New Phishing Campaign Angles for Monzo Banking Customers



A phishing campaign is targeting users of the UK-based digital banking company Monzo, BleepingComputer reports. Security researcher William Thomas came across an SMS phishing (smishing) campaign that’s sending text messages that purport to come from Monzo.

“The users are taken to a phishing site that displays a fake email login form and then requests information about their Monzo account, including full name, phone number, and the Monzo PIN,” BleepingComputer says. “If these details are provided, the threat actors now have everything needed to begin taking over victims' Monzo accounts. When installing the Monzo app on a new device, like the threat actor's smartphone, the service sends a device verification link for the first login to the user's email address. As the threat actors now have access to victims' email accounts, they can click on this ‘golden link’ and verify their device, giving full access to the Monzo account. The severity of gaining access to this link is illustrated in the emails sent by Monzo, who warn that the link should never be shared with other people.”

Thomas wrote in a blog post that the attackers can then attempt to bypass users’ multifactor authentication to gain access to their accounts.

“These details are enough to compromise a user's email account and Monzo account,” Thomas wrote. “Additional social engineering steps might be involved, but there are many one-time passcode (OTP) stealing bots and other guides on how to trick victims into giving up access to the attacker.”

BleepingComputer explains that Monzo has a defined process for contacting its customers, and users who know that process can recognize messages that fall outside it.

“When Monzo wants to inform users about anything, it uses built-in app notifications or the account portal on the official website,” BleepingComputer says. “Monzo doesn't use SMS to send notifications, and the platform would never urge users to follow any links from outside the app. If you've tapped on these links and provided any login details to the actors, reset your account passwords immediately and activate MFA on both your email and Monzo accounts.”

Multi-factor authentication is an important layer of defense, but users should know that it’s not foolproof. New-school security awareness training can enable your employees to recognize social engineering attacks.

BleepingComputer has the story.


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer
