Beware Monzo phishing scams via SMS

Beware Monzo phishing scams via SMS

Beware Monzo phishing scams via SMS

Last night, I was lounging on the sofa…

PING!

An SMS text message arrived on my phone. It claimed to come from Monzo. I do have a bank account with Monzo, so that didn’t look suspicious. And the message was grouped with all the other text messages I receive from Monzo.

Monzo SMS messages

To avoid issues and remain verified with Monzo, please confirm your account at the link below. https://monzo-log-in.com/

Would you have trusted it?

I hope you wouldn’t. But I bet a lot of people would. Especially if – like me – you were a Monzo customer. And especially as it was presented alongside other messages from Monzo.

Thankfully I had my security spider senses turned up to 11, and so I knew better than to click on the link and enter my banking details.

But I did bravely go a little down the rabbit hole to show you what you would have seen if you had clicked…

First thing I saw is that the website the text message is linking you to, asks you for your email address. Monzo is very much a digital bank, which you only access via an app. As far as I know there is *no* website where you can login to your account.

Monzo phishing page

If you looked up this particular website’s WHOIS entry you would also notice that it was only registered yesterday. Hmm… that’s a bit suspicious isn’t it?

Of course I didn’t enter my real email address. Why would I want the scammers to know my email address? They already seem to know my mobile phone number. So I entered a random email address instead.

EmailSign up to our newsletter
Security news, advice, and tips.

And then I was presented with another screen, asking me to enter the PIN of my Monzo bank card. Ho ho ho, as if I was going to enter that.

Monzo phishing page

At this point I sent Monzo a tweet, telling them about the scam.

I also reported the URL to Google. In my experience if you do that Google can quite quickly protect billions of internet users, by displaying a warning dialog in their browser if they attempt to visit the same URL.

A quick trawl through Twitter uncovered that I wasn’t the only person to receive this particular phishing message, and there are plenty of other examples of Monzo banking customers receiving text messages asking them to visit other dodgy URLs that pretend to belong to Monzo.

Which leaves an obvious question. How did the scammers know to send me and other Monzo customers a text? I don’t receive SMS phishing texts pretending to be from companies with which I don’t bank. Is someone leaking the mobile phone numbers of banking customers, to help phishers make their scams look more realistic?

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.

Leave a Reply

Your email address will not be published. Required fields are marked *