URGENT: Warning against a phishing campaign that abuses the identity of Slovenská pošta

The National Cyber Security Centre SK-CERT warns against the ongoing campaign that abuses the identity of Slovenská pošta. The campaign is currently running via SMS messages (also called smishing). However, the attacker may also abuse other forms of communication (e.g. e-mails).

This is a large-scale phishing campaign. It uses statements that are not based on truth. A real goal of the campaign is to lure a victim into revealing a credit card number as well as personal data.

The principle of the campaign is that the attacker sends you an SMS informing you of the delivered package. Afterwards, you have to click on the link that leads to a fraudulent page. Here, you need to enter information about your payment card. Then, you are asked to enter an SMS token, which immediately comes to your phone number. The attacker, on the other side, uses this information and enters the payment card directly into payment systems via mobile devices (Apple Pay, Google Pay, Garmin Pay, etc.). Subsequently, the attacker can pay with his mobile phone without an additional verification through your bank (3D Secure Authentication), which is already mandatory today.

3D Secure Authentication is a method of additional verification of a financial transaction. For any payment where you do not pay in person with a card in the store or restaurant (the payment is not made physically through a POS terminal), but for example via the Internet (in an e-shop where you do not attach a card directly to the terminal), a temporary password for a particular transaction is issued to the user. This password can be received, for example, with an SMS code or via a special application of the bank, which, among other things, verifies such payments. Subsequently, during the transaction, the user is asked to enter this password for confirmation. From 1 January 2021, the verification with 3D Secure is a mandatory procedure that must be supported by all banks and merchants.

The National Cyber Security Centre SK-CERT in connection with this campaign and also other phishing campaigns RECOMMENDS the following:

  • First of all – do not respond, do not react and do not click.
  • If you received such an SMS or text message, slow down and give it some thought. Ask yourself simple questions – Have I really ordered a package? Can anyone ask me to do this?
  • Never provide your personal and financial data via SMS and text messages or links therein. No one except you is entitled to them. Under no circumstances should you enter your personal/login details on websites that are in any way suspicious or have no reason to request similar information.
  • If you receive an SMS message with a token to confirm the payment or to confirm another activity, neither give this token to anyone nor write it down. Such SMS tokens should confirm only activities initiated by you.
  • Do not trust the sender, whether it is a phone number or a name. The attacker can disguise himself as a trusted name or phone number. Therefore, always check such messages via official channels.

If you have received such a smishing message via SMS, please report it to us. There are two ways how to do it:

  • forward this SMS together with the phone number of the sender and recipient (your phone number) to our phone number + 421 903 993 706;
  • copy the SMS message together with the phone number of the sender and recipient and send it to an e-mail: incident@nbu.gov.sk. Please, follow this procedure also in the case of text services such as Whatsapp and Facebook Messenger.

« Späť na zoznam