Scammers often pose as well-known companies: online movie theaters, job hunting services, internet stores and so on. This time, phishers are targeting customers of Wells Fargo, one of the four largest US banks, providing services in more than 40 countries. Counting on the bank’s trustworthiness, the cybercriminals are not limiting themselves to stealing bank card details, but going after e-mail accounts and selfies with ID card, too.

Phishing attack on Wells Fargo customers

As ever, the attack starts with a phishing e-mail designed to alarm the recipient. It informs the user that their Wells Fargo bank account has been blocked, allegedly due to an unverified e-mail address or a mistake in their home address. To regain access, the message asks the recipient to follow the link and verify their identity within 24 hours of receiving the notification. Otherwise, it will no longer be possible to transfer or withdraw money, the letter warns.

The e-mail looks quite convincing: a neat logo element, business-style text and almost no errors. Even the sender’s name and address are very similar to those of the bank’s customer service. Yet, the address does have a very unusual domain in the non-existent zone “wellsfargo-com” (instead of the usual .com). But it takes a sharp eye to spot it.

Phishing e-mail seemingly from Wells Fargo

The link in the e-mail points to a third-party site, and from there, via a redirect, to a fake Wells Fargo account login page. Here the phishers made less of an effort: the design does not match that of the official page, and the URL has nothing to do with the bank at all, but for some reason references either the Bruce Springsteen song The Ties That Bind or the TV series of the same name.

On the very first page, the victim is prompted to enter their Wells Fargo account username and password. But that’s only the beginning — two more “verification” stages lie ahead.

Phishing site imitating Wells Fargo

Having signed in, the victim lands on the next page, where the number of fields to fill out is now much higher. Here the scammers brazenly ask for an e-mail address with password (!), a phone number with postal address, a date of birth and a social security number (SSN). And, of course, payment details: aside from a bank card number and expiration date, they also ask to fill in the CVV code on the back, plus PIN.

Form for entering personal data on the phishing site

Next comes the most interesting part: the user is prompted to upload a selfie with an ID document. This page displays no fewer than three Wells Fargo logos, probably to add credibility. However, the typos somewhat spoil the impression.

The victim is asked to upload a photo with ID document

Having extracted all vital data from the victim, the scammers report that the account has been successfully restored and redirect said victim to the real Wells Fargo website. This maneuver is designed to make them believe they have been on the legitimate resource all the time.

Account “recovery” and redirection to the official Wells Fargo site

What the stolen data can be used for

Typically, this kind of phishing is used to build up a massive database for subsequent sale on the dark web. The merchandise is valuable: armed with such a treasure trove of personal data, criminals can siphon off money from the victim’s card. But it doesn’t stop there: with a dataset like this they can also enrich themselves in other ways on the victim’s expense. For example, by opening a bank or crypto exchange account to launder stolen funds, obtain a credit card, and so on. With an ID card selfie and SSN, attackers have every chance of passing the KYC (Know Your Customer) security check required for such transactions.

As such, after entering the data, probably nothing will happen at first; only later will the troubles arrive. This may pose an additional danger: by the time the cybercriminals start using the stolen data, the user will likely no longer remember having entered their personal data somewhere, making it much harder for them to give the bank representatives or the police officers a proper explanation.

How to avoid falling victim to bank phishing

Here are some tips on how to avoid becoming a victim of phishing schemes that involve banking accounts.

Look carefully at unexpected e-mails about account suspensions, suspicious charges, odd purchases and generous giveaways: they are nearly always fake. We’ve explained recently why such e-mails are most likely a scam and how to spot fraud.
Do not follow links in e-mails to bank websites. Better to enter the URL of the official site manually, or find it on Google, Bing or another reliable search engine.
Remember that, as a rule, full personal information and selfie with ID card are not required to recover a bank account. And you certainly don’t have to enter the CVV code from the back of your card, let alone your PIN! If you are asked for this, be very wary and contact the bank for confirmation by calling the phone number printed on your card.
If you are a Wells Fargo customer and get a phishing e-mail, report it to your bank immediately so they can take measures and protect other users. See here for contact details.
Install a reliable security solution that warns you about scams and phishing attempts and keeps your valuable data safe from cybercriminals.