UK customers of the fintech bank Monzo have been targeted by an SMS-based phishing campaign which aims to steal sensitive information from their accounts, according to CityAM.
Before becoming a Monzo account holder, a user must click a ‘golden link’ sent to their email address in order to verify their account, which has been touted as the reason for the attack.
“This is what the phishing threat actors are after,” said cyber security researcher William Thomas, who first discovered the ongoing fraud attack.
Thomas explained on his blog that the fraud begins with an SMS text message appearing to have come from Monzo.
The text then asks the receiver to click the provided link to either confirm their account or reactivate their login.
Once a customer’s email address and password have been collected, the site then asks for additional information, including the customer’s name, PIN and contact number.
Former head of Dorset Police digital forensics Jake Moore told CityAM: “However convincing phishing communications are, they still heavily rely on quick, out-of-the-blue contact that often forces people to click on a link before they have time to question what they are doing.
“What makes many campaigns more successful, however, is if there is a way of making those unexpected notifications slightly more expected.
“This is more challenging for attackers but can be completed with extra information usually located in underground marketplaces from previous data leaks or via the help of a rogue insider.
“Therefore, even if an SMS or email is received in a timely manner and from an organisation you are connected with, it is still advised to double check the links attached and the processes involved, especially when dealing with a financial organisation.”