Cybersecurity researchers at Vade Secure SASU today detailed a new phishing campaign that impersonates Capital One Financial Corp. in an attempt to steal personal identities rather than simply account credentials.

First detected in July, the ongoing phishing campaign exploits Capital One’s partnership with Authentify Inc. to verify customer identities. The phishing email leads with a subject line of “REMINDER: Your attention is required.”

That’s followed by a Capital One logo and text that introduces the Authentify service and urges users to provide a copy of their photo IDs to enroll in the service. In a prompt to get victims to share their IDs, the email claims that if they neglect to provide the information, their accounts will be restricted.

The emails used in the phishing campaign are sent from a corporate address, one the researchers note is likely compromised, with the display name of Capital One. However, digging deeper into the emails shows that they were sent from an IP address in India.

The email link is described as “legitimate-looking” and includes both Capital One and Authentify in the text, but the link is only displayed and isn’t the actual URL. The real phishing link goes to a compromised WordPress website that impersonates Capital One with pages to upload the front and back end of the victims’ IDs.

The researchers note that those behind the phishing attack are specifically targeting the Authentify partnership with Capital One that was only launched on April 4 with six other financial institutions. Other Authentify collaborators include Bank of America Corp., PNC Financial Services Group Inc., Truist Financial Corp., U.S. Bank and Wells Fargo & Co.

“The collaboration created an opportunity for creative cybercriminals to exploit both brands,” the researchers explain. “Vade has observed similar phishing campaigns coming on the heels of other brand partnerships” and “financial services brands, in particular, are highly desirable to phishers.”

The researchers anticipate the trend of targeting partnerships such as those between Capital One and Authentify to continue and urge users to be suspicious of emails from financial institutions and also third-party applications associated with those institutions. “Always operate under the assumption that both can be spoofed and always log in to accounts directly from a browser or application and not from email,” they note.

The news of the campaign comes after the U.S. Office of the Comptroller of the Currency released Capital One from a consent order put in place after the bank was hacked in 2019.  The hack, which saw more than 100 million customer accounts compromised, was undertaken by former Amazon Web Services Inc. employee Paige A. Thompson, who was convicted in June of hacking the bank.

Photo: Tdorante10/Wikimedia Commons