SVB
Image: Focal Foto via Flickr/The Record

Experts warn of scams tied to Silicon Valley Bank collapse

Scammers are taking advantage of the chaos created by the recent collapse of Silicon Valley Bank, cybersecurity experts warn.

SVB was the 16th-largest bank in the United States before a run on its deposits forced the California Department of Financial Protection and Innovation to seize the bank on March 10. New York regulators then closed Signature Bank two days later due to an increase in withdrawals.

Cybersecurity experts are already seeing a range of scams exploiting the crisis, which has acutely affected tech companies. Researchers from Proofpoint wrote on Twitter that they have seen scammers send malicious emails related to a cryptocurrency company affected by SVB’s collapse.

The emails center on Circle – the company behind the U.S. dollar-pegged cryptocurrency USDC. After SVB’s collapse, Circle announced it had cash reserves in SVB, prompting scammers to start sending emails spoofing the company and telling victims they could redeem the cryptocurrency.

Sent through malicious accounts on SendGrid, a marketing communications service, the emails contain links to a platform that would ultimately steal the contents of a victim’s cryptocurrency wallet.

JupiterOne Chief Information Security Officer Sounil Yu told The Record that the SVB situation also creates a “tremendous opportunity” for attackers to launch fraudulent business email compromise (BEC) and vendor email compromise attacks – where an attacker impersonates a third-party vendor – to convince finance teams to switch banking details over to an attacker-controlled account.

“Given SVB's breadth of exposure across the startup ecosystem, we should expect to see many finance teams receiving an unusually high number of updates about new banking relationships and wire instructions,” Yu said.

“Attackers are likely to indiscriminately impersonate vendors regardless of whether the vendor previously banked with SVB or not. As such, finance teams will need to be extra diligent to confirm that the updated details of any of their vendors are indeed correct.”

Also of concern among cybersecurity experts are spoofed websites involving SVB.

Flashpoint senior intelligence analyst Ashley Allocca said on March 11 – the day after SVB’s collapse – that at least 16 new domains with the acronym “svb” were registered, like login-svb[.]com and svbbailout[.]com.

“It is entirely possible not all of these domains will be leveraged for malicious purposes, but it is clear in the case of login-svb[.]com that that page will likely resolve to a login page for SVB affiliates, malicious or otherwise,” she said.

Allocca added that registered domains connected to the bank’s competitors have also been popping up, including for Revolut, a British-Lithuanian financial services company.

“This may portend social engineering attacks with themes of transferring a financial relationship from one bank to another,” she said.

Business email compromise attacks

Snehal Antani, CEO of cybersecurity firm Horizon3.ai, said his company was personally affected by SVB’s collapse. He was forced to loan $1 million of his own money on Friday morning so the company could make payroll while it waits for word on what federal regulators will do about SVB deposits.

He was able to avoid furloughing employees but noted that many tech founders are not in the position to loan money to their startups.

The panic caused by SVB’s collapse makes it ripe for a BEC scam opportunity, he noted.

“With SVB, massive amounts of money are being wired into new accounts that are being setup. The new account details are being sent around as PDF’s, and the recipients are operating with urgency to get money transferred ASAP,” he explained.

Antani added that vendors are now scrambling to update their payment details via email for their customers, meaning new receivables are being sent to their new bank account versus their now-defunct SVB account.

“These are the perfect conditions for attackers to make a quick several million dollars (and perhaps much more!)” he said. “When an attacker has achieved Business Email Compromise, they are in a position where they can read/send emails for one or many users.”

Attackers are smart enough to figure out who within the organization is likely to send or receive wire transfer requests and other information, he said.

Hackers sit and wait for those types of emails to come through, eventually redirecting wire instructions to criminal-controlled bank accounts. If funds are sent to the wrong place, Antani said, it is very difficult to recover them.

Expel CISO Greg Notch urged companies to avoid making account changes over email and to validate any changes with known contacts if possible. Notch also said companies should do test deposits of nominal value so receipts can be confirmed.

He noted that BEC accounted for over half of all incidents for their customers last year.

An FBI report released last week said the agency received 21,832 BEC complaints with adjusted losses of over $2.7 billion in 2022.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.