Yesterday, we wrote about an SMS phishing scam that targeted mobile phone users by telling them that a payment hadn’t gone through.
The fake SMSes were believable enough, except for the link you were asked to click:
(O2): We haven't received your recent bill payment, please update your details at https://o2.uk.xxxxxxx.com/?o2=2 to avoid additional fees
The URL in the text message started with the name of the relevant mobile phone company, to lull you into a false sense of security, but ended in an unrelated scam domain set up as a vehicle for this fraud:
As you can see, clicking through would take you to a convincing facsimile of a real login page, with an HTTPS website name and an “encryption” padlock, with the layout and images ripped off from the real site…
…but with a fake server name in the URL in the address bar.
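As an added illustration (not part of the original article), here is a small Python check of the trick described above: it splits the host into labels, works out which part someone actually had to register, and flags a URL that name-drops a brand in its subdomains (or in the user-info part before an @) while its registrable domain is not one the brand owns. The allowlist entry o2.co.uk, the tiny suffix table and the brand token are assumptions for the example, not a full public-suffix list.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the domains the brand actually uses.
LEGIT_DOMAINS = {"o2.co.uk"}

# Assumption: a handful of multi-label public suffixes, not the full PSL.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that someone had to register.

    'o2.uk.xxxxxxx.com' -> 'xxxxxxx.com'; 'accounts.o2.co.uk' -> 'o2.co.uk'.
    Everything to the left of that is a subdomain the registrant picks freely.
    """
    labels = host.lower().rstrip(".").split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        n = suffix.count(".") + 1
        if len(labels) > n and ".".join(labels[-n:]) == suffix:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_brand_url(url: str, brand_tokens=("o2",)) -> dict:
    """Flag a URL that mentions a brand in its host but is registered elsewhere."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    # Split the whole netloc so 'https://o2.co.uk@xxxxxxx.com/' is also caught.
    pieces = re.split(r"[.@:]", parts.netloc.lower())
    brand_mentioned = any(tok in pieces for tok in brand_tokens)
    return {
        "host": host,
        "registrable_domain": reg,
        "brand_mentioned": brand_mentioned,
        "on_allowlist": reg in LEGIT_DOMAINS,
        "suspicious": brand_mentioned and reg not in LEGIT_DOMAINS,
    }


if __name__ == "__main__":
    # Constructed sample: the shape of the link from the scam SMS.
    print(check_brand_url("https://o2.uk.xxxxxxx.com/?o2=2"))
    print(check_brand_url("https://accounts.o2.co.uk/login"))
```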
As you probably know, the idea of a scam like this is to catch you when you’re tired or in a hurry, in the hope that you’ll type in your login details without taking the time to look for telltale signs that the site is a fraudulent clone of the real thing.
Typing in your login data on the fake site exposes your credentials to the crooks because your password is sent to them instead of to your real mobile phone provider.
The crooks will then typically do one or more of these things:
- Try your username and password right away to see if they work. Assume that the crooks will try out the data you just entered immediately.
- Try the same password on other accounts of yours. This is called credential stuffing, and it’s the main reason why you should never use the same password on two different accounts. Even if you have different usernames on other sites, assume that the crooks already know which usernames match up.
- Sell on your password, and any other data you gave away, to other crooks. Assume that any phished data will soon be circulating widely in the cybercriminal underground. Even if the original crooks don’t have a plan to abuse it, someone else surely will.
Could this lead to “instant bank fraud”?
As you can see from the list above, it’s theoretically possible that getting your mobile phone account password hacked might give the crooks a way in (or at least a hint of a way in) to your bank account too, especially if you used the same password on your banking site as elsewhere.
However, if all you did was to click through, realise you were being tricked, and get out of the fraudulent web page right away, without typing in anything at all…
…then you are almost certainly OK.
The crooks may be able to track that you were sucked into the very first stage of the scam because you visited the link – a lot of scams include a tracking code in the link to keep tabs on who clicked and who didn’t, just like legitimate marketing companies do.
But if you just looked at the page and didn’t put in…