An SMS arrives on your cell phone saying that a huge amount of miles expires in the next few days. To redeem them, you must click on the message link and, there, enter your credit card details. But the site is fake, and the message, too. It’s a scam—and we explain how it’s done.
miles are the bait
A lot of people don’t even know what the card offers, the points usually win, and well, who doesn’t want to take the opportunity to get something that is available there and about to get lost, right?
The miles are just there for that: to get attention. Despite this, the objective is not to steal your points from the card. “What these criminals usually do is use these scams to gain access to their victims’ financial data and thus monetize the attack,” explains Daniel Barbosa, an expert in information security at ESET, to Techblog.
As they are usually associated with a credit card, it is a way to get to his data without causing great suspicion.
Barbosa comments that this is just one of the ways to hook the potential victim. “The devices for this are the most varied. Sometimes they are more seasonal topics, such as a religious holiday or commemorative date, but there are also scams that address more constant topics such as COVID vaccines, store promotions, registration updates and, of course, miles.”
And speaking of vaccine, ESET says it has registered a significant increase in phishing attacks in the pandemic.
no time to think
A common thread with many of these messages is feigning urgency — remember the SMS said the miles would expire in a few days, tomorrow or even today? This is part of the trick: not giving the victim time to think.
“This technique of pressuring victims with a sense of urgency unfortunately works a lot because it affects the psychological characteristics of human beings”, comments the specialist.
Rushing the target isn’t the only way to force the criminal to do what he wants. “There are several other ways, such as pretending to be a company or person the victim trusts, inducing the victim to believe that she did something wrong or arousing curiosity about a certain topic.”
The more targets the better
Maybe you think these scams are too sloppy. After all, you will never click on a link if you don’t have an X bank account, Y card or Z frequent flyer program mentioned in the SMS.
The issue here is scale: it’s easier to send the same message to as many people as possible, without trying to filter out who is a customer for each company. And this strategy is also more effective for profiteers.
“Many attacks are carried out on a large scale to increase the chances of criminals making new victims, and they know that many victims fall for these scams, even though they are not customers of the companies that the criminals pretend to be”, explains Barbosa.
O Techblog collected some prints of messages of this type received on different dates. Fake sites use company and program names — “livelo”, “bb”, “itau”, “points”, “rescue” and so on — and combine the terms to look like real sites.
Accessing these pages, however, is more difficult: practically all of them have already gone offline. Services such as Wayback Machine, which records a history of websites, also did not keep a copy. According to ESET, this may be an action by providers, but it is also part of the criminals’ modus operandi.
“Many of the campaigns don’t even last weeks, some of them are only on the air for a few hours, and still this time is enough for victims to fall for the coup”, says the specialist of ESET.
Tips for not falling for miles scam (and others)
Barbosa lists a series of behaviors and attitudes that help prevent you, in a moment of carelessness, from becoming another victim.
The first is do not follow procedures indicated in the message. The expert points out that real companies usually do not have them click on the link, but rather look for their official service channels, such as phone, website and apps.
Afterwards, it’s worth it suspect. Scammers will do anything to get your attention and force you to act quickly: miles that expire soon, high debts in your name and immediate need for registration updates are some of the ways to get you to act soon and fall into the trap.
The rule is to think twice even if the instruction comes from a friend or family member. “Many scams instruct victims to forward links via WhatsApp/email, so be suspicious even if you receive something from people you know.”
Other solutions include have an updated antivirus, which can help detect suspicious activity on your devices, and stay on top of the news about the latest scams being applied.