Monzo bank customers targeted in new phishing campaign

Monzo has warned its customers not to click on links sent in text messages


The fraud collects a victim's email address, password and Monzo PIN - everything they need to compromise an account

UK customers of all-digital bank Monzo are being targeted with an SMS-based phishing campaign, aiming to steal sensitive information from their accounts.

Launched in 2015, Monzo is a popular digital-only bank in the UK with more than 4 million customers. It offers a full online banking service through an app. Without physical branches, Monzo uses a comprehensive system of ID verification and other security checks to detect fraudulent activities.

One of the most important aspects of creating a Monzo account is verifying a customer's device, normally done through a 'golden link' sent to the user's email address.

"This is what the phishing threat actors are after," says cyber security researcher William Thomas, who first uncovered the ongoing phishing campaign.

Thomas explained on his blog that the fraud begins with an SMS text message appearing to have come from Monzo. It asks the receiver to click the provided link to either confirm their account or reactivate their login.

The link takes the user to a phishing site that shows a fake login form, asking the user to enter their email details. The website then redirects them to a page that appears as one belonging to their email provider, like Gmail, prompting them to log in for security reasons.

After collecting both their email address and password, the website asks for additional information such as the victim's name, Monzo PIN and contact number.

With those details, the fraudsters have everything they need to take over a Monzo account.

If the email account is protected by 2FA, Thomas says the threat actors may try to circumvent it with additional social engineering steps or by employing OTP stealing bots.

Monzo confirmed the existence of the latest phishing scam through a Twitter post.

'We'd never send you a link to verify your account via text, or ask you to log in to a website to confirm any account details,' it said.

The company advised that, instead of tapping links in text messages, users should check their banking app first, since any genuine notification would appear in the app.

'Social engineering is when a criminal tricks you into trusting them. They'll start by doing some research about you online, and then they'll use what they find out to pretend to be someone else,' Monzo warns on its website.

'When you get an email that claims to be from Monzo, check the email address of the sender. The words after '@' should be '@monzoemail.com', '@monzomail.com' or '@monzo.com'.'

'If you don't see any of these, the email isn't from Monzo and you shouldn't click any links in the email.'
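Monzo's advice above is to check the sender's domain against an exact list. The check below is an added illustration, not code from Monzo or the article, of how to do that robustly: it parses the real address out of the header (ignoring the display name), compares the domain exactly and case-insensitively against the three domains named above, and contrasts this with a naive substring test that lookalike domains defeat. The sample headers are constructed.

```python
from email.utils import parseaddr

# The three domains the article says genuine Monzo email comes from.
MONZO_DOMAINS = {"monzoemail.com", "monzomail.com", "monzo.com"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the actual address in a From: header.

    The display name is ignored, so 'Monzo <x@evil.invalid>' yields
    'evil.invalid'. Returns '' when no address can be parsed.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    # Split on the last '@' so a quoted local part containing '@' is handled.
    return addr.rsplit("@", 1)[1].strip().lower()


def is_from_monzo(from_header: str) -> bool:
    """Exact allow-list match on the sender domain.

    No prefix/suffix/substring matching: 'monzo.com.lookalike.invalid' and
    'notmonzo.com' are rejected, as is a bare display name with no address.
    """
    domain = sender_domain(from_header)
    return bool(domain) and domain in MONZO_DOMAINS


def naive_check(from_header: str) -> bool:
    """The tempting but wrong version: a substring test on the whole header.

    It accepts any header that merely contains one of the strings, so a
    display name or a lookalike domain can satisfy it.
    """
    return any("@" + d in from_header for d in MONZO_DOMAINS)


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        "Monzo <help@monzo.com>",
        "help@monzoemail.com",
        "Monzo <help@MONZO.COM>",
        "Monzo <help@monzo.com.lookalike.invalid>",
        "Monzo <help@notmonzo.com>",
        "Monzo",
    ]
    for hdr in samples:
        print(f"{hdr!r:45} exact={is_from_monzo(hdr)!s:5} naive={naive_check(hdr)}")
```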

Phishing campaigns, which are relatively easy to set up and deploy, have become an increasingly popular tactic among hackers in recent years. Phishing emails usually impersonate a famous brand or company, with the hackers attempting to trick the unsuspecting victims into disclosing important details like bank account numbers.

In December, a study by Phished.io, a provider of cybersecurity training software, indicated that more than a fifth of employees will fall for a phishing message, taking further action such as clicking on a link.

The study, which involved sending 100 million simulated phishing attempts to people worldwide, found that people are still disturbingly likely to fall for phishing messages, particularly if those messages are short, contain a request for help and if the sender appears to be someone known to the recipient.