Overview of selected scams - July 2024





We present the report on identified threats and the methods of operation by criminals for the month of July 2024. This document highlights selected risks to customers of Polish banks. We encourage you to review the material.

The document does not cover threats that have been known for many months and were described in an earlier report, such as the "classicscam", fake Facebook login panels, fake shops and other. It is essential to remember, however, that these scenarios are still being used by criminals, and we must continually work against them.

 

FALSE INVESTMENTS SCHEMESS

A well-known but still very popular fraud scenario is fake investments. This scam involves cybercriminals impersonating famous people or institutions to entice potential victims to invest money with promises of high returns, only to cause significant financial losses.


In July 2024, we also detected fraudulent investment ads being distributed through the TikTok platform (Fig. 1).

Figure 1 Fake invest ads distributed on the TikTok platform

 

After clicking on the ad, the victim is directed to a form where they fill out their contact information (Fig. 2). In the next step, the criminals call the victim by phone.

 

 

 

Figure 2 Fake invest ads - form on the Tiktok platform

Similarly to before, the attackers also developed applications (Fig. 3). These were intended to encourage supposed investments. These applications are fake but do not infect devices. Their purpose is to lend credibility to the phishing scenario.

 

Figure 3 Distribution of a Fake Data-Phishing App

 

Another method used by the criminals involves exploiting the image of the Polish Financial Supervision Authority (UKNF). In July 2024, the criminals once again created websites impersonating our organization (Fig. 4). They informed victims of a supposed need to undergo an "anti-money laundering" process. They sent a link to a "UKNF AI" website. There, the victim entered personal information, selected their bank, and provided login details for online banking.

 

Figure 4 Fake invest - impersonation of our organization

 

A recurring pattern is the second stage of the discussed scam. In this phase, the criminals publish information about a supposed opportunity to recover previously lost money (Fig. 5). In reality, this targets individuals who have already fallen for the scam before.

 

Figure 5 Fake invest - second stage scam

 

 

IMPERSONATING POLISH BANKS

Criminals use the image of well-known institutions to increase the credibility of phishing campaigns, regularly impersonating Polish banks. They use this method to steal electronic banking authentication data, payment card information, and encourage the download of malicious applications. In July 2024, criminals continued to use this method, distributing phishing sites through social media ads and email messages.


 FAKE GOOGLE ADS

Criminals impersonating Polish banks published ads on Facebook. They promised to award prizes. In reality, they were phishing for online banking login credentials.

Example Facebook Ads (Fig. 6):

Figure 6 Ads impersonating Polish Banks

Phishing sites (Fig. 5):

Figure 7 Phishing sites - impersonating Plus Bank

 

RANDOM CONTROL, IMPERSONATING BANK PEKAO

 

Criminals were impersonating Bank Peako. They sent emails informing a supposed need to conduct random checks of customer data to protect against unauthorized card transactions. The emails encouraged recipients to click on a link that led to a phishing site. This site mimicked the information about credit cards: full card number, CVC code, expiration date and 3DSevure codes.

 

Example e-mail message (Fig. 8):



Figure 8 Fake e-mail message - impersonating  Bank Peako

 

Phishing site (fig. 9):

Figure 9 Phishing site - impersonating Bank Peako

 


YOUR ACCOUNT IS EXPIRING, IMPERSONATING POLISH BANK 

Figure 10 Phishing site and SMS message - impresonating BNP Paribas

 

Figure 11 Phishing site and SMS message - impresonating ING

 

PRODUCTS AVAILABLE FOR PURCHASE FOR 9 PLN 

Cybercriminals published ads on the Facebook platform informing about the alleged opportunity to purchase items at low prices. In reality, the website linked from the ad aimed to phish for payment card details. Sebsequently, the criminals attempted to commit fraud using a "subscription model".

 

Example Facebook Ads (Fig. 11-12):

Figure 12 Fakes ads - sales for 9 PLN

 

Next, a form appeared requesting personal information and payment card details (Fig. 13).

Figure 13 Phishing sites

 

INCOMPLETE ADRESS - POLISH POST IMPERSONATION

Cybercriminals, impersonating Polish Post, informed about the need to update the address. A similar phishing campaign using Polish Post image occurred several times in 2023 and 2024.

Fake message (Fig. 14): 

 

Figure 14 Fake sms message - impersonating Post Polish

 

 

Phishing sites (Fig. 15):


Figure 15 Phishing site - impersonating Post Polish

 

CONFIRM ADRESS VIA LINK - INPOST IMPERSONATION

Criminals impersonated courier companies, this time using InPost’s image, informing about the need to complete the delivery address. They encouraged clicking a link leading to a phishing site to steal payment card information.

 

Fake SMS message (Fig. 16):

 

Figure 16 Fake SMS - impersonating InPost

Phishing site (Fig. 27):

 

Figure 17 Phishing site - impersonating InPost



Yet another month of this year has demonstrated that criminals are constantly refining their methods of operation. We consistently believe that conducting informational and educational activities is crucial.



That's why news about cyber threats and fraudulent trends are also published on the following our social media platform: TwitterLinkedIn and Facebook.