Beware Monzo phishing scams via SMS

Graham Cluley

Last night, I was lounging on the sofa…

PING!

An SMS text message arrived on my phone. It claimed to come from Monzo. I do have a bank account with Monzo, so that didn’t look suspicious. And the message was grouped with all the other text messages I receive from Monzo.

Monzo SMS messages

To avoid issues and remain verified with Monzo, please confirm your account at the link below. https://monzo-log-in.com/

Would you have trusted it?

I hope you wouldn’t. But I bet a lot of people would. Especially if – like me – you were a Monzo customer. And especially as it was presented alongside other messages from Monzo.

Thankfully I had my security spider senses turned up to 11, and so I knew better than to click on the link and enter my banking details.

But I did bravely go a little down the rabbit hole to show you what you would have seen if you had clicked…

The first thing I saw is that the website the text message links you to asks you for your email address. Monzo is very much a digital bank, which you only access via an app. As far as I know there is *no* website where you can log in to your account.

Monzo phishing page

If you looked up this particular website’s WHOIS entry, you would also notice that it was only registered yesterday. Hmm… that’s a bit suspicious, isn’t it?

Of course I didn’t enter my real email address. Why would I want the scammers to know my email address? They already seem to know my mobile phone number. So I entered a random email address instead.

And then I was presented with another screen, asking me to enter the PIN of my Monzo bank card. Ho ho ho, as if I was going to enter that.

Monzo phishing page

At this point I sent Monzo a tweet, telling them about the scam.

I also reported the URL to Google. In my experience, if you do that, Google can quite quickly protect billions of internet users by displaying a warning dialog in their browser if they attempt to visit the same URL.

A quick trawl through Twitter uncovered that I wasn’t the only person to receive this particular phishing message, and there are plenty of other examples of Monzo banking customers receiving text messages asking them to visit other dodgy URLs that pretend to belong to Monzo.

Which leaves an obvious question. How did the scammers know to send me and other Monzo customers a text? I don’t receive SMS phishing texts pretending to be from companies with which I don’t bank. Is someone leaking the mobile phone numbers of banking customers, to help phishers make their scams look more realistic?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

14 comments on “Beware Monzo phishing scams via SMS”

  1. Jon

    One possibility is a Ticketmaster style breach – if a threat actor is catching both PAN numbers and mobile numbers through a merchant’s checkout process, they can match the leading digits of the PAN to the issuing bank… Of course, it could be entirely coincidental!

    1. Karoli Evans · in reply to Jon

      Excellent job, Graham Cluley. I didn't trust it, just deleted it, as I have no account with Monzo.

  2. Andy

    I have received similar messages attempting to capture my account details for Santander and NatWest (and I've never held accounts with either, so easy to spot). Could just be sending out mass messages hoping that some are genuine customers of those banks.

  3. Jeremy

    > As far as I know there is *no* website where you can login to your account.

    Small correction: there is a Monzo website you can log on to, https://web.monzo.com

  4. Monkey

    My wife got a Monzo phishing scam SMS too. She has never had anything to do with Monzo. I think it's just a scattergun phishing scam.

  5. Barry

    In the UK you can forward the text to 7726 (spam). It will then be investigated by the network provider; hopefully this will reduce the amount of texts.

    1. M Freeman · in reply to Barry

      Thanks. For those wondering how the heck to do this on iPhone now they've hidden the function: Tap and hold the message; tap More on the pop-up menu; Tap Share (curved arrow); Tap + on right side of To field; enter 7726; tap Send. Credit to https://www.lifewire.com/forward-a-text-message-on-iphone-1999154

  6. john J

    I received 2 texts today, supposedly from Monzo, asking to verify. I do not have an account with them??

  7. Carole Weaver

    Both my daughter (who doesn’t have a Monzo acct) and I received an SMS asking to verify some details. I have a Monzo account and have sent money to my daughter.

    Do I need to do anything? Is my account under threat?

    1. Alyssa · in reply to Carole Weaver

      Please don’t. I’ve come here to share. I was silly enough to think it was real. My entire bank account has been drained. Always ring or start a chat on the Monzo app before clicking the link! Learn from my mistake.

    2. Elle · in reply to Carole Weaver

      Never click or do anything if you receive unsolicited texts or mail. Do some checks even if you have had dealings with whoever the message is from.

  8. Fawcet

    Hi, I had one today telling me my replacement card is ready 😳 I don’t have an account 🤨

  9. Elle

    Received a text from MonzoUK informing me that my email address “is no longer confirmed” and asking me to click a link to continue using Monzo.
    I have never had anything to do with this lot, nor do I intend to.
    Beware if you get a message like this and do NOT click the link.

  10. Andy

    I received a text saying a Monzo replacement card has been requested. Not having a Monzo account, I assumed it was a scam and later in the text it said "If you do not recognise this request foIIow: monzo-replacement-support.com". Seeing "follow" spelled "foIIow" (with capital "I"s rather than small "l"s) just confirmed that it was a scam, so I reported it to 7726 together with the mobile number that sent it. So, if +447367065275 appears as the sender, just forward the message to 7726.
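
Two of the indicators described in the article and in the comments above (the bank's name embedded in an unrelated domain, and a capital "I" standing in for a lowercase "l") can be checked mechanically. The following is an added example, not part of the original post or its comments; the allowlist treats monzo.com as the only official domain, an assumption based on the web.monzo.com address a commenter gives, and all function names are hypothetical.

```python
import re

# Assumption: monzo.com is the only official domain (taken from the
# web.monzo.com address quoted in the comments); a real deployment would
# load the brand's published domain list instead.
OFFICIAL = {"monzo": {"monzo.com"}}

# URLs with or without a scheme; group 1 is the hostname.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
# Capital "I" inside an otherwise lowercase word, e.g. "foIIow" for "follow".
HOMOGLYPH_RE = re.compile(r"\b[a-z]+I+[a-z]+\b")


def hosts_in(text):
    """Return the lowercase hostname of every URL or bare domain in text."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def is_official(host, brand):
    """True only if host is an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL[brand])


def triage(text):
    """Return a sorted list of indicators found in one SMS body."""
    findings = set()
    for host in hosts_in(text):
        for brand in OFFICIAL:
            # Brand name appears in the host, but the host is not the brand's.
            if brand in host and not is_official(host, brand):
                findings.add(f"lookalike-domain:{host}")
    for word in HOMOGLYPH_RE.findall(text):
        findings.add(f"homoglyph-word:{word}")
    return sorted(findings)


if __name__ == "__main__":
    samples = [
        # Message text quoted in the article.
        "To avoid issues and remain verified with Monzo, please confirm "
        "your account at the link below. https://monzo-log-in.com/",
        # Fragment quoted in the comments.
        "If you do not recognise this request foIIow: monzo-replacement-support.com",
        # Constructed benign message pointing at the official domain.
        "Log in to your Monzo account at https://web.monzo.com/",
    ]
    for sms in samples:
        print(triage(sms) or "no indicators")
```

An empty result only means these two checks found nothing; a message can still be a scam, and other signs the article mentions, such as a domain registered the day before, need a separate lookup.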
