“Instant bank fraud” hoax is back – don’t spread fake news!

Yesterday, we wrote about an SMS phishing scam that targeted mobile phone users by telling them that a payment hadn’t gone through.

The fake SMSes were believable enough, except for the link you were asked to click:

(O2): We haven't received your recent bill payment, please update your details at https://o2.uk.xxxxxxx.com/?o2=2 to avoid additional fees

The URL in the text message started with the name of the relevant mobile phone company, to lull you into a false sense of security, but ended in an unrelated scam domain set up as a vehicle for this fraud:

As you can see, clicking through would take you to a convincing facsimile of a real login page, with an HTTPS website name and an “encryption” padlock, with the layout and images ripped off from the real site…

…but with a fake server name in the URL in the address bar.

As you probably know, the idea of a scam like this is to catch you when you’re tired or in a hurry, in the hope that you’ll type in your login details without taking the time to look for telltale signs that the site is a fraudulent clone of the real thing.

Typing in your login data on the fake site exposes your credentials to the crooks because your password is sent to them instead of to your real mobile phone provider.

The crooks will then typically do one or more of these things:

  • Try your username and password right away to see if they work. Assume that the crooks will try out the data you just entered immediately.
  • Try the same password on other accounts of yours. This is called credential stuffing, and it’s the main reason why you should never use the same password on two different accounts. Even if you have different usernames on other sites, assume that the crooks already know which usernames match up.
  • Sell on your password, and any other data you gave away, to other crooks. Assume that any phished data will soon be circulating widely in the cybercriminal underground. Even if the original crooks don’t have a plan to abuse it, someone else surely will.

Could this lead to “instant bank fraud”?

As you can see from the list above, it’s theoretically possible that getting your mobile phone account password hacked might give the crooks a way in (or at least a hint of a way in) to your bank account too, especially if you used the same password on your banking site as elsewhere.

However, if all you did was to click through, realise you were being tricked, and get out of the fraudulent web page right away, without typing in anything at all…

…then you are almost certainly OK.

The crooks may be able to track that you were sucked into the very first stage of the scam because you visited the link – a lot of scams include a tracking code in the link to keep tabs on who clicked and who didn’t, just like legitimate marketing companies do.

But if you just looked at the page and didn’t put in your password, then you got out in time, and there is little reason to think that you could be the victim of “instant bank fraud” as a result.

When scams become hoaxes

Sadly, you may have heard otherwise via social media.

There are people out there – often they’re well-meaning individuals, but sometimes they seem to be pranksters or troublemakers – who will take phishing scams like the one just described and exaggerate them into hoaxes that they share on social networks.

That’s what seems to have happened this week.

One of the most searched-for articles on Naked Security this week has been one we wrote about back in March 2020, entitled “Instant bank fraud” warning spread on WhatsApp is a hoax:

The bad news is that this hoax has returned, apparently on the back of the SMS scam messages we mentioned above, and it seems to be getting forwarded plentifully on WhatsApp and elsewhere, as noted by the UK government’s Action Fraud team:

Straight from the City of London fraud team - Extremely sophisticated scam going about, involving all banks. You get a message saying a payment hasn't been taken. [...] As soon as you touch it your money is gone.


Pass this on to everyone please. [...] Thousands flying out of peoples accounts! Spread the word to your family and friends!

As you can see, there’s a thin veneer of not-entirely-impossible technical theory in the above message, namely that just viewing a scam page might somehow implant malware on your computer and that this malware might somehow target your banking password.

But malware infections merely from viewing a booby-trapped web page are very rare these days, and even if this happened to you, the chance that any malware would instantly be able not only to figure out your banking password and login to your account but also to drain your account in one go…

…well, that’s extremely unlikely.

In fact, it’s so unlikely, and would be so dramatic, that if it were to happen it’s reasonable to assume that cybersecurity websites and banks everywhere would be proclaiming it in great detail, explaining how it worked, and advising you on what to do.

Hoaxes live long lives

This time, there are some tiny alterations to the original hoax, such as adding more mobile phone providers’ names, but otherwise the new version of this hoax is almost identical to the one that we wrote about in March 2020, carrying the same fake news with the same fake “details” added.

Once again, the hoax deliberately, but untruthfully, claims legitimacy by insisting at the start that the City of London Police fraud team was the source of the information.

Even though the City Police have previously tweeted that they did not issue any such warning, the mere mention of officialdom in the first words of the text have given this hoax a long-running air of credibility that it does not deserve.

What to do?

  • Don’t spread discredited stories online via any messaging app or social network. Do your homework. There’s enough fake news around at the moment without adding to it.
  • Don’t be tricked by claims to authority. Anyone can write “the police announced this”, but that doesn’t tell you anything useful. In this hoax, what the police actually announced was that they didn’t announce it.
  • Don’t use the “better safe than sorry” excuse. Lots of people forward hoaxes with the best intentions, thinking that if it turns out to be true they will be glad they shared it, but if it turns out false, no harm will have been done . But you can’t make someone safer by “protecting” them from something that doesn’t exist or by giving them “advice” that offers a false sense of security.

Yes, you should pick proper passwords; yes, you should use 2FA, especially for email or banking logins; no, you should never use the same password twice; and no, you should never login on a sign-in page you reached via a link in an SMS or email.

But the real lesson here is that we all need to do our bit to stop fake news like this from getting traction it doesn’t deserve.

We owe it to our friends and family to stop them getting suckered into watching out for cybersecurity attacks that aren’t going to happen, thus saving them time to take action against attacks that are.

In this case, you need to spread the word to your family and friends NOT to spread the word to their family and friends!