Cyber criminals have launched a new online scam designed to trick Marks and Spencer (M&S) customers into handing over confidential data by by impersonating the retailer’s CEO Steve Rowe.
The fraudulent adverts, uncovered by the Parliament Street think tank’s cyber research team, have been launched via social networking site Facebook from an unverified page entitled “Marks and Spencer Store.”
Users have been bombarded with adverts showing a man holding M&S branded bags, who is not Steve Rowe, accompanied with the message, “Hello everyone, my name is Steve Rowe and I am the CEO of Marks and Spencer! I’ve an announcement to make – To celebrate our 135th Anniversary, We are giving EVERYONE who shares & then comments by 11.59pm tonight one of these mystery bags containing a £35 M&S voucher plus goodies! Make sure you enter here [URL].”
The fake URL takes users to an M&S branded portal where users are asked for their name, address, mobile phone number, and bank details including SORT code and account number in order to ‘enter’ the prize draw.
So far around 150 members of the public have been identified and reported the scam, which has been flagged to consumer groups and raised as an issue on social media.
In a statement via social media, Marks and Spencer said:
“We have been made aware of this and it isn’t genuine, our colleagues are investigating further.”
Cyber security expert Andy Heather, VP, Centrify said:
“With more people than ever committed to online retail shopping due to Covid-19, it’s likely that we’ll see a surge of ‘exclusive’ or ‘one time only’ deals pop up on social media, via email, and through SMS messages, over the course of the next few months up until Christmas. Unfortunately, many of these sales and deals, much like this M&S one, will be a scam, designed to steal confidential data, such as payment details or log-in credentials.
“If you, or anyone you know, feel they may have already fallen victim to a scam of this nature, it’s essential that you take proactive measures to stop these scammers in their tracks. This requires you to report the scam to the impersonated brand, freeze banks accounts and change log-in details – it’s very common for attackers to hold on to stolen log-in credentials for months after an attack, waiting for a victim to drop their guard before re-breaking in to other accounts which are protected by the same password.”
Tim Sadler, CEO, Tessian said:
“Phishing scams don’t just reside in your inbox; hackers are increasingly using social media as another hunting ground for their victims. Using the lure of a prize giveaway, cybercriminals are hoping that people will click the URL link to ‘enter’ the competition. Those that do click are led to a malicious website that prompts them to enter valuable personal information and credit card details.
“As we head into the busy shopping season, we can only expect to see more of these types of ‘sale’ scams emerge online. Treat these posts just like you would any phishing email; ask yourself if this deal seems legitimate and verify the identity of the person requesting you to take an action, before clicking on any links. In this case, the scammers have used a picture of someone that isn’t even the CEO! And if you’re still unsure, visit the retailer’s website and official social media channels to cross-check that the deal has been mentioned elsewhere.”
Read the latest edition of PCR’s monthly magazine below: