Cyber criminals have launched an audacious online scam designed to trick Marks and Spencer (M&S) customers into handing over confidential data by attempting to impersonate the famous High Street retailer’s CEO Steve Rowe.
The fraudulent adverts, uncovered by the Parliament Street Think Tank’s cyber research team, were launched via social networking site Facebook from an unverified page entitled ‘Marks and Spencer Store’.
Users have been bombarded with adverts showing a man (who’s not Steve Rowe) holding M&S-branded bags accompanied by the message: “Hello everyone. My name is Steve Rowe and I’m the CEO of Marks and Spencer. I’ve an announcement to make. To celebrate our 135th Anniversary, we’re giving EVERYONE who shares and then comments by 11.59 pm tonight one of these mystery bags containing a £35 M&S voucher plus goodies! Make sure you enter here [URL].”
The fake URL takes unsuspecting users to an M&S-branded portal where they’re asked for their name, address, mobile phone number and bank details including sort code and account number in order to ‘enter’ the prize draw.
Around 150 members of the public had identified and reported the scam, which was flagged to consumer groups and raised as an issue on social media.
In a statement, Marks and Spencer commented: “We have been made aware of this advert and it isn’t genuine. Our colleagues are investigating further.”
Cyber security expert Andy Heather, vice-president of Centrify, observed: “With more people than ever committed to online retail shopping due to COVID-19, it’s likely that we’ll see a surge of ‘exclusive’ or ‘one-time only’ deals pop up on social media, via e-mail and through SMS messages over the course of the next few months up until Christmas. Unfortunately, many of these sales and deals, much like this M&S one, will be a scam designed to steal confidential data, such as payment details or log-in credentials.”
Heather continued: “If people may have already fallen victim to a scam of this nature, it’s essential that they take proactive measures to stop these scammers in their tracks. This requires individuals to report these scams to the impersonated brand, freeze bank accounts and change log-in details. It’s very common for attackers to hold on to stolen log-in credentials for months after an attack, waiting for the victim to drop their guard before re-breaking in to other accounts protected by the same password.”
Tim Sadler, CEO at Tessian, explained: “Phishing scams don’t just reside in your Inbox. Hackers are increasingly using social media as another hunting ground for their victims. With the lure of a prize giveaway, cyber criminals are hoping that people will click the URL link to ‘enter’ the competition. Those that do click are led to a malicious website that prompts them to enter valuable personal information and credit card details.”
Sadler concluded: “As we head into the busy pre-Christmas shopping season, we can only expect to see more of these types of ‘sale’ scams emerge online. Treat these posts just like you would any phishing e-mail. Ask yourself if this deal seems legitimate and verify the identity of the person requesting you to take action before clicking on any links. In this instance, the scammers have used a picture of someone who isn’t the CEO of M&S. If you’re still unsure, visit the retailer’s website and official social media channels to cross-check that the deal has been mentioned elsewhere.”