New phishing campaign targets Monzo online-banking customers
Users of Monzo, one of the UK’s most popular digital-only banking platforms, are being targeted by phishing messages supported by a growing network of malicious websites.
Monzo is a 100% online banking platform with over four million customers and was among the first to challenge the traditional banking system.
The mobile-only platform offers a feature-rich app, debit Mastercards, and a comprehensive yet not completely flawless fraud-detection system.
According to a report by security researcher William Thomas, there’s an ongoing phishing campaign targeting users of Monzo and attempting to steal their accounts.
The banking platform also posted on Twitter to warn its customers about the signs of fraud and what not to do when receiving a message that appears suspicious.
In a new report, Thomas explains that the phishing process begins with the arrival of an SMS text showing Monzo as the sender’s name, asking the recipient to tap the provided link to reactivate their session or verify their account.
The users are taken to a phishing site that displays a fake email login form and then requests information about their Monzo account, including full name, phone number, and the Monzo PIN.
If these details are provided, the threat actors now have everything needed to begin taking over victims’ Monzo accounts.
When installing the Monzo app on a new device, like the threat actor’s smartphone, the service sends a device verification link for the first login to the user’s email address. As the threat actors now have access to victims’ email accounts, they can click on this “golden link” and verify their device, giving full access to the Monzo account.
The severity of gaining access to this link is illustrated by the emails sent by Monzo, which warn that the link should never be shared with other people. If the email account is protected by 2FA, Thomas believes the adversaries can likely overcome it with additional social engineering steps or by employing OTP-stealing bots.
When Monzo wants to inform users about anything, it uses built-in app notifications or the account portal on the official website.
With thanks to the Cyber Defence Alliance and BleepingComputer. The full story is here: https://www.bleepingcomputer.com/news/security/new-phishing-campaign-targets-monzo-online-banking-customers/
Help keep your users safe from these phishing scams with Security Awareness Training.
Request A Demo: Security Awareness Training
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn’t a one-and-done deal: continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4’s security awareness training and simulated phishing platform and see how easy it can be!
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/one-on-one-demo-partners?partnerid=001a000001lWEoJAAW