On social media there seems to be a drastic increase in phishing attempts. Messages from various senders state that a locked account needs verification. Others are disguised as "confirmation codes": someone supposedly tried to get access, and the account owner should check with support here if that wasn't them. Either way, the goal is to phish personal details from concerned users who try to get in contact with support: the linked "support" site is of course a fake.
A lot of users are concerned that fraudsters had access to Revolut's customer database. How else would they know that one has a Revolut account? That is a valid point. But here are some reasons why I don't think this is what's happening.
There are numerous posts on social media from people who say they were targeted even though they never had a Revolut account.
The majority of targets seem to be UK numbers, and the phishing websites seem to be exclusively in English. Given those two things, it seems reasonable that the phone numbers are simply generated at random.
The phishing attempts are clever, but very basic in design. More elaborate phishing attempts usually exploit knowledge about a person to be really convincing. If there had been a breach of Revolut's customer database, I would expect more personalized, more convincing attempts. These text message phishing attempts rely on a disguised or spoofed sender and take advantage of Revolut's struggles with locked accounts. But there is no indication that the fraudsters actually know anything about their targets.
Even if the attacks are more targeted than simply generating thousands of random UK mobile numbers, there are other ways to check whether a given number uses a service: user enumeration. Many digital services leak, through their sign-up, login or password-reset flows, whether an identifier is already registered, for example by returning a different error message (or a measurably different response time) for known and unknown numbers. Imagine a bot running the app in an Android emulator on a computer and "trying stuff" with a long list of numbers.
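To make the enumeration point concrete, here is an added example that is not code from the original post and not Revolut's API: a toy login endpoint whose error text reveals whether a phone number is registered, the hardened version with one generic message and equal work on both paths, and the kind of bot that abuses the leaky one. The phone numbers, passwords and the `_h` hash stand-in are constructed for this illustration.

```python
"""Added example (not from the original post, not Revolut's code): a toy
login endpoint with a user-enumeration weakness, its hardened form, and
the bot that abuses the weakness. All accounts and numbers are constructed."""

import hashlib
import hmac


def _h(pw: str) -> bytes:
    # Stand-in for a real password hash such as argon2 or bcrypt.
    return hashlib.sha256(pw.encode()).digest()


# Constructed sample: accounts registered with the toy service.
USERS = {
    "+447700900101": _h("hunter2"),
    "+447700900222": _h("correct horse"),
    "+447700900333": _h("letmein"),
}
# Hash used for unknown accounts so the hardened path always does a compare.
DUMMY_HASH = _h("dummy-value-for-unknown-accounts")


def leaky_login(phone: str, password: str) -> dict:
    """Vulnerable: the error text reveals whether the number is registered."""
    stored = USERS.get(phone)
    if stored is None:
        return {"ok": False, "error": "No account for this phone number"}
    if hmac.compare_digest(_h(password), stored):
        return {"ok": True, "error": None}
    return {"ok": False, "error": "Incorrect password"}


def hardened_login(phone: str, password: str) -> dict:
    """Hardened: one generic message, and the same hashing and comparison
    work on both paths, so neither the text nor the timing distinguishes
    'unknown number' from 'wrong password'."""
    stored = USERS.get(phone, DUMMY_HASH)
    match = hmac.compare_digest(_h(password), stored)
    if phone in USERS and match:
        return {"ok": True, "error": None}
    return {"ok": False, "error": "Invalid phone number or password"}


def enumerate_numbers(login, candidates):
    """What the bot does: probe every candidate with a junk password and
    keep the numbers whose error differs from a known-unknown baseline."""
    baseline = login("+440000000000", "junk")["error"]  # assumed unregistered
    return [n for n in candidates if login(n, "junk")["error"] != baseline]


# The bot's input: a block of sequential UK-style mobile numbers
# (constructed; 07700 900000-900999 is the range Ofcom reserves for fiction).
CANDIDATES = [f"+44770090{i:04d}" for i in range(0, 1000)]

if __name__ == "__main__":
    print("leaky endpoint leaks   :", enumerate_numbers(leaky_login, CANDIDATES))
    print("hardened endpoint leaks:", enumerate_numbers(hardened_login, CANDIDATES))
```

Run against the leaky endpoint, the bot recovers exactly the three registered numbers out of a thousand guesses; against the hardened endpoint it recovers nothing, because every failed attempt looks the same. Rate limiting and CAPTCHAs raise the cost further, but the generic response is what removes the signal.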
The easiest way to spot these latest phishing attacks is to look closely at the linked URL. Anything that is not Revolut's own address, https://www.revolut.com/, is 99.999% fraud. Subdomains can be legitimate (for example https://community.revolut.com/), but as soon as the actual domain, the part immediately before the trailing .com, is anything other than revolut.com, be extremely careful: it is fraud more often than not. The name "revolut" appearing somewhere in the link means nothing if it is only a subdomain or prefix of a different domain.
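The rule above, that only the registrable domain counts, is easy to apply mechanically. The following is an added example, not code from the original post: it parses a link, requires https, and accepts only revolut.com or a subdomain of it, so lookalikes that put "revolut" in front of someone else's domain, user-info tricks of the form `https://www.revolut.com@other-domain/`, and plain http all fail. The sample SMS texts and the lookalike domains in them are constructed for illustration and are not real phishing domains.

```python
"""Added example (not from the original post): check whether a link in a
text message really points at revolut.com. Sample messages are constructed."""

import re
from urllib.parse import urlsplit

LEGIT_DOMAIN = "revolut.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_legit_revolut_url(url: str) -> bool:
    """True only if the URL uses https and its host is revolut.com or a
    subdomain of it. Everything else the post warns about fails:
    other domains, 'revolut' as a subdomain of another domain, user-info
    tricks (https://www.revolut.com@other/), and plain http."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # urlsplit strips userinfo and port for us
    if not host:
        return False
    host = host.lower().rstrip(".")
    # Lookalike characters (Cyrillic 'е', digit 1 for l) never compare equal,
    # so homoglyph domains fall through to False as well.
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def suspicious_links(message: str) -> list:
    """Return every link in a text message that fails the check."""
    return [u for u in URL_RE.findall(message) if not is_legit_revolut_url(u)]


# Constructed sample SMS texts in the style the post describes.
SAMPLE_SMS = [
    "Revolut: your account has been locked. Verify at "
    "https://revolut.com.account-check.example/verify",
    "Your confirmation code is 482913. If this wasn't you, contact support: "
    "https://www.revolut.com@secure-login.example/",
    "Join the Revolut community: https://community.revolut.com/",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(suspicious_links(sms) or "no suspicious links", "<-", sms)
```

The first two messages are flagged (the real host is account-check.example and secure-login.example respectively), the third is not. A flagged link is a reason for extreme care rather than proof of fraud, since legitimate third-party links do occasionally go out, but a link that passes this check at least points at the domain it claims to.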
Having said this: Revolut has used third parties in the past, for example for surveys, so there are occasions where they do send out links to other URLs.