Overview of selected scams - October 2024

We present the report on identified threats and the methods of operation used by criminals in October 2024. This document highlights selected risks to customers of Polish banks. We encourage you to review the material.
The document does not cover threats that have been known for many months and were described in an earlier report, such as the "classicscam", phishing schemes posing as streaming platforms, fake shops and others. It is essential to remember, however, that these scenarios are still being used by criminals, and we must continually work against them.
FALSE INVESTMENT SCHEMES
A well-known but still very popular fraud scenario is fake investments. In this scam, cybercriminals impersonate famous people or institutions to entice potential victims to invest money with promises of high returns, which instead results in significant financial losses. In October 2024, CSIRT KNF analysts reported for blocking 277 fake profiles that posted fake investment ads (fig. 1).
Figure 1 Fake investment ads distributed on the Facebook platform
In October 2024, a common theme in these ads was artificial intelligence (fig. 2).
Figure 2 Fake investment ads distributed on the Facebook platform
After clicking the link in the advertisement, the victim was directed to a website where the criminals attempted to obtain their contact information fraudulently (fig. 3-4).
Figure 3 Fake Invest - contact data phishing page 1/2

Figure 4 Fake Invest - contact data phishing page 2/2
It is worth noting that in October 2024, most of the detected ads pertained to the second stage of the described scheme. In this stage, the criminals deceive individuals who were previously scammed, under the pretense of a supposed opportunity to recover the money they had initially lost. In reality, this is another attempt to defraud individuals who have already fallen victim to this scenario once before (fig. 5).

Figure 5 Fake invest - second stage of the described scheme
IMPERSONATING POLISH BANKS
Criminals exploit the image of well-known institutions to increase the credibility of phishing campaigns, which is why they regularly impersonate Polish banks. In doing so, they fraudulently obtain information such as payment card details, online banking credentials, and BLIK codes. In October 2024, the preferred methods for distributing fake websites impersonating banks were SMS, social media ads and Google ads.
SMS YOUR BANKING IS EXPIRING - FRAUDULENT SMS MESSAGES
Criminals impersonated BNP Paribas Bank and Santander Bank Poland by sending SMS messages. They falsely claimed that access to online banking was expiring. They encouraged users to click on the link included in the message. In reality, it led to a phishing website designed to resemble a legitimate one, with the goal of stealing login credentials for online banking.
Example SMS messages and phishing sites (fig. 8-9):

Figure 8 Bank impersonation - SMS messages and phishing site 1/2

Figure 9 Bank impersonation - SMS messages and phishing site 2/2
EXTRA 3% ON YOUR DEPOSIT: FRAUDULENT ADS ON THE FACEBOOK PLATFORM
Criminals impersonating Polish banks published ads on the Facebook platform, claiming the possibility of receiving an additional 3% on deposits. In reality, the link led to a phishing site, where the attackers attempted to steal online banking login credentials.
Example fake ads (fig. 10):
Figure 10 Fake ads - impersonating Polish banks
IMPERSONATION OF IPKO BIZNES, GOOGLE SEARCH POSITIONING
Criminals impersonating PKO Bank Polski purchased ads on Google search and linked them to fake websites closely resembling the login pages for the bank's electronic banking services for business clients. By doing this, the attackers exploited search engine positioning. When users entered a search query on Google intending to find the legitimate banking site, the top results displayed were paid advertisements, which in this case were fraudulent sites. This approach aimed to deceive users into disclosing their electronic banking login credentials.
Example fake ads (fig. 11):

Figure 11 Google search positioning - impersonation of PKO Bank Poland
DO YOU WANT THE PACKAGE? CLICK ON THE LINK!
Criminals impersonated courier companies, this time using the branding of Poczta Polska, claiming that the delivery address needed to be completed. They encouraged clicking a link leading to a phishing site to steal payment card information.
Fake e-mail messages and phishing sites (fig. 12):

Figure 12 Phishing e-mail and website - impersonation of Poczta Polska
Yet another month of this year has demonstrated that criminals are constantly refining their methods of operation. We consistently believe that conducting informational and educational activities is crucial.
That's why news about cyber threats and fraud trends is also published on our social media platforms: Twitter, LinkedIn and Facebook.