A couple from Frome in Somerset, UK, lost their savings after being targeted by the Royal Mail text “smishing” scam followed by a “call from your bank” targeted phishing scam.
Here’s how the scam worked and how you can avoid it.
Tom and Freyja Cuff were first targeted by scammers after receiving a text message claiming to come from the Royal Mail about a pending delivery that needed a small £2.50 fee to be paid before it could be delivered.
This is a very popular scam that we’ve discussed before. These scam text messages are sent out to thousands of recipients, with the scammers hoping that at least some people bite and click the link to make the payment.
Of course there is no pending delivery from Royal Mail, and the link Mrs. Cuff clicked led to a spoof website pretending to be the genuine Royal Mail website. The objective of this website is to lure the victim into entering personal and financial information into it. This can include name, address and debit or credit card information.
Once that information is entered, it is sent to the crooks, while the victim believes it has gone to the Royal Mail. Now the crooks have enough information to make payments using the victim’s bank account.
You might ask why a step two is needed, given that the cyber-crooks now have enough information to withdraw money from the victim’s bank account. There are two reasons.
Firstly, the crooks don’t know how much money is in the account and how much they can potentially steal. Secondly, the crooks know that continued purchases from the bank account will likely soon be blocked, either because the victim notices the activity or because the bank’s automated security systems do.
As such, the second stage of the scam begins after the crooks make a handful of smaller purchases from the victim’s bank account. The criminals contact the victim (no doubt using the phone number their spoof website asked for during step one), pretending to be from the victim’s bank and claiming fraudulent activity has occurred.
This step of the scam can be particularly convincing because the crooks are now armed with plenty of personal information about their victim thanks to the information gleaned during the first step of the scam. The crooks claim to be from the victim’s bank, and claim the victim’s bank account has been compromised. They urge the victim to transfer their money to a “safe” bank account to ensure it remains intact.
As our regular readers will no doubt have determined, this is the crux of the scam. Any money transferred to the “safe” bank account is stolen because the safe account is really the scammer’s bank account. Now the crooks have all the victim’s money in their account, and neither the victim nor the bank stopped the transaction because it was the victims themselves that executed it.
This is essentially a double-phishing scam. First, the scammers pretended to be from Royal Mail to trick the victim into handing over sensitive information (a smishing attack, since it was orchestrated over SMS). Second, they ran a targeted phishing scam over the phone (targeted because the crooks had plenty of personal information about the victim).
You can read more about the scam that targeted Tom and Freyja Cuff as they spoke to the BBC here.