Last night, I was lounging on the sofa…
An SMS text message arrived on my phone. It claimed to come from Monzo. I do have a bank account with Monzo, so that didn’t look suspicious. And the message was grouped with all the other text messages I receive from Monzo.
To avoid issues and remain verified with Monzo, please confirm your account at the link below. https://monzo-log-in.com/
Would you have trusted it?
I hope you wouldn’t. But I bet a lot of people would. Especially if – like me – you were a Monzo customer. And especially as it was presented alongside other messages from Monzo.
Thankfully I had my security spider senses turned up to 11, and so I knew better than to click on the link and enter my banking details.
But I did bravely go a little down the rabbit hole to show you what you would have seen if you had clicked…
First thing I saw is that the website the text message is linking you to, asks you for your email address. Monzo is very much a digital bank, which you only access via an app. As far as I know there is *no* website where you can login to your account.
If you looked up this particular website’s WHOIS entry you would also notice that it was only registered yesterday. Hmm… that’s a bit suspicious isn’t it?
Of course I didn’t enter my real email address. Why would I want the scammers to know my email address? They already seem to know my mobile phone number. So I entered a random email address instead.
And then I was presented with another screen, asking me to enter the PIN of my Monzo bank card. Ho ho ho, as if I was going to enter that.
At this point I sent Monzo a tweet, telling them about the scam.
Hey @monzo. Someone is trying to phish your customers… pic.twitter.com/Zz5CYnH41Q
— Graham Cluley (@gcluley) November 18, 2021
I also reported the URL to Google. In my experience if you do that Google can quite quickly protect billions of internet users, by displaying a warning dialog in their browser if they attempt to visit the same URL.
A quick trawl through Twitter uncovered that I wasn’t the only person to receive this particular phishing message, and there are plenty of other examples of Monzo banking customers receiving text messages asking them to visit other dodgy URLs that pretend to belong to Monzo.
Which leaves an obvious question. How did the scammers know to send me and other Monzo customers a text? I don’t receive SMS phishing texts pretending to be from companies with which I don’t bank. Is someone leaking the mobile phone numbers of banking customers, to help phishers make their scams look more realistic?
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
14 comments on “Beware Monzo phishing scams via SMS”
One possibility is a Ticketmaster style breach – if a threat actor is catching both PAN numbers and mobile numbers through a merchant’s checkout process, they can match the leading digits of the PAN to the issuing bank… Of course, it could be entirely coincidental!
Excellent Job Ghraham Cluley. I didn't trist just dleted as I have no account with Monzo
I have received similar messages attempting to capture my account details for Santander and NatWest (and I've never held accounts with either so easy to spot). Could just be sending out mass messages hoping that some are genuine customers of those banks
> As far as I know there is *no* website where you can login to your account.
Small correction, there is a monzo website you can log on, https://web.monzo.com
My wife got a Mozo phishing scam SMS too. She has never had anything to do with Monzo. I think it's just a scattergun phishing scam.
In the uk you can forward the text to 7726 (spam) it will then be investigating by the network provider, hopefully this will reduce the amount of texts
Thanks. For those wondering how the heck to do this on iPhone now they've hidden the function: Tap and hold the message; tap More on the pop-up menu; Tap Share (curved arrow); Tap + on right side of To field; enter 7726; tap Send. Credit to https://www.lifewire.com/forward-a-text-message-on-iphone-1999154
I received 2 texts today supposedly from Monzo. I do not have an account with them asking to verify ??
Both my daughter ( who doesn’t have a Monzo acct) and I received a sms asking to verify some details. I have a Monzo account and have sent money to my daughter.
Do I need to do anything? Is my account under threat?
Please don’t. I’ve came here to share. I was silly enough to think it was real. My entire bank account has been drained. Always ring or start a chat on the monzo app before clicking the link! Learn from my mistake
Never click or do anything if you receive unsolicited texts or mail. Do some checks even if you have had dealings with whoever the message is from.
Hi I had one today telling me my replacement card is ready😳 I don t have an account 🤨
Received a text from MonzoUK informing me that my email address “ is no longer confirmed” and asking me to click a link to continue using Monzo.
I have never had anything to do with this lot nor do I intend to.
Beware if you get a message like this and no NOT click the link.
I received a text saying a Monzo replacement card has been requested. Not having a Monzo account, I assumed it was a scam and later in the text it said "If you do not recognise this request foIIow: monzo-replacement-support.com". Seeing "follow" spelled "foIIow" (with capital "I"s rather than small "l"s) just confirmed that it was a scam, so I reported it to 7726 together with the mobile number that sent it. So, if +447367065275 appears as the sender, just forward the message to 7726.