While many financial institutions have a presence on social media, not all content that appears to be legitimate and trustworthy actually is. Scammers are posting ads on Instagram impersonating Canadian banks, including Bank of Montreal and EQ Bank, in phishing campaigns.
An investigation from Bleeping Computer found a series of fake ad posts on Instagram that directed users to phishing websites that collect login credentials, as well as stories impersonating a well-known bank strategist that harvest contact information.
How scammers are impersonating banks on Instagram
These Instagram phishing scams have taken a couple of forms. In one, fraudsters are using what looks like official bank branding in static ad posts with promises of high interest yields on savings accounts. If users click through to learn more or apply, they are directed to a fake website and prompted to enter their account credentials. While the page looks legit, the URL clearly is not linked to EQ Bank’s actual domain.
Another version of this scam involves fake ads and AI deepfake videos impersonating Brian Belski, Bank of Montreal’s chief investment strategist. The “BMO Belski” ads show up in Instagram stories with screening questions like “How long have you been investing in stocks?” Upon answering, the user is prompted to submit their contact information to the advertiser. The videos direct users to private “investment groups” on WhatsApp.
The latter is an iteration of a fraud campaign I covered recently: Ads on Facebook that appear to be affiliated with prominent investors like ARK Investment Management’s Cathie Wood, CNBC’s Joe Kernan, and Fundstrat’s Tom Lee and lead users to group chats on WhatsApp, where they get sucked into pump-and-dump schemes. Obviously, the investors shown aren’t actually endorsing the ads or the advice, but an unsuspecting user may believe they are getting credible information from trusted sources.
As Bleeping Computer points out, the accounts behind the BMO Belski ads exist only on Facebook—Meta Business Manager allows Facebook pages to run Instagram ads without having an Instagram account. If you click through to the BMO Belski Facebook page, there are signs that the account is repurposing an existing page with an older creation date and established following (albeit only two posts), potentially giving it more credibility to the casual observer.
How to avoid bank impersonation scams
These fraudulent ads may be increasingly difficult to suss out thanks to the use of stolen brand assets and AI-generated videos that, as we’ve covered, are as believable as we want them to be.
Always have a critical eye on social media content that appears to come from a legitimate entity or well-known individual. Investors (trustworthy ones, anyway) and celebrities are typically not giving too-good-to-be-true finance tips on Instagram and Facebook or in WhatsApp chats.
Credible Instagram accounts have a “verified” badge, but you should still be wary of entering credentials on a site you’ve clicked to from an ad. You’re better off going directly to an organization’s official account page or website and logging in from there to verify any online promotions. Ads on social media are used for spreading malware—another reason not to engage with them.