Marks & Spencer shoppers are being targeted by hackers posing as the company’s chief executive Steve Rowe.
M&S says it is “investigating” fraudulent adverts, shared widely across Facebook, which offer shoppers a £35 gift voucher in exchange for their personal and financial details.
The adverts, first discovered by Parliament Street’s cyber research team, feature a photo of a man (who is not Steve Rowe), with text encouraging users to share and comment on the post.
“Hello everyone, my name is Steve Rowe and I am the CEO of Marks and Spencer!”, the advert reads.
“I’ve an announcement to make – To celebrate our 135th Anniversary, we are giving EVERYONE who shares & then comments by 11.59pm tonight one of these mystery bags containing a £35 M&S voucher plus goodies!”
Users are then encouraged to follow a URL which takes them to an M&S-branded page and asks them for their name, address, phone number, bank account number and sort code.
While the number of people who may have fallen victim to the scam is unknown, around 150 people have reported it so far. The retailer says it has “been made aware” and its colleagues are “investigating further”.
“It is unsurprising to see the CEO impersonated, as from our analysis CEOs are currently the most targeted candidates for impersonation in these ‘project-related’ impersonation attacks and this is likely to remain so,” head of threat intelligence analysis at Mimecast Phil Hay said.
“Our research has shown that 36.4% of IT professionals surveyed in the UK say their organisation’s CEO is the most targeted exec within their organisation.
“Additionally, variations or further development of this type of tactic is also likely to include impersonation of other key and senior personnel within organisations, in an attempt to induce compliance with the instructions given. The public must be aware of these attacks and do their due diligence before entering personal information.”