Scams latest

by Mark Rowe

One of the social and technical changes during the Covid pandemic has been meal kit delivery companies meeting lockdown demand for do-it-yourself recipe kits. A number of scam campaigns have been impersonating these companies, such as Gousto, over the last few weeks, a cyber firm reports.

Tessian suggests this is a clear attempt to capitalise on the latest trend in consumer demand. Tessian is warning users of the phishing scams and smishing attacks (phishing scams sent via text message) that claim to be from meal kit delivery companies.

Several of the phishing campaigns, sourced from Twitter, impersonate Gousto and ask users to rate the delivery to enter a prize draw, linking them to a fake website that is designed to steal personal and financial information, or harvest all-important account credentials. As Tessian added, thousands of these SMS and WhatsApp messages are typically sent out at the same time. Some of the scam texts are convincing; some have basic spelling errors.

Spelling errors are a tell-tale sign that it is not from a legitimate source; brands will rarely make such mistakes in their marketing campaigns, said Tim Sadler, CEO and co-founder of Tessian. “Also, keep an eye out for business and customer messages from unknown numbers or numbers starting with a local area code such as +44, as these are regularly associated with scam texts.

“Throughout the pandemic, we’ve seen cybercriminals jump on trending topics and impersonate well-known brands, with increasing sophistication. Often, scammers will register new web domains to set up convincing-looking fake websites, luring their victims to these pages using phishing scams, and then harvest valuable information.

“These scams are getting harder and harder to spot, with the perpetrators regularly coming up with new tactics to convince users to follow their link and input their confidential data. A general rule of thumb is that, if you’re ever not sure if something is a scam, then assume it is. You can always verify a message’s legitimacy with the company directly.”

Gousto has acknowledged the scams and has responded to users via Twitter.

Meanwhile, the Chartered Trading Standards Institute (CTSI) has reported texts purporting to be from the online payment platform PayPal. The texts mimic official messages that inform the recipient that someone has logged into their account. They then ask the recipient to tap a link to a bogus website to report if this was not them. The website requests the account’s login details, supposedly for verification and “(to) secure your PayPal account”, but the page sends the information to scammers, who may gain access to the PayPal account.

CTSI Lead Officer, Katherine Hart, said: “Many millions of people now use PayPal as a payment method and the surge in online shopping due to COVID-19 restrictions makes this scam particularly dangerous in its potential impact. The public should verify with PayPal directly before engaging with any message, and they should forward scam texts to 7726, a free reporting service run by Ofcom. The public should report scams such as this so that authorities can get a complete picture of the scale of this problem.

“So many people are bombarded by scam messages at this time, and we must inform our friends, family and social groups about this to mitigate the impact of these scams.”

And Adrien Gendre, chief product officer at the French email security company Vade, said that criminals are targeting people in Britain and across the world using fake CBD emails. “We often see phishers try to play on people’s fears, with recent scam emails using false promises of Covid ‘cures’ to trick victims into clicking on dangerous links or downloading malicious files.

“These CBD scams are particularly cynical, because many people use this cannabis-derived substance as an alternative medicine and believe it offers pain relief or treats anxiety. It’s upsetting to think that cyber-criminals would target people who have long-term illnesses or suffer from chronic pain. But that’s exactly what’s happening here. This latest scam hammers home an important anti-phishing message: be careful what you click on. If you’re a business owner or work in the IT department of a large enterprise, you should combine the very best email defence systems with education programmes to make sure employees can spot a phishing email.

“Remember: it only takes one careless click for hackers to gain access to a network and start to do serious damage. Once this happens, no amount of CBD will ease the financial and reputational pain of a hack.”


© 2024 Professional Security Magazine. All rights reserved.