A new phishing email with the subject ‘Tesco Bank Changes to Interest rate’ is currently targeting Tesco Bank’s customers. According to hoax-slayer.com, the email tells recipients that they can review the bank’s latest interest rates and changes simply by opening an attachment. I picked up on the post on SPAMFilter.
But the email has no connection with Tesco Bank, which is based in the UK. It is a phishing campaign designed to steal users’ login credentials.
If opened, the attached file loads a fake webpage in the user’s default browser. The page carries the Tesco Bank logo and urges the user to click a login link to view their online banking services and the latest changes made to their account.
The link leads to a bogus website that closely imitates the real Tesco Bank site. On landing there, the user is instructed to enter their username, password and security number.
Mirroring Tesco’s genuine login process, the fake page claims that an access code has been texted to the user’s registered mobile number. Since the scammers do not know the user’s mobile number, no text ever arrives.
Out of curiosity, the user may then click ‘Didn’t get our text message’. That link opens another phony Tesco page asking for the user’s personal and financial details along with their security questions and answers.
Subsequently, the user automatically gets redirected to the actual Tesco website.
Meanwhile, the fraudsters collect everything the user submitted and, armed with it, can easily hijack the bank account or steal the user’s identity.
Cybercriminals frequently target banking customers with phishing emails, fake text messages and fake voice calls purporting to come from their banks. Although online scams are becoming increasingly sophisticated, large numbers of users still fall for these rudimentary tricks, so users need to stay wary of them, security experts comment.
Now imagine the same email being read on a mobile device, which is where most people read email first. Mainstream desktop browsers offer some protection against malicious links; mobile browsers offer none.
Now consider the millions of browser-like apps that can open web links inside the app. End users automatically trust content shown inside a legitimate app, and the WebView inside the app probably won’t display the URL, which makes it harder to check a link’s validity and easier for attackers to spoof websites.
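One way an app developer can close the gap described above is to make the WebView show where content really comes from and refuse to load hosts it does not expect. The Android `WebViewClient` below is an added example, not code from the original post or from any app the post describes; the allowlisted host `online.bank.example` and the `TextView` used as a visible address bar are placeholders.

```java
import android.graphics.Bitmap;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.TextView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical client: only HTTPS pages on allowlisted hosts load inside the
// app, everything else is blocked, and the current host is always shown to
// the user so a look-alike site cannot hide behind the app's own branding.
public class AllowlistWebViewClient extends WebViewClient {
    private final Set<String> allowedHosts;
    private final TextView addressBar;  // placeholder view placed above the WebView

    public AllowlistWebViewClient(TextView addressBar, String... hosts) {
        this.addressBar = addressBar;
        this.allowedHosts = new HashSet<>(Arrays.asList(hosts));
    }

    // Exact host match only: "online.bank.example" does not cover
    // "online.bank.example.attacker.test" or "online-bank.example".
    static boolean isAllowed(Uri uri, Set<String> allowedHosts) {
        String host = uri.getHost();
        return "https".equals(uri.getScheme()) && host != null
                && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri target = request.getUrl();
        if (isAllowed(target, allowedHosts)) {
            return false;  // allowlisted: let the WebView load it
        }
        // Not allowlisted: block the navigation and tell the user why
        addressBar.setText("Blocked: " + target.getHost());
        return true;
    }

    @Override
    public void onPageStarted(WebView view, String url, Bitmap favicon) {
        // Surface the real host for every page that does load
        addressBar.setText(Uri.parse(url).getHost());
    }
}
```

Install it with `webView.setWebViewClient(new AllowlistWebViewClient(addressBar, "online.bank.example"))`; `shouldOverrideUrlLoading(WebView, WebResourceRequest)` is the API 24+ overload.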
If you found this post interesting, you might want to read my other posts about the security vulnerabilities of apps with a WebView.
You can read the article on SPAMFilter here.