UK customers of all-digital bank Monzo are being targeted with an SMS-based phishing campaign, aiming to steal sensitive information from their accounts, according to various reports this morning, including Computing magazine.
One of the most important aspects of creating a Monzo account is verifying a customer’s device, normally done through a ‘golden link’ sent to the user’s email address.
“This is what the phishing threat actors are after,” said cyber security researcher William Thomas, who first uncovered the ongoing phishing campaign.
Thomas explained on his blog that the fraud begins with an SMS text message appearing to have come from Monzo.
It asks the recipient to click the provided link to either confirm their account or reactivate their login. The link leads to a phishing website that first collects the victim's email address and password, then asks for additional information such as the victim's name, Monzo PIN and contact number.
Discussing the attack with City A.M. this morning, Jake Moore, the former Head of Digital Forensics at Dorset Police who is now the Global Cybersecurity Advisor at ESET, said that "however convincing phishing communications are, they still heavily rely on quick, out-of-the-blue contact that often forces people to click on a link before they have time to question what they are doing."
“What makes many campaigns more successful, however, is if there is a way of making those unexpected notifications slightly more expected,” Moore explained.
“This is more challenging for attackers but can be completed with extra information usually located in underground marketplaces from previous data leaks or via the help of a rogue insider.”
"Therefore, even if an SMS or email is received in a timely manner and from an organisation you are connected with, it is still advised to double-check the links attached and the processes involved, especially when dealing with a financial organisation," Moore concluded.