Online banking is a dream come true. No trips to the bank, no bureaucracy, and instant access to your money 24/7 from anywhere in the world.
It should come as no surprise that more and more people are migrating to 100% online financial services like Monzo or Revolut. According to estimates, over 5 million customers in the UK have joined the Monzo banking platform since its launch in 2015, and payment platform Revolut boasts 15 million users worldwide.
However, instant access to all your savings from a mobile phone comes with risks, as hackers have specialized in mobile threats in recent years and thrive on people’s lack of focus when they’re on the phone.
According to a report by security researcher William Thomas, cited by BleepingComputer, cybercriminals are actively targeting Monzo and Revolut users right now, trying to gain access to their accounts via SMS text messages that link to fake landing pages impersonating the real deal.
The scam mechanism is simple:
- Users get a text message, allegedly from Monzo, prompting them to click a link to confirm their account, acknowledge a new login or validate a replacement card.
- Clicking the link lands the user on a phishing page made to look authentic, where they are prompted for personal information such as their email credentials, full name, phone number and Monzo PIN. Criminals might deploy additional social engineering techniques and stealing bots to acquire information.
- Having stolen the victim’s email and Monzo credentials, criminals generate a golden link and activate the service on their own mobile device, gaining unlimited access to all the money in the account.
While investigating the domains used for the fake Monzo landing pages, Thomas also found similar domains used for Revolut scams, which means a similar attack mechanism is used against Revolut users and possibly other digital bank customers.
So here is what you should do to keep your money and your accounts safe:
- Be wary of any messages urging you to take hasty action.
- Don’t click on links in messages, even if the message seems to come from a trusted source.
- Don’t log in using links in messages.
- Always closely inspect links you get via messages, instant messages or emails — scam links are most often made to resemble legitimate URLs.
- Watch out for spelling or grammar mistakes that could indicate the message is a scam.
- Don’t give away your credentials to anyone, even law enforcement or bank staff. No one has the right to ask for your credentials.
- Consider running a security solution on your phone. Bitdefender Mobile Security for both Android and iOS can offer you an extra layer of protection by automatically detecting link-based mobile scams and alerting against incoming threats.
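
The advice above to closely inspect links can be partly automated. The following is an added example, not code from the original article or from Thomas's report: it pulls hostnames out of a text message and flags any that use a bank's name without belonging to the bank's own domain. The allowlist (monzo.com, revolut.com), the character-substitution table and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumed allowlist for this example; extend with every domain your bank really uses.
OFFICIAL = {"monzo": {"monzo.com"}, "revolut": {"revolut.com"}}
# Digit-for-letter swaps often seen in lookalike names (assumed, not exhaustive).
LEET = str.maketrans("0135", "oles")
# Hostname with optional scheme; the path is consumed so it is not re-scanned.
HOST_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z][a-z0-9-]+)(?:/\S*)?", re.I)


def classify(host):
    """Return (verdict, brand) where verdict is official, lookalike or unknown."""
    host = host.lower().rstrip(".")
    for brand, domains in OFFICIAL.items():
        # Official only if the host IS the domain or a true subdomain of it,
        # so "monzo.com.secure-check.example" does not pass.
        if any(host == d or host.endswith("." + d) for d in domains):
            return ("official", brand)
    # Undo digit swaps and hyphens, then look for the brand anywhere in the name.
    skeleton = host.translate(LEET).replace("-", "")
    for brand in OFFICIAL:
        if brand in skeleton:
            return ("lookalike", brand)
    return ("unknown", None)


def scan_sms(text):
    """Classify every hostname found in one message."""
    return [(h.lower(),) + classify(h) for h in HOST_RE.findall(text)]


# Constructed sample messages (.example is a reserved TLD, never a real site).
SAMPLES = [
    "Monzo: new login detected. Confirm at https://monzo-verify.example/login",
    "Revolut: validate your replacement card at rev0lut.help-desk.example/card",
    "Account check required: https://monzo.com.secure-check.example/",
    "Your Monzo statement is ready: https://monzo.com/",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        for host, verdict, brand in scan_sms(sms):
            print(f"{verdict:9} {brand or '-':8} {host}")
```

An "unknown" verdict only means the hostname does not mention a listed bank; it says nothing about whether the link is safe.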