Last week we wrote about a WhatsApp hoax that was spreading widely, warning people to look out for a cybersecurity catastrophe that simply wasn’t going to happen.
That was known as the Martinelli/Dance of the Pope hoax, and it claimed that two dangerous videos are about to come out that will hack or wipe out your phone so it can’t be fixed.
This week, there’s another WhatsApp hoax that suddenly started spreading, apparently forwarded in good faith by lots of worried users:
Straight from the City of London Police fraud team – Extremely sophisticated scam going about this morning. Definitely Danske bank customers but possibly all banks. You get a message saying a payment hasn’t been taken e.g. O2, Vodafone or EE [UK mobile providers] and to click here. As soon as you touch it the money is gone. They already have all your details and it’s the most advanced scam the bank has ever seen. Pass this on to everyone. Please. This is from work this morning – they are being inundated with calls – thousands flying out of people’s accounts! Spread the word!
Before we look at the plausibility of this – spoiler alert: it’s somewhere between implausible and impossible, and it didn’t happen – let’s check the very first claim in the message.
Hoaxes of this sort often include what we call “claims to authority” – Martinelli/Dance of the Pope claimed that its story had been announced on BBC Radio, for example – that are there to add a veneer of credibility.
But here’s what the City of London Police tweeted a few hours ago:
🚨 Smishing scam alert! 🚨
Please be aware of a false message currently being circulated https://t.co/Hf832Sxm60
— City of London Police | #StayHomeSaveLives (@CityPolice) March 30, 2020
The City of London Police in turn link you to the UK National Fraud and Cyber Crime Reporting Centre’s ActionFraud website, where you will see that the “City of London Police hasn’t issued any alerts about fake messages from Danske Bank.”
So, please don’t spread this hoax – you’re just creating fear and uncertainty among any of your friends and family who might have received a text message recently.
Could it happen?
The brazenly bogus start to the text in this hoax – an outright lie about a law enforcement team – suggests that it didn’t evolve from scraps of fact but was put together deliberately, though it’s anyone’s guess why.
As for the rest of the message, there’s a tiny ring of truth throughout, but so-called “unpaid mobile bill” text message scams don’t work quite as directly as the hoax claims.
Typically, the link in the SMS takes you to a website where a fake login page appears and that’s where the password stealing happens.
Indeed, we wrote about a very similar scam, albeit in a slightly different guise, late last week, where crooks texted you a “failed home delivery” message where you allegedly needed to pay in a $3 shortfall before the delivery could be completed.
Mobile phone billing scams use a different pretext but typically follow a similar sequence.
A URL (web link) in the SMS takes you to your browser; your browser expands on the details of the scam and gives you a “payment” link; and that link in turn takes you to a page that is designed to resemble a typical credit card payment portal.
All the data you put into the bogus payment form goes not to your bank but directly to the crooks, and that’s how they attack your credit card later on – or sell the data on so someone else can do so.
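To show the sequence above from the defender’s side, here is an added example (not code from the original article, from Sophos or from Beratung Consulting) that triages incoming SMS text the way a fraud team or a user-reporting pipeline might: it pulls out any link, checks whether the link’s host belongs to the brand the message claims to be from, and looks for the “payment hasn’t been taken” pretext. The brand-to-domain allowlist and the three sample messages are constructed for this example and are assumptions, not data from the article.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist (assumption for this example): domains each operator is
# assumed to use for genuine customer messaging. A real deployment would load
# the operator's published domains rather than hard-code them.
KNOWN_BRAND_DOMAINS = {
    "o2": {"o2.co.uk"},
    "vodafone": {"vodafone.co.uk"},
    "ee": {"ee.co.uk"},
}

# Wording typical of the "unpaid mobile bill" pretext described in the article.
PAYMENT_PRETEXT = re.compile(
    r"payment (?:hasn.t|has not|was not|wasn.t) (?:been )?(?:taken|processed|received)"
    r"|failed payment|update (?:your )?payment|outstanding balance",
    re.IGNORECASE,
)

# Links are the pivot of the scam: SMS -> browser -> fake payment page.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def host_of(url):
    """Return the lower-cased host part of a URL (scheme, path, query, port stripped)."""
    stripped = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    host = stripped.split("/")[0].split("?")[0].split(":")[0]
    return host.lower()


def host_matches_brand(host, brand):
    """True if host is one of the brand's known domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_BRAND_DOMAINS[brand])


def triage_sms(text):
    """Flag a message when it names a brand but links elsewhere, or when it
    combines a payment-failure pretext with a link to follow."""
    verdict = Verdict(suspicious=False)
    verdict.urls = URL_RE.findall(text)
    lower = text.lower()

    # Brands the message claims to be from (whole-word match on the brand name).
    claimed = [b for b in KNOWN_BRAND_DOMAINS
               if re.search(r"\b" + re.escape(b) + r"\b", lower)]

    pretext = bool(PAYMENT_PRETEXT.search(text))
    if pretext:
        verdict.reasons.append("payment-failure pretext")

    for url in verdict.urls:
        host = host_of(url)
        for brand in claimed:
            if not host_matches_brand(host, brand):
                verdict.reasons.append(
                    f"link host {host!r} is not a known {brand} domain")

    if pretext and verdict.urls:
        verdict.reasons.append("pretext combined with a link to follow")

    verdict.suspicious = any(r.startswith("link host") for r in verdict.reasons) \
        or (pretext and bool(verdict.urls))
    return verdict


# Constructed sample messages (not real SMS traffic).
SAMPLES = [
    "O2: Your payment hasn't been taken. To avoid disconnection update your "
    "details at http://o2-billing-update.example/pay",
    "Vodafone: your bill is ready to view at https://www.vodafone.co.uk/myaccount",
    "Hi, are we still on for lunch tomorrow?",
]


def triage_all(messages=SAMPLES):
    """Triage every message and return {message: Verdict}."""
    return {m: triage_sms(m) for m in messages}


if __name__ == "__main__":
    for msg, v in triage_all().items():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"[{flag}] {msg[:60]}...")
        for r in v.reasons:
            print(f"    - {r}")
```

The first sample is flagged on two counts (the pretext plus a link whose host is not an O2 domain), the genuine-looking Vodafone message passes because its link stays on a known domain, and the lunch invitation has neither a pretext nor a link. The brand-domain check is the part worth keeping: the pretext wording changes from campaign to campaign, but a message that names a brand and links somewhere else is the constant.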
Browser exploits
In theory, a booby-trapped web page that was rigged up to crash your browser might be able to launch malware on your phone without warning and without asking for permission, even if all you did was tap on the link in the SMS to take you there.
But that sort of attack is very rare these days, and almost certainly wouldn’t lead to the crooks getting hold of your banking password immediately and instantly withdrawing money.
If nothing else, the crooks would still have to persuade you to type in your banking password or card number while their malware was running, just as they would do via a fake website, so the attack wouldn’t happen “as soon as you touch[ed]” the link in the text message.
The big giveaway, however, is the part about how “this is from work this morning”.
How likely is that, in the middle of coronavirus lockdown?
What to do?
- Don’t spread discredited stories online via any messaging app or social network. Do your homework. There’s enough fake news at the moment without adding to it.
- Don’t be tricked by claims to authority. Anyone can write “the police announced this”, but that doesn’t tell you anything. In this case, what came from the police was an announcement that it was false.
- Don’t use the “better safe than sorry” excuse. Lots of people forward hoaxes with the best intentions, but you can’t make someone safer by “protecting” them from something that doesn’t exist. All you are doing is wasting everyone’s time.
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.