Skip to content

How Threat Actors Are Preying on Silicon Valley Bank Collapse

  • Introducing the "Threat Actor"
  • Threat Actors respond to news trends and resultant anxiety
  • The fall of Silicon Valley Bank is the newest boon for Threat Actors

The Cloudflare Blog takes a look at the activities of a specific category of fraudster, the Threat Actor, in relationship to news events like the collapse and takeover by the US Federal Government of Silicon Valley Bank (SVB):

Unfortunately, where everyone sees a tragic situation, threat actors see opportunity. We have seen this time and again - in order to breach trust and trick unsuspecting victims, threat actors overwhelmingly use topical events as lures. These follow the news cycle or known high profile events (The Super Bowl, March Madness, Tax Day, Black Friday sales, COVID-19, and on and on), since there is a greater likelihood of users falling for messages referencing what’s top of mind at any given moment.

2 - Check Fraud Hacker - Fraudster

Cloudflare warns that the SVB news cycle makes for a similarly compelling topical event that threat actors will embrace and exploit. Further, "it's crucial that organizations bolster their awareness campaigns and technical controls to help counter the eventual use of these tactics in upcoming attacks," noting the tragic irony that "even as the FDIC is guaranteeing that SVB customers’ money is safe, bad actors are attempting to steal that very money!"

Taking Action Before Attacks

Cloudforce One, Cloudflare’s threat operations and research team, significantly increased their brand monitoring focused on SVB’s digital presence starting March 10, 2023 and, as they report, "launched several additional detection modules to spot SVB-themed phishing campaigns." They offer an example of a real campaign involving SVB that’s happening since the bank was taken over by the FDIC.

A frequent tactic used by threat actors is to mimic ongoing KYC (Know Your Customer) efforts that banks routinely perform to validate details about their clients. This is intended to protect financial institutions against fraud, money laundering and financial crime, amongst other things.

On March 14, 2023, Cloudflare detected a large KYC phishing campaign leveraging the SVB brand in a DocuSign themed template. This campaign targeted Cloudflare and almost all industry verticals. Within the first few hours of the campaign, we detected 79 examples targeting different individuals in multiple organizations. Cloudflare is publishing one specific example of this campaign along with the tactics and observables seen to help customers be aware and vigilant of this activity.

SVB Email reduced-01

Source: INKY

INKY, a computer security service focused on emails, explains the scam in detail:

Email recipients are told that the “KYC Refresh Team” sent two documents (KYC Form.docx & Change of Contact.docx) that require a signature. “KYC” is a banking term that stands for “Know Your Customer” or “Know Your Client”. It’s a mandatory process banks use to verify an account holder’s identity. Of course, in this case, the phisher is using it to convey a sense of legitimacy to its intended victims.

These phishing sites look identical to the real Microsoft login page. However, any data submitted will be sent to the bad actors behind this scheme. Once they have them, cybercriminals can use your harvested credentials in a number of ways including gaining access to anything from bank records to employer files, using your email to trick those close to you into surrendering important company data or banking access. Or, your credentials can be sold on the dark web.

Fraudsters Pouncing Quickly on SVB Spoofed Domains

American Banker reports that The Internet Storm Center, a group that monitors malicious internet activity, issued a warning on Monday that domain registrations containing "SVB" were up significantly. An incredible 70 new domain registrations matching "that description"SVB" or variations came into existence up over the weekend, compared to fewer than 30 over the previous two weeks.

Click the image above to enlarge

Source: Silent Push

Not all of those newly created websites are outright scams, the center said, but for every one that isn't, there is likely another scam site that does not contain "SVB" but impersonates Signature Bank or another entity that has been in headlines this week. Fake mobile apps are yet another threat.

For cybersecurity experts, this flood of potential scams is hardly a surprise. Any big news creates an opportunity for fraudsters to spin a new narrative in a phishing campaign, and fraudsters have a playbook they can follow to take advantage.

"There is a blueprint when something like this happens, and it often kicks off with registration of new domains," said Ashley Allocca, senior intelligence analyst for threat intelligence company Flashpoint.

Response Needed by the Banking Industry

Banks need to take a proactive approach to ensure their customers do not fall victim to these scams. There are many individuals and businesses that utilize more than one bank -- which could include SVB. Sending out communications and posting information and details on these scams can better protect their customers.

These scams can lead to a plethora of further fraud activity, including account takeover, identity theft, and even check fraud. Remember, once a person has banking information, there is no limit to what a fraudster can do.

Check fraud represents an easy target, as the fraudsters can generate counterfeit checks at alarming speeds to deposit into newly established accounts using stolen information. Banks need to ensure that there are additional verification steps on new accounts or account sign-ins, along with technology to monitor transactions, including the behavior of the accounts and the individual transactions -- particularly image analysis of checks.


With new scams popping up left and right, banks must cover all bases. Image forensic AI complements transactional analytics systems to ensure that payment are legitimate -- identifying whether a check payment is a counterfeit, forgery, or alteration. As more individuals fall into the crosshairs of these scams, banks can be the line of defense preventing lost funds for their customers.

Leave a Comment