Graham Cluley
Computer security news, advice, and opinion
Beware Monzo phishing scams via SMS
Last night, I was lounging on the sofa…
PING!
An SMS text message arrived on my phone. It claimed to come from Monzo. I do have a bank account with Monzo, so that didn’t look suspicious. And the message was grouped with all the other text messages I receive from Monzo.

To avoid issues and remain verified with Monzo, please confirm your account at the link below. https://monzo-log-in.com/
Would you have trusted it?
I hope you wouldn’t. But I bet a lot of people would. Especially if – like me – you were a Monzo customer. And especially as it was presented alongside other messages from Monzo.
Thankfully I had my security spider senses turned up to 11, and so I knew better than to click on the link and enter my banking details.
But I did bravely go a little down the rabbit hole to show you what you would have seen if you had clicked…
First thing I saw is that the website the text message is linking you to, asks you for your email address. Monzo is very much a digital bank, which you only access via an app. As far as I know there is *no* website where you can login to your account.

If you looked up this particular website’s WHOIS entry you would also notice that it was only registered yesterday. Hmm… that’s a bit suspicious isn’t it?
Of course I didn’t enter my real email address. Why would I want the scammers to know my email address? They already seem to know my mobile phone number. So I entered a random email address instead.
And then I was presented with another screen, asking me to enter the PIN of my Monzo bank card. Ho ho ho, as if I was going to enter that.

At this point I sent Monzo a tweet, telling them about the scam.
Hey @monzo. Someone is trying to phish your customers… pic.twitter.com/Zz5CYnH41Q
— Graham Cluley (@gcluley) November 18, 2021
I also reported the URL to Google. In my experience if you do that Google can quite quickly protect billions of internet users, by displaying a warning dialog in their browser if they attempt to visit the same URL.
A quick trawl through Twitter uncovered that I wasn’t the only person to receive this particular phishing message, and there are plenty of other examples of Monzo banking customers receiving text messages asking them to visit other dodgy URLs that pretend to belong to Monzo.
Which leaves an obvious question. How did the scammers know to send me and other Monzo customers a text? I don’t receive SMS phishing texts pretending to be from companies with which I don’t bank. Is someone leaking the mobile phone numbers of banking customers, to help phishers make their scams look more realistic?
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.
Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
One possibility is a Ticketmaster style breach – if a threat actor is catching both PAN numbers and mobile numbers through a merchant’s checkout process, they can match the leading digits of the PAN to the issuing bank… Of course, it could be entirely coincidental!
I have received similar messages attempting to capture my account details for Santander and NatWest (and I’ve never held accounts with either so easy to spot). Could just be sending out mass messages hoping that some are genuine customers of those banks
> As far as I know there is *no* website where you can login to your account.
Small correction, there is a monzo website you can log on, https://web.monzo.com
Your email address will not be published. Required fields are marked *








{{#message}}{{{message}}}{{/message}}{{^message}}Your submission failed. The server responded with {{status_text}} (code {{status_code}}). Please contact the developer of this form processor to improve this message. Learn more{{/message}}
{{#message}}{{{message}}}{{/message}}{{^message}}It appears your submission was successful. Even though the server responded OK, it is possible the submission was not processed. Please contact the developer of this form processor to improve this message. Learn more{{/message}}
Submitting…
This site uses Akismet to reduce spam. Learn how your comment data is processed.
Winner: Best Security Podcast 2018, 2019
Nov 18 2021
Booking.com got hacked five years ago, and didn’t tell its customers… but now we know who might have been behind it. Bossware rears its ugly head again in the workplace, spying on employees. And did you receive a warning email from the FBI?
Special guest: Brian Klaas.

Subscribe:
Apple Podcasts | Google Podcasts | Spotify | RSS

Support the podcast:
Patreon
Hire Graham Cluley to be a keynote speaker at your event or webinar
        
Send a tip or story idea | Hire Graham Cluley to speak at your event | Sponsorship | Contact | About
Complaints/Corrections | Privacy | Terms & Conditions
Copyright © 2001-2021 Cluley Associates Limited. All Rights Reserved.

source