New phishing scam impersonating Chase bank asks for sensitive data including selfies

• A new phishing scam pretending to be from Chase bank targets customers’ PII, login credentials, banking details, as well as selfies.
• This way, the scammers have collected all the details right from basic details and credentials such as Chase account login credentials, email credentials, names, dates of birth, addresses, phone numbers, to sensitive information such as payment card details, Social Security Numbers, ATM pin numbers, driving license numbers, selfies, and ID cards.

What is the issue - A new phishing scam pretending to be from Chase bank targets customers’ PII, login credentials, banking details, as well as selfies.

The big picture

Researchers from MalwareHunterTeam uncovered the legitimate-looking Chase bank phishing site.

• The phishing site opens a login form that asks customers to enter their credentials in order to log in to their Chase online accounts.
• Upon entering the login credentials, the page throws a message stating that you cannot access your Chase account.
• It then asks customers to verify their account by updating their information.
• Upon clicking the ‘Continue to Chase’ button to verify their account, users are redirected to a page where it asks them to synchronize their Chase account with their email by proving their email addresses and passwords.
• Upon providing the email credentials and clicking ‘Next’, it opens another form which asks users to update their billing address by entering information such as full name, date of birth, address, and phone number.
• The next form asks for bank account details such as payment card number, expiration date, CVV number, Social Security Number, ATM pin number, mother’s maiden name, and driving license number.
• Finally, it asks users to upload their selfies holding their ID cards along with both sides of their driver license or ID cards.

Worth noting - This way, the scammers have collected all the details right from basic details and credentials such as Chase account login credentials, email credentials, names, dates of birth, addresses, phone numbers, to sensitive information such as payment card details, Social Security Numbers, ATM pin numbers, driving license numbers, selfies, and ID cards.

The bottom line - These kinds of information can be used to create new accounts under the victims’ names or can be used to access the victims’ online cryptocurrency accounts.

To avoid falling prey to such scams, it is always best to check the site’s URL in the browser's address bar before submitting any sensitive or personal information to the site. For instance, this Chase bank phishing site was using the URL chasexxxx[.]ddns[.]net, which is actually not the official Chase bank’s URL.