Fraudsters are now using customers’ card details to set up Apple and Google Pay wallets.
Bank of Ireland is warning customers about a new wave of smishing attacks where there has been a 50% increase in the amount of fraudulent text messages in circulation.
The Bank has experienced a spike in ‘smishing’, where fraudsters send fake text messages appearing to be from delivery services including An Post or Government agencies including the HSE and Revenue.
“Text messages appearing to be from third parties like delivery companies or Government agencies should be treated with caution and verified accordingly”
Fraudsters are now using customers’ card details to set up Apple and Google Pay wallets.
Customers who click the links in the text messages are then directed to fake websites where they are asked for their card or online banking login details.
The fraudster uses these details to set up Apple/Google Pay on the customer’s card or to set up the customer’s online banking on a new device.
If the customer gives away the genuine One Time Passcode sent by Bank of Ireland to confirm the set-up, the fraudster can then access the customer’s account.
During the last month, the number of ‘smishing’ cases detected by Bank of Ireland’s Fraud Prevention team has increased by c. 50% since the introduction of this tactic.
“Fraudsters tend to use a range of tactics that have been the subject of regular warnings for some time,” said Edel McDermott, Head of Fraud, Bank of Ireland. “When a new variation on a familiar theme crops up, this is a cause for real concern, and we are warning customers to be extra vigilant.
“Text messages appearing to be from third parties like delivery companies or Government agencies should be treated with caution and verified accordingly.
“Following fraudulent links in these texts is leading to customers disclosing card details, and then having Apple or Google Pay set up on their card, generating a genuine One-Time Passcode from their bank. When this Passcode is then disclosed, this allows fraudsters full access to the customers’ account. Customers should never share this Passcode with anyone, even if they say they are from Bank of Ireland.”
How the current scam operates:
- Customer receives a fraudulent text purportedly “from” An Post or alternatively HSE or Revenue – for example: “Your parcel is ready for delivery. Please pay the outstanding charge on this link —-“ or “You’ve been a close contact of someone with Covid. Please follow the instructions here to order a test —–“
- The customer clicks the link, is brought to a fake website and gives some personal information and their credit / debit card number. The fraudster will then:
- Use the customer’s card details to set up Apple Pay or Google Pay. The customer then gets a genuine One-Time Passcode from Bank of Ireland to confirm Apple Pay or Google Pay set-up, but then gives away the code to the fraudster on the phishing website.
Or
- Based on the card number the customer has given, the fraudster directs the customer to a spoofed online banking login page. The customer gives their online banking login details and then gets a genuine One-Time Passcode to set up online banking on a new device. The customer gives that code away on the phishing website, which allows the fraudster to set up online banking and make payments from the customer’s account.
- Where customers have stopped part of the way through the scam process, they may then get a phone call claiming to be from Bank of Ireland in an attempt to get banking details and the One-Time Passcode. Those calls will often look like they’re coming from genuine Bank of Ireland numbers as the fraudster can spoof the number that appears in your display.
How to avoid falling victim to smishing attacks
Bank of Ireland’s advice to customers in response to the current activity:
- Do not click on links or respond to any SMS text messages which are designed to appear as if sent by the bank or other businesses and service providers.
- Remember that Bank of Ireland will never send you a text with a link to a website that asks you for your online banking login details or any One-Time Passcodes that we’ve sent to you.
- Do not share your One-Time Passcode to set up Apple/Google Pay on your card WITH ANYONE even if you the person advises they are from Bank of Ireland
- If you get a suspicious text, please email a screenshot of the text to 365Security@boi.com and then delete the text.
- If you think you may have given away any of your banking details, please call our 24/7 Freephone line 1800 946 764
Remember, Bank of Ireland will never:
- Send you a text or email with a link directly to the login page of our online banking channels to confirm banking details or ask you to update their banking details.
- Ask you to click a link in an email with an urgent warning about suspicious activity on your account.
- Ask you to transfer money out of your account to protect you from fraud.
- Ask you to tell us any ‘One-Time Password’ or code that you have received from us by text.
Where customers receive a text appearing to be from Bank of Ireland, the Check Your Text service (Security Zone – Bank of Ireland Group Website) is available and is outlined in the ‘Report Fraud’ section.
For more advice and information on fraud, visit www.boi.com/security or www.fraudsmart.ie