Thoughts about latest phishing attacks 🐡

On social media, it seems there’s a drastic increase in phishing attempts. From various senders, various messages state a locked account needs verification. Or they are disguised as “confirmation codes” that someone tried to get access, and one should check with support here, if one, as the account owner, didn’t do that. And then they are phishing for personal details while concerned users try to get in contact with support: here is of course a fake website.

A lot of users are concerned that fraudsters had access to Revolut’s customer database. How else would they know that one has a Revolut account? Valid point. But here are some thoughts why I don’t think this is what’s happening.

There are numerous posts on social media from people that claim they were targeted even though they never had a Revolut account.

The majority of targets seem to be UK numbers. The phishing websites seem to be exclusively in English. It seems reasonable enough, considering those two things, that phone numbers are simply generated randomly.

The phishing attempts are clever, but very basic in design. More elaborate phishing attempts usually try to exploit knowledge about a person to be super convincing. If there had been a breach of Revolut’s customer database, I would expect more personalized, more convincing attempts. The text message phishing attempts rely on disguising the sender, and they take advantage of Revolut’s struggles with locked accounts. But there’s no indication that fraudsters actually know the targets.

Still, if the attacks are more targeted than simply generating thousands of random UK mobile phone numbers, there are other ways to verify if someone uses a service. Most digital services are affected by user enumeration vulnerabilities. Imagine a bot, running the app in an Android emulator on a computer, “trying stuff”.

The easiest way to identify those latest phishing attacks is: look closely at the linked URL. Anything that is not the original URL https://www.revolut.com/ is 99,999% fraud. Sub-domains can be valid (example: https://community.revolut.com/), but as soon as the actual domain, the last part with the .com at the end, is different: be extremely careful. It’s fraud more often than not.

Having said this: Revolut did use third parties in the past for surveys for example, so there are occasions where they send out links to other URLs.
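As an added example (not part of the original post, and not Revolut’s own code): a small Python check that applies the advice above. It keeps only the hostname of a link, ignores path, port and anything before an `@`, and accepts the link only if that hostname is `revolut.com` itself or ends in `.revolut.com`. The sample links are constructed to mirror the patterns the post describes.

```python
from typing import Optional
from urllib.parse import urlsplit

# The genuine registrable domain named in the post above; everything else
# is treated as suspect (constructed check, not Revolut's own logic).
LEGIT_DOMAIN = "revolut.com"

def extract_host(url: str) -> Optional[str]:
    """Return the lowercased host of a link, or None if it cannot be parsed.

    Only the host matters: path, query, userinfo ("name@") and port are
    ignored, because all of them can be dressed up to look like the real site.
    """
    url = url.strip()
    if "://" not in url:            # links in text messages often omit the scheme
        url = "http://" + url
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname           # strips userinfo and port, lowercases
    return host.rstrip(".") if host else None

def is_legit_link(url: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True only if the host is `legit` itself or a subdomain of it.

    The test is on the *end* of the hostname, so the genuine name used as a
    subdomain of someone else's domain, or a lookalike spelling, both fail,
    while a real subdomain such as community.revolut.com passes.
    """
    host = extract_host(url)
    if host is None:
        return False
    return host == legit or host.endswith("." + legit)

def triage(urls):
    """Label each link 'ok' or 'SUSPECT' using the check above."""
    return {u: ("ok" if is_legit_link(u) else "SUSPECT") for u in urls}

# Constructed sample links (not real phishing URLs) in the patterns described
SAMPLE_LINKS = [
    "https://www.revolut.com/",
    "https://community.revolut.com/t/some-thread",
    "https://www.revolut.com.account-check.example/login",   # real name as a subdomain
    "https://www.revolut.com@account-check.example/login",   # real name before an '@'
    "https://revolut-secure.example/unlock",                 # lookalike name
    "https://www.revoIut.com/",                              # capital I instead of l
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:8} {link}")
```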


If you encounter phishing, please forward it to support so their security team can try to take action against it.

Yeah, I got a smish last night. In the same thread as all my previous genuine Revolut notifications, which was a little weird. Didn’t click obviously.

Yes, unfortunately there’s no way for Revolut to prevent this. The “thread” is generated by the phone, based on the sender ID. And sender ID can be faked relatively easily. That’s why checking the link is super important.

Thanks. I presumed that would be the case but previous smishes I’ve had from other orgs have never gone that extra step successfully. Wasn’t actually a very good smish though so no danger!


Moreover the UK Government has a place to forward/report phishing emails and texts to iirc.

But to echo what @Frank has said, Revolut hasn’t been breached. They’ve just got the largest customer base among neobanks. But they also don’t have the robust phone support of regular banks. So while RBS or Lloyds would have a much broader range of attack in these regards, it’s much more unlikely to cause an issue for these banks’ customers considering their large financial prowess, decades of fraud detection and the easy ways that customers can get in contact within 3 rings of a phone.

Makes Revolut a great target because besides messaging in the app, you can’t really query it. Sometimes app wait times can be 10-30 minutes for Metal users. They should get a phone line and number that we can forward phishing texts to!

Hi,

Unfortunately I fell victim to one of these attacks. Got a text message that my account was temporarily locked and filled out the details they’ve asked for thus giving access to my account. Unfortunately when I realised it was too late. I called the Revolut number to block my card but every time I enter my phone number they say it’s incorrect (I tried +44, 0044 for a country code). They’ve obviously replaced my number in the app? I completely lost access to my card. And they managed to transfer GBP200 from my regular bank account before I blocked it. How can I reach out to anyone at Revolut without app access and automated service not accepting my number??? Please advise. Maria

I would head over to Twitter.

Morning. Can you help? I have recently received an email from no-reply@revolut.com requesting “Submit new ID”. This was a request for additional ID to confirm my UK address using my driving licence or passport. I can’t find any comments on the community pages that it might be a phishing email. Any advice would be greatly appreciated.

Thanks Flyhkb.

Thanks, just did. Hopefully it’ll help. The support at Revolut is poor when it comes to emergencies. I expect them to contact me first to let me know they detected fraudulent activity in my account like it happens with other banks (had the same situation with Lloyds and Bank of Ireland a few years ago, was resolved in no time). Also I constantly get notifications from the regular banks with fraud prevention messages… Is Monzo better in this regard?

I have had exactly this issue today. No account access - no app based chat - no web-chat… no person at the end of the phone… I had 450 quid in GBP and EUR - was actually in the app and had hit freeze on the card - before the app went blank… presumably as the fraudsters had gained access and changed access settings and will have unfrozen it, to boot. Gutted - I am usually so careful. Have cancelled linked cards to account etc… and am feeling like a right plum.

Go on the live chat with Revolut.
I would not respect an email like this.
