06.06.2023 - An interesting combination of a phishing text message and subsequent voice phishing was reported to the NCSC last week. After entering his credit card details on a website opened via a phishing text message, effective security measures enabled the victim to stop his payment to the phishers. When the phishers noticed this, they called the victim and offered telephone support.
The reported smishing attempt began in the typical manner with a text message supposedly from Netflix. It contained a link and stated that the last payment had been rejected and that the account needed to be reactivated via a link.
The victim subsequently clicked on the link, which took him to a fake form page asking for various details. In addition to the email address, name, telephone number and Netflix password, the victim also provided his credit card number, expiry date and three-digit CVV code.
The fraudsters then initiated a payment using the data entered by the victim. Fortunately, in this case, 3D Secure was activated as an additional security layer for the credit card and the fraudulent payment needed to be confirmed by the victim. It was at this point that the fraud was detected and the payment was not authorised. Up to then, the approach was that of a typical phishing attempt and the security measures were effective.
The attackers persisted – smishing gave way to vishing
Naturally, the attackers discovered that the payment had been blocked. In order to get hold of the money after all, they called the victim shortly afterwards using a Swiss mobile phone number and posed as a Netflix employee. During the conversation, the attacker promised to help unblock the supposedly blocked account and to make the credit card payment together with the victim. As the victim had noticed the attempted fraud, he turned down this help. The caller then insisted one last time that the victim should take some time to think about it. The victim then ended the phone call.
The NCSC is currently receiving frequent reports of attempted voice phishing (vishing). The callers pose as employees of credit card institutions and banks. They claim that they want to clarify an incorrect booking or that e-banking is being updated. Internet telephony is usually used for such calls and the numbers are spoofed or concealed.
Recommendations:
- Be careful if you receive text messages or phone calls asking you to click on links or disclose information, even if the number displayed is apparently known.
- If you have any doubts, end the communication and contact the company using the usual channels.
- Never divulge personal data such as passwords or credit card details on a website that you accessed by clicking on a link in an email or text message.
- Install two-factor authentication whenever possible. This offers an additional layer of protection to prevent your account from being hacked.
- No bank or credit card company will ever ask you via email or on the phone to change your password or verify your credit card details.
- As soon as you realise that you have entered your password on a phishing site, change this password for all services where you use it.
- If you provided credit card details, contact your credit card company immediately to have the card blocked.
- In the case of an email password, you should also reset all passwords for web service providers that are linked to this account.
Current statistics
Last week's reports by category:
Last modification 06.06.2023
