt of thousands of spam emails within a short period of time. Cyber criminals use spam emails to prevent the victim from noticing a legitimate organization's notification of account compromise
Tips to Protect Yourself
While most search engine advertisements are not malicious, it is important to practice caution when accessing a web page through an advertisement.
The FBI recommends individuals take the following precautions:
- Exercise caution when clicking on advertisements. Before clicking on an advertisement, check the URL to make sure the site is authentic. A malicious URL may be similar to the legitimate URL, but with typos. Malicious advertisements may also redirect users to a different website than indicated.
- Type the business's URL directly into an internet browser address bar to access the official website instead of searching for it in a search engine.
- Use an ad blocking extension when performing internet searches. Most internet browsers allow a user to add extensions, including extensions that block advertisements. These ad blockers can be turned on and off within a browser to permit advertisements on certain websites while blocking advertisements on others.
- Use Bookmarks or Favorites for navigating to login websites rather than clicking on Internet search results or advertisements. Multi-factor authentication will not protect you if you land on a fraudulent login page.
- If your account requires multi-factor authorization, be aware that cyber criminals may use social engineering techniques to obtain access to accounts, including calling and pretending to be a bank employee or technical support to obtain a One-Time Passcode.
The FBI recommends businesses take the following precautions:
- Use domain protection services to notify businesses when similar domains are registered to prevent domain spoofing.
- Notify the user immediately via multiple methods (phone, email, text message) when fraudulent wire transactions are detected.
- Educate users about spoofed websites and the importance of confirming destination URLs.
- Educate users about where to find legitimate downloads for programs provided by the business.
Reporting
If you believe you clicked on a fraudulent search engine advertisement, report the fraud to the FBI Internet Crime Complaint Center at www.ic3.gov. Be sure to include transaction information when available. When fraudulent transactions are reported in a timely manner and complete transaction information is provided, the IC3 Recovery Asset Team may be able to assist in freezing hundreds of thousands of dollars for victims of cybercrime, including fraud. It is also important to contact your bank/payroll/health savings organization to request a recall or reversal as soon as you recognize fraud.