Bank of Ireland is alerting its customers to a new wave of smishing scams in circulation that see fraudsters using customers’ card details to set up Apple and Google Pay systems.
Fake text messages are reportedly being sent to people that appear to be from services including An Post, the HSE and Revenue.
Customers who click the links in the text messages are then directed to fake websites where they are asked for their card details or their online banking login.
The fraudster uses these details to set up Apple/Google Pay on the customer’s card or to set up the customer’s online banking on a new device.
If the customer gives away the genuine one-time Passcode sent by the Bank of Ireland to confirm the set-up, the fraudster can then access the customer’s account.
During the last month, the number of ‘smishing’ cases detected by Bank of Ireland’s Fraud Prevention team has jumped by around 50% since the introduction of this tactic.
Officials have outlined exactly how the current scam operates:
- Customer receives a fraudulent text purportedly “from” An Post or alternatively HSE or Revenue – for example: “Your parcel is ready for delivery. Please pay the outstanding charge on this link ----" or “You’ve been a close contact of someone with Covid. Please follow the instructions here to order a test -----"
- The customer clicks the link, is brought to a fake website, and gives some personal information and their credit/debit card number.
- The fraudster will then: Use the customer’s card details to set up Apple Pay or Google Pay. The customer then gets a genuine One-Time Passcode from Bank of Ireland to confirm Apple Pay or Google Pay set-up, but then gives away the code to the fraudster on the phishing website, or
- based on the card number the customer has given, the fraudster directs the customer to a spoofed online banking login page.
- The customer gives their online banking login details and then gets a genuine One-Time Passcode to set up online banking on a new device.
- The customer gives that code away on the phishing website, which allows the fraudster to set up online banking and make payments from the customer’s account.
If a customer has stopped part of the way through the scam process, they may then get a phone call claiming to be from Bank of Ireland in an attempt to get banking details and the one-time passcode.
Those calls will often look like they’re coming from genuine Bank of Ireland numbers as the fraudster can spoof the number that appears in your display.
Speaking about this latest scam, Edel McDermott, Head of Fraud, Bank of Ireland said: “Fraudsters tend to use a range of tactics that have been the subject of regular warnings for some time. When a new variation on a familiar theme crops up, this is a cause for real concern, and we are warning customers to be extra vigilant.
“Text messages appearing to be from third parties like delivery companies or Government agencies should be treated with caution and verified accordingly.
“Following fraudulent links in these texts is leading to customers disclosing card details, and then having Apple or Google Pay set up on their card, generating a genuine One-Time Passcode from their bank. When this Passcode is then disclosed, this allows fraudsters full access to the customers’ accounts.
"Customers should never share this Passcode with anyone, even if they say they are from Bank of Ireland.”
Bank of Ireland’s reminds its customers:
- Do not click on links or respond to any SMS text messages which are designed to appear as if sent by the bank or other businesses and service providers.
- Remember that Bank of Ireland will never send you a text with a link to a website that asks you for your online banking login details or any One-Time Passcodes that we’ve sent to you.
- Do not share your One-Time Passcode to set up Apple/Google Pay on your card WITH ANYONE even if you the person advises they are from Bank of Ireland
- If you get a suspicious text, please email a screenshot of the text to 365Security@boi.com and then delete the text.
- If you think you may have given away any of your banking details, please call our 24/7 Freephone line 1800 946 764 immediately.
Finally, Bank of Ireland will never:
- Send you a text or email with a link directly to the login page of our online banking channels to confirm banking details or ask you to update their banking details.
- Ask you to click a link in an email with an urgent warning about suspicious activity on your account.
- Ask you to transfer money out of your account to protect you from fraud.
- Ask you to tell us any ‘One-Time Password’ or code that you have received from us by text.
READ MORE:
Met Eireann's serious warning as record temperatures set to shock Ireland this weekend
Mr Flashy a no-show in court due to 'genuine fears' for safety
Vogue Williams looks set to stay in the UK as she enrols Theodore into school there
Former Love Island star Yewande Biala says time on the show was the 'best decision' of her life
Get breaking news to your inbox by signing up to our newsletter .