Last night, I was lounging on the sofa…
An SMS text message arrived on my phone. It claimed to come from Monzo. I do have a bank account with Monzo, so that didn’t look suspicious. And the message was grouped with all the other text messages I receive from Monzo.
To avoid issues and remain verified with Monzo, please confirm your account at the link below. https://monzo-log-in.com/
Would you have trusted it?
I hope you wouldn’t. But I bet a lot of people would. Especially if – like me – you were a Monzo customer. And especially as it was presented alongside other messages from Monzo.
Thankfully I had my security spider senses turned up to 11, and so I knew better than to click on the link and enter my banking details.
But I did bravely go a little down the rabbit hole to show you what you would have seen if you had clicked…
First thing I saw is that the website the text message is linking you to, asks you for your email address. Monzo is very much a digital bank, which you only access via an app. As far as I know there is *no* website where you can login to your account.
If you looked up this particular website’s WHOIS entry you would also notice that it was only registered yesterday. Hmm… that’s a bit suspicious isn’t it?
Of course I didn’t enter my real email address. Why would I want the scammers to know my email address? They already seem to know my mobile phone number. So I entered a random email address instead.
And then I was presented with another screen, asking me to enter the PIN of my Monzo bank card. Ho ho ho, as if I was going to enter that.
At this point I sent Monzo a tweet, telling them about the scam.
— Graham Cluley (@gcluley) November 18, 2021
I also reported the URL to Google. In my experience if you do that Google can quite quickly protect billions of internet users, by displaying a warning dialog in their browser if they attempt to visit the same URL.
A quick trawl through Twitter uncovered that I wasn’t the only person to receive this particular phishing message, and there are plenty of other examples of Monzo banking customers receiving text messages asking them to visit other dodgy URLs that pretend to belong to Monzo.
Which leaves an obvious question. How did the scammers know to send me and other Monzo customers a text? I don’t receive SMS phishing texts pretending to be from companies with which I don’t bank. Is someone leaking the mobile phone numbers of banking customers, to help phishers make their scams look more realistic?