Phishing

Capital One Phishing Campaign Exploits Authentication App

Natalie Petitto

September 22, 2022

9 min

A new phishing campaign impersonating Capital One attempts to steal personal identities rather than account credentials. First detected by Vade in early July, the ongoing phishing campaign exploits Capital One’s recent partnership with Authentify, an online verification service that enables financial institutions to verify their customer’s identities to other institutions, such as lenders, when prompted by users.

The phishing email includes the subject line “REMINDER: Your attention is required!” The body text introduces the Authentify service and urges the user to provide a copy of their photo ID to enroll in the service. Neglecting to do so, the email says, will result in account restrictions.

Capital One Authentify Phishing

Capital One/Authentify phishing email

The email was sent from a corporate email address, likely compromised, with the display name “Capital One.” But as you can see from the below email header, the email was sent from an IP address in India.

Capital One Authentify Phishing 1

Sender’s IP address

The phishing link is a legitimate-looking URL that includes both Capital One and Authentify in the text; however, this is only display text and not the real URL, as the display URL returns a Capital One error page in a browser.

Capital One Authentify Phishing 2Capital One error page

The real phishing link directs to a compromised WordPress website impersonating Capital One. The user is then taken through two webpages to upload the front and back of their state-issued ID.

Capital One Authentify Phishing 3

Capital One phishing page 1

Capital One Authentify Phishing 4

Capital One phishing page 2

The Capital One phishing campaign began on July 1, with email volumes reaching up to 6,000 in one day.

Capital One Authentify Phishing 5

Capital One phishing email volumes

Public partnerships create opportunities for phishers and headaches for brands

Authentify announced its collaboration with Capital One and six other financial institutions on April 4, 2022. According to the April press release, While on a participating business' website or app, consumers can choose to be redirected to log into their online or mobile banking experience. The consumer can then share their bank-trusted data with that company, helping them streamline their identity verification process.”

Other Authentify collaborators include Bank of America, PNC Bank, Truist, U.S. Bank, and Wells Fargo. Like other highly publicized partnerships, the Capital One/Authentify collaboration piqued interest from phishers, who are known to pay attention to the news cycle.

The collaboration created an opportunity for creative cybercriminals to exploit both brands. Vade has observed similar phishing campaigns coming on the heels of other brand partnerships. Financial services brands in particular are highly desirable to phishers.

As you can see in the below chart, our recent Phishers’ Favorites report revealed that financial services brands were impersonated more than any other in H1 2022, with 34% of all phishing URLs impersonating financial institutions.

Capital One Authentify Phishing  6We anticipate this trend to continue and urge users to be suspicious of both emails from financial institutions and also third-party applications associated with those institutions. Always operate under the assumption that both can be spoofed and always log in to accounts directly from a browser or application and not from email.