Yesterday we wrote about an SMS scam that targeted mobile phone users by telling them that a payment had failed.
The fake text messages were quite plausible, except for the link you had to click on:
(O2): We have not received payment for your last invoice. Please update your data on https://o2.uk.xxxxxxx.com/?o2=2 to avoid extra costs.
The URL in the SMS starts with the name of the relevant mobile phone company to lull you into a false sense of security, but ends with a domain that has nothing to do with that company and was registered purely to run this scam:
As you can see, one click takes you to a convincing fake of the real login page, complete with an HTTPS site name and a padlock, and with layout and images copied from the real site…
…but with a bogus server name in the URL in the address bar.
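To make the point about the URL concrete, here is an added example (not code from the original article or from Sophos) that splits a host name into its registrable domain and its subdomains and flags links where a brand name appears only in the subdomain. The suffix list is a tiny constructed stand-in for the Public Suffix List, the brand table and the sample URLs are assumptions made for the example, and the function names are mine:

```python
"""
Spot 'brand-in-the-subdomain' lookalike URLs such as o2.uk.xxxxxxx.com.
Added example; not code from the original article.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org).
# A real checker would load the full list; this handful is enough for the demo.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}

# Constructed brand table: brand token -> registrable domains the brand really
# owns. Values here are assumptions for the example, not a verified list.
BRANDS = {"o2": {"o2.co.uk", "o2.com"}}


def registrable_domain(host: str) -> str:
    """Return the part of `host` that somebody had to register, e.g.
    'xxxxxxx.com' for 'o2.uk.xxxxxxx.com'. Every label to the left of it is a
    subdomain that the registrant can set to any text they like."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the left so the first hit is the longest matching suffix
    # ('co.uk' wins over 'uk').
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def lookalike_warning(url: str, brands: dict[str, set[str]] = BRANDS) -> str | None:
    """Flag URLs whose subdomain contains a brand name while the registrable
    domain is not one of that brand's own domains. Returns None if the URL
    does not look like a brand impersonation."""
    host = urlsplit(url).hostname or ""
    if not host:
        return None
    reg = registrable_domain(host)
    subdomain_labels = host[: len(host) - len(reg)].rstrip(".").split(".")
    for brand, official in brands.items():
        if brand in subdomain_labels and reg not in official:
            # An HTTPS padlock would not help here: it only shows that the
            # connection to `reg` is encrypted, not that `reg` is the brand.
            return f"'{brand}' is only a subdomain; the site belongs to '{reg}'"
    return None


# Constructed sample links: the smishing URL from the article plus two benign ones.
SAMPLE_URLS = [
    "https://o2.uk.xxxxxxx.com/?o2=2",
    "https://www.o2.co.uk/account",
    "https://accounts.example.com/login",
]


def check_samples(urls: list[str] = SAMPLE_URLS) -> dict[str, str | None]:
    """Run the check over a list of URLs and return url -> warning (or None)."""
    return {url: lookalike_warning(url) for url in urls}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{url}\n  -> {verdict or 'no brand mismatch detected'}")
```

The key design choice is to work from the right-hand end of the host name: only the label immediately left of the public suffix had to be registered, so that is the only part the padlock vouches for, while everything further left (including "o2.uk") is free text chosen by whoever owns xxxxxxx.com.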
As you probably know, the idea behind this kind of scam is to catch you when you're tired or in a hurry, hoping you'll enter your login details without stopping to look for signs that the site is a fraudulent clone of the real thing.
By entering your credentials on a fake website, you expose yourself to the risk of fraud because your password goes to the crooks instead of to your real service provider.
Fraudsters usually do one or more of these things:
- Try your username and password right away to see if they work. Assume the crooks will attempt to use the details you just entered immediately.
- Try the same password on your other accounts. This is called credential stuffing and is the main reason why you should never use the same password for two different accounts. Even if you use different usernames on other sites, assume the crooks can work out which usernames belong to you.
- Sell your password, and any other information you entered, to other crooks. Assume that before long all phished data ends up widely available in the cybercriminal underground. Even if the original crooks don't intend to take advantage of it, someone else will.
Could it lead to immediate bank fraud?
As you can see from the list above, it is theoretically possible that phishing your mobile phone account password could give the crooks a way into your bank account (or at least a foothold towards it), especially if you use the same password for your bank as elsewhere.
However, if you merely visited the site, realised you were being scammed, and left the fraudulent page without typing anything in…
…you'll almost certainly get away with it.
The crooks may be able to tell that you took the very first step in the scam by visiting the link, because many of them embed a tracking code in each link to find out who clicked and who didn't, just as legitimate marketing companies do.
But if you only looked at the site and didn't enter your password, you got out in time, and there's no reason to assume that you could be the victim of immediate bank fraud.
When a scam becomes a hoax
Unfortunately, you may have heard differently on social networks.
There are people – often well-meaning, but sometimes apparently just pranksters or troublemakers – who take phishing scams like the one we've just described and blow them out of proportion in hoaxes that they spread on social networks.
That seems to be what happened this week.
One of the most-read articles on Naked Security this week is one we wrote in March 2020 entitled Instant Banking Fraud: the WhatsApp alert being shared is a hoax:
The bad news is that this hoax has resurfaced on the back of the SMS scam mentioned above and seems to have been sent around in large numbers on WhatsApp and elsewhere, as noted by the UK's anti-fraud team:
We are aware of a rumour going around on WhatsApp, SMS and social networks which mentions @CityPoliceFraud and claims that bank customers are being scammed by #smishing.
The content of this message is incorrect. pic.twitter.com/eLVM4tnYi
– Action Fraud (@actionfrauduk) 10 November 2020
Directly from the City of London anti-fraud team, a highly complex fraud involving all banks. You will receive a message that the payment has not been accepted. As soon as you touch it, your money disappears. […]
Can you give this to everyone? Thousands fly out of people’s accounts! Tell your family and friends!
As you can see, the message above is built on a thin layer of what is not an entirely impossible technical theory, namely that merely visiting a fraudulent site can somehow implant malware on your computer, and that this malware is somehow aimed at your bank password.
But malware that infects you merely by browsing a booby-trapped website is very rare these days. And even if that did happen to you, the idea that the malware would immediately discover your bank password, log into your account and empty it on the spot…
…well, that’s very unlikely.
In fact, it is so unlikely, and would be so dramatic, that if it were the case, it is reasonable to assume that cybersecurity sites and banks around the world would be providing very detailed information about it, explaining how it works, and advising you on what to do.
Hoaxes live long
This time, a few minor changes have been made to the original version of the hoax, such as adding the names of new mobile operators, but otherwise the new version is almost identical to the one we wrote about in March 2020, with the same bogus details.
Once again, the hoax deliberately, but dishonestly, claims legitimacy by insisting from the outset that the information came from the City of London Police anti-fraud team.
Although the City of London Police had already tweeted that they had issued no such warning, the mere mention of official law enforcement at the start of the text lent this hoax an air of credibility that it did not deserve.
What should I do?
- Don't share unverified stories online via messaging apps or social networks. Do your homework first. There are already enough fake messages going around without adding to them.
- Don't be taken in by claims of authority. Anyone can write "the police say", but that doesn't make it true. In this hoax, the police actually announced that they had said no such thing.
- Don't hide behind "better safe than sorry". Many people pass on false messages with the best of intentions, reasoning that if the message turns out to be true they'll be glad they shared it, and if it turns out to be false, no harm done. But you can't make someone safer by protecting them from something that doesn't exist, or by giving them advice that leaves them with a false sense of security.
Yes, you should choose proper passwords; yes, you should use 2FA, especially for email and banking; no, you should never use the same password twice; and no, you should never log in on a login page you reached by clicking a link in an SMS or email.
But the real lesson is that we all have to do our best to stop these false messages from getting the attention they don't deserve.
We owe it to our friends and family to make sure they don't waste their energy watching out for cyberattacks that aren't happening, so that they have time to deal with the ones that are.
In this case, you should tell your family and friends NOT to pass it on!