Cyber criminals launched an online scam designed to trick customers of U.K.-based retailer Marks and Spencer (M&S) into handing over confidential data by impersonating the retailer’s CEO Steve Rowe. The fraudulent advertisements, uncovered by the Parliament Street think tank’s cyber research team, have been launched via social networking site Facebook from an unverified page entitled “Marks and Spencer Store.”
Users were bombarded with advertisements showing a man holding M&S branded bags, who is not Steve Rowe, accompanied by the message, “Hello everyone, my name is Steve Rowe and I am the CEO of Marks and Spencer! I’ve an announcement to make – To celebrate our 135th Anniversary, We are giving EVERYONE who shares & then comments by 11.59pm tonight one of these mystery bags containing a £35 M&S voucher plus goodies! Make sure you enter here [URL].”
Said Tim Sadler, CEO, Tessian: "Phishing scams don't just reside in your inbox; hackers are increasingly using social media as another hunting ground for their victims. Using the lure of a prize giveaway, cybercriminals are hoping that people will click the URL link to 'enter' the competition. Those that do click are led to a malicious website that prompts them to enter valuable personal information and credit card details."
The fake URL takes users to an M&S branded portal where users are asked for their name, address, mobile phone number, and bank details including SORT code and account number in order to ‘enter’ the prize draw.
Thus far, according to Parliament Street, around 150 members of the public have been identified and have reported the scam, which has been flagged to consumer groups and raised as an issue on social media.
In a statement via social media, Marks and Spencer commented, “We have been made aware of this and it isn't genuine, our colleagues are investigating further.”
Cyber security expert Andy Heather, VP, Centrify, commented: "With more people than ever committed to online retail shopping due to Covid-19, it’s likely that we’ll see a surge of ‘exclusive’ or ‘one time only’ deals pop up on social media, via email, and through SMS messages, over the course of the next few months up until Christmas. Unfortunately, many of these sales and deals, much like this M&S one, will be a scam, designed to steal confidential data, such as payment details or log-in credentials."