
In recent weeks, cyber criminals have been conducting widespread smishing campaigns aimed at defrauding customers of major UK mobile networks Vodafone and EE. These campaigns attempt to lure victims into giving up their credit card details under the guise of redeeming reward points for free products.

How the scam plays out

The scam begins with an SMS message appearing to come from the recipient’s mobile carrier. The message claims the recipient can redeem “bonus points” by visiting a website link included in the message. The urgency is heightened by stating there are only a limited number of days to claim the points on products like headphones and other small electricals.

Smishing text received. 

If the victim clicks the link, they are taken to a fraudulent website mimicking the legitimate mobile carrier’s branding. After selecting a supposed free reward product, they are prompted to enter personal information and credit card details, under the pretext of paying a small delivery fee. 

Fake rewards offered to those visiting. 

However, this is simply a ploy to trick victims into handing over their payment details. Entering the one-time passcode sent by the bank in this process allows the criminals to fraudulently add the victim’s card to a digital wallet under their control. 

Fake phone carrier’s website where users are prompted to fill in their personal and payment info. 

At this stage, the fraudsters have everything they need to make unauthorised purchases using the stolen credit card credentials. Meanwhile, the victim is left under the impression they have legitimately paid a delivery fee for the promised free gift. 

Defending Against Smishing

To avoid falling victim, it’s crucial to be wary of any unsolicited text messages promising free rewards, even if they appear to come from a trusted company. Legitimate businesses should never ask you to re-enter payment details or one-time codes in this manner.

Never click on links in suspicious SMS messages. If you have inadvertently entered information on a suspected scam website, contact your bank immediately to place a hold on the compromised card and dispute any unauthorised transactions.

You can report smishing attempts to 7726, a free spam text reporting service, by forwarding the message to this number. Android users can also utilise the “Report Spam” feature in the messaging app for suspicious texts.

Reporting fake websites: you can report a suspected fake or fraudulent website to the NCSC by completing the online form.