Fraudulent text messages purporting to be from An Post, the HSE and Revenue are being used as bait in a “new wave” of text message scams.
Bank of Ireland is warning customers of the messages in circulation as it reports a surge in “smishing” fraud cases, where fraudsters send these messages with the aim of obtaining customers’ card details to set up Apple or Google Pay.
During the last month, the bank’s fraud prevention team has detected a 50 per cent increase in the number of these cases.
The scam sees customers receive a text purportedly from delivery services including An Post, or government agencies including the HSE and Revenue, such as: “Your parcel is ready for delivery. Please pay the outstanding charge on this link ----" or “You’ve been a close contact of someone with Covid. Please follow the instructions here to order a test -----".
Customers who click on the links in the text messages are then directed to fake websites, where they are asked for their card or online banking login details.
The fraudster uses these details to set up Apple or Google Pay on the customer’s card or to set up the customer’s online banking on a new device. If the customer gives away the genuine one-time passcode sent by Bank of Ireland to confirm the set-up, the fraudster can then access the customer’s account.
Phone calls
Where customers stop part of the way through the scam process, they may then get a phone call claiming to be from Bank of Ireland in an attempt to get banking details and the one-time passcode.
These calls will often appear to be coming from genuine Bank of Ireland numbers, as the fraudster can spoof the number that appears in the display.
Head of fraud at Bank of Ireland, Edel McDermott, said this “new variation on a familiar theme” of scam messages is a “cause for real concern”.
“We are warning customers to be extra vigilant,” she said.
“Text messages appearing to be from third parties like delivery companies or government agencies should be treated with caution and verified accordingly.
“Following fraudulent links in these texts is leading to customers disclosing card details, and then having Apple or Google Pay set up on their card, generating a genuine one-time passcode from their bank.
“When this passcode is then disclosed, this allows fraudsters full access to the customers’ account. Customers should never share this passcode with anyone, even if they say they are from Bank of Ireland.”
Advice
Bank of Ireland has advised customers it will never send a text or email with a link directly to the login page of its online banking channels to confirm banking details or ask a customer to update their banking details.
It will also never ask a customer to click a link in an email with an urgent warning about suspicious activity on their account, ask a customer to transfer money out of their account to protect from fraud, or ask a customer to disclose their one-time password or code received by text.
The bank has issued the following advice to customers to avoid falling victim to scam texts:
- Do not click on links or respond to any SMS text messages which are designed to appear as if sent by the bank or other businesses and service providers.
- Remember that Bank of Ireland will never send you a text with a link to a website that asks you for your online banking login details or any one-time passcodes it has sent to you.
- Do not share your one-time passcode to set up Apple/Google Pay on your card with anyone, even if the person advises that they are from Bank of Ireland.
- If you get a suspicious text, please email a screenshot of the text to 365Security@boi.com and then delete the text.
- If you think you may have given away any of your banking details, call Bank of Ireland's 24/7 freephone line 1800 946 764.
- Where customers receive a text appearing to be from Bank of Ireland, the Check Your Text service is available and is outlined in the ‘Report Fraud’ section.