Overview of selected scams - July 2024

We present the report on identified threats and the methods of operation by criminals for the month of July 2024. This document highlights selected risks to customers of Polish banks. We encourage you to review the material.
The document does not cover threats that have been known for many months and were described in an earlier report, such as the "classicscam", fake Facebook login panels, fake shops and other. It is essential to remember, however, that these scenarios are still being used by criminals, and we must continually work against them.
FALSE INVESTMENTS SCHEMESS
A well-known but still very popular fraud scenario is fake investments. This scam involves cybercriminals impersonating famous people or institutions to entice potential victims to invest money with promises of high returns, only to cause significant financial losses.
In July 2024, we also detected fraudulent investment ads being distributed through the TikTok platform (Fig. 1).

Figure 1 Fake invest ads distributed on the TikTok platform
After clicking on the ad, the victim is directed to a form where they fill out their contact information (Fig. 2). In the next step, the criminals call the victim by phone.

Figure 2 Fake invest ads - form on the Tiktok platform
Similarly to before, the attackers also developed applications (Fig. 3). These were intended to encourage supposed investments. These applications are fake but do not infect devices. Their purpose is to lend credibility to the phishing scenario.

Figure 3 Distribution of a Fake Data-Phishing App
Another method used by the criminals involves exploiting the image of the Polish Financial Supervision Authority (UKNF). In July 2024, the criminals once again created websites impersonating our organization (Fig. 4). They informed victims of a supposed need to undergo an "anti-money laundering" process. They sent a link to a "UKNF AI" website. There, the victim entered personal information, selected their bank, and provided login details for online banking.

Figure 4 Fake invest - impersonation of our organization
A recurring pattern is the second stage of the discussed scam. In this phase, the criminals publish information about a supposed opportunity to recover previously lost money (Fig. 5). In reality, this targets individuals who have already fallen for the scam before.

Figure 5 Fake invest - second stage scam
IMPERSONATING POLISH BANKS
Criminals use the image of well-known institutions to increase the credibility of phishing campaigns, regularly impersonating Polish banks. They use this method to steal electronic banking authentication data, payment card information, and encourage the download of malicious applications. In July 2024, criminals continued to use this method, distributing phishing sites through social media ads and email messages.
FAKE GOOGLE ADS
Criminals impersonating Polish banks published ads on Facebook. They promised to award prizes. In reality, they were phishing for online banking login credentials.
Example Facebook Ads (Fig. 6):
Figure 6 Ads impersonating Polish Banks
Phishing sites (Fig. 5):

Figure 7 Phishing sites - impersonating Plus Bank
RANDOM CONTROL, IMPERSONATING BANK PEKAO
Criminals were impersonating Bank Peako. They sent emails informing a supposed need to conduct random checks of customer data to protect against unauthorized card transactions. The emails encouraged recipients to click on a link that led to a phishing site. This site mimicked the information about credit cards: full card number, CVC code, expiration date and 3DSevure codes.
Example e-mail message (Fig. 8):

Figure 8 Fake e-mail message - impersonating Bank Peako
Phishing site (fig. 9):
Figure 9 Phishing site - impersonating Bank Peako
YOUR ACCOUNT IS EXPIRING, IMPERSONATING POLISH BANK 
Figure 10 Phishing site and SMS message - impresonating BNP Paribas

Figure 11 Phishing site and SMS message - impresonating ING
PRODUCTS AVAILABLE FOR PURCHASE FOR 9 PLN
Cybercriminals published ads on the Facebook platform informing about the alleged opportunity to purchase items at low prices. In reality, the website linked from the ad aimed to phish for payment card details. Sebsequently, the criminals attempted to commit fraud using a "subscription model".
Example Facebook Ads (Fig. 11-12):
Figure 12 Fakes ads - sales for 9 PLN
Next, a form appeared requesting personal information and payment card details (Fig. 13).

Figure 13 Phishing sites
INCOMPLETE ADRESS - POLISH POST IMPERSONATION
Cybercriminals, impersonating Polish Post, informed about the need to update the address. A similar phishing campaign using Polish Post image occurred several times in 2023 and 2024.
Fake message (Fig. 14):

Figure 14 Fake sms message - impersonating Post Polish
Phishing sites (Fig. 15):

Figure 15 Phishing site - impersonating Post Polish
CONFIRM ADRESS VIA LINK - INPOST IMPERSONATION
Criminals impersonated courier companies, this time using InPost’s image, informing about the need to complete the delivery address. They encouraged clicking a link leading to a phishing site to steal payment card information.
Fake SMS message (Fig. 16):

Figure 16 Fake SMS - impersonating InPost
Phishing site (Fig. 27):

Figure 17 Phishing site - impersonating InPost
Yet another month of this year has demonstrated that criminals are constantly refining their methods of operation. We consistently believe that conducting informational and educational activities is crucial.
That's why news about cyber threats and fraudulent trends are also published on the following our social media platform: Twitter, LinkedIn and Facebook.