Full Report
Instagram ads impersonating financial institutions like Bank of Montreal (BMO) and EQ Bank (Equitable Bank) are being used to target Canadian consumers with phishing scams and investment fraud. Some ads use AI-powered deepfake videos in an attempt to collect your personal information, while others drive traffic to phishing pages. [...]
Analysis Summary
# Incident Report: BMO and EQ Bank Impersonation Scams on Instagram
## Executive Summary
This incident involves a widespread social engineering and phishing campaign where threat actors utilized deceptive advertisements on Instagram, impersonating legitimate financial institutions such as BMO and EQ Bank. The objective was to lure customers into fraudulent activities. The financial institutions, upon discovery, engaged in proactive communication and coordinated with the platform to remove the fraudulent content to mitigate further user impact.
## Incident Details
- **Discovery Date:** Not explicitly stated, but implied shortly before or during the reporting period.
- **Incident Date:** Ongoing campaign utilizing Instagram advertisements.
- **Affected Organization:** BMO (Bank of Montreal) and EQ Bank (customers targeted).
- **Sector:** Financial Services / Banking.
- **Geography:** Canada; the source describes the ads as targeting Canadian consumers of BMO and EQ Bank.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing campaign.
- **Vector:** Paid advertisements appearing on the Instagram platform.
- **Details:** Scammers created high-fidelity ads mimicking the branding and appearance of BMO and EQ Bank promotions; per the source, some ads used AI-generated deepfake videos to solicit personal information, while others simply drove traffic to phishing pages.
### Lateral Movement
*Not applicable, as this was a direct phishing/social engineering campaign targeting end-users, not an IT network intrusion.*
### Data Exfiltration/Impact
- **Data Stolen/Impact:** Financial credentials, personal information, and money potentially stolen from users who interacted with the fraudulent links/forms and provided information.
### Detection & Response
- **Detection:** The financial institutions (specifically EQ Bank) became aware of the fraudulent ad campaign.
- **Response Actions:** EQ Bank confirmed awareness and is working proactively with social media platforms to take down the fraudulent ads. They also issued direct communications to their customer base urging caution.
## Attack Methodology
- **Initial Access:** Social media advertising fraud (running deceptive paid ads).
- **Persistence:** Continuous deployment of new fraudulent ads if older ones are removed.
- **Privilege Escalation:** *Not applicable.*
- **Defense Evasion:** Using high-fidelity branding to bypass initial user skepticism.
- **Credential Access:** Luring users to phishing sites/forms via the advertised links.
- **Discovery:** *Not applicable.*
- **Lateral Movement:** *Not applicable.*
- **Collection:** Collecting user data entered into the scam links/forms.
- **Exfiltration:** Stealing credentials or financial details entered by victims.
- **Impact:** Financial fraud targeting bank customers.
## Impact Assessment
- **Financial:** Potential direct financial loss for victims, costs associated with remediation and communication for the banks.
- **Data Breach:** Potential exposure of sensitive customer credentials and personal data from victims.
- **Operational:** Minor operational overhead for the banks responding to the security threat and notifying customers.
- **Reputational:** Risk to the reputation of BMO and EQ Bank due to brand impersonation and perceived security failures on the advertising platform.
## Indicators of Compromise
- **Network Indicators:** Malicious URLs embedded in Instagram ads (specific URLs are not disclosed in the source, so none are listed here).
- **File Indicators:** *Not applicable (no malware deployment noted).*
- **Behavioral Indicators:** Social media advertisements impersonating regulated financial entities promising deals or promotions.
## Response Actions
- **Containment Measures:** BMO and EQ Bank actively collaborating with the social media platform(s) to identify and remove the fraudulent ads.
- **Eradication Steps:** Platform-level removal of the deceptive advertising content.
- **Recovery Actions:** Issuing security advisories and direct communication to customers to exercise elevated caution.
## Lessons Learned
- **Key Takeaways:** Threat actors are increasingly utilizing sophisticated, high-fidelity social media advertising platforms as a primary vector for financial phishing scams. Financial institutions must implement proactive monitoring for brand impersonation across major advertising platforms.
- **What could have been done better:** Platforms need better automated detection to flag impersonation ads immediately, even when they leverage legitimate brand names.
## Recommendations
- **Prevention Measures for Similar Incidents:**
1. **Customer Education:** Continuously advise customers to verify all promotions by navigating directly to official bank websites or using official, verified contact channels rather than clicking on ads.
2. **Platform Vigilance:** Banks and organizations should maintain active, automated monitoring for their brand names used in paid advertising across major platforms like Instagram and Facebook.
3. **Verification Emphasis:** Users must verify that the landing page behind an ad is on an official bank domain, even when the ad looks professionally produced or carries a verified badge. An offer that seems "too good to be true" should be treated with extreme suspicion.
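Recommendations 2 and 3 above both come down to one check: does the landing URL behind an ad resolve to a domain the bank actually controls, or only to something that looks like one? The following is an added example of that check written from the brand-monitoring side; it is not code from the original report or from BMO or EQ Bank. The allowlist of official domains, the brand tokens and the sample ad URLs are all constructed for illustration (a real deployment would load the institution's own domain inventory), and the two-label `registrable_domain` rule is a simplification that should be replaced by a Public Suffix List lookup for multi-label TLDs.

```python
"""Triage landing URLs from social-media ads for bank brand impersonation.

Added example; not the report's or the banks' own code. Handles the
three common ways a phishing link fakes an official domain: the brand
name placed in a subdomain or path of an unrelated host, credentials
embedded before '@' so the real host is hidden, and non-ASCII homograph
hosts that punycode to 'xn--' labels.
"""
from urllib.parse import urlsplit

# Constructed allowlist for illustration only; use the bank's real domain inventory.
OFFICIAL_DOMAINS = {"bmo.com", "eqbank.ca"}

# Brand strings whose presence in a non-official URL suggests impersonation.
BRAND_TOKENS = ("bmo", "eqbank", "equitable")


def registrable_domain(host):
    """'login.bmo.com' -> 'bmo.com'. Simplified two-label rule (assumption);
    production code should consult the Public Suffix List (e.g. 'co.uk')."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_landing_url(url):
    """Return 'official', 'lookalike', 'unrelated', 'invalid' or 'unsupported-scheme'."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return "unsupported-scheme"
    host = parts.hostname or ""  # .hostname lowercases and strips port/userinfo
    if not host:
        return "invalid"
    # Embedded credentials ('https://bmo.com@evil.example') only serve to fake the visible domain.
    if parts.username is not None or parts.password is not None:
        return "lookalike"
    # Encode IDN to punycode: any 'xn--' label means non-ASCII characters (homograph risk).
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "invalid"
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        return "lookalike"
    if registrable_domain(ascii_host) in OFFICIAL_DOMAINS:
        return "official"
    # Brand name in a subdomain, path or query of a host the bank does not own.
    if any(token in url.lower() for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def triage(urls):
    """Group a batch of ad landing URLs by verdict for brand-monitoring review."""
    buckets = {}
    for url in urls:
        buckets.setdefault(classify_landing_url(url), []).append(url)
    return buckets


# Constructed sample ad URLs (all under reserved/example names; none are real IoCs).
SAMPLE_AD_URLS = [
    "https://www.bmo.com/promo",                         # official, with subdomain
    "https://BMO.com:443/offer",                          # official, odd casing and port
    "https://bmo.com@evil.example/login",                 # userinfo trick
    "https://secure.bmo.com.promo-login.example/",        # brand in subdomain
    "https://eqbank-rates.example/apply",                 # brand in hostname
    "https://bm\u043e.com/",                              # Cyrillic 'о' homograph
    "https://news.example/article?ref=ig",                # unrelated site
]

if __name__ == "__main__":
    for verdict, urls in sorted(triage(SAMPLE_AD_URLS).items()):
        print(f"{verdict}:")
        for url in urls:
            print(f"  {url}")
```

The order of the rules matters: the userinfo and punycode checks run before the allowlist lookup so that a host such as `bmo.com@evil.example` or a homograph of `bmo.com` can never be classified as official, and the allowlist lookup runs before the brand-token scan so that a legitimate `www.bmo.com/promo` is not flagged merely for containing the brand name.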