Shoppers are being warned of a convincing scam that promises a free £100 John Lewis voucher to “celebrate the retail giant’s 96th anniversary”.
Victims are sent a message via WhatsApp which says: ‘Johnlewis is giving away a £100 voucher to celebrate its 96th anniversary. Enjoy and thanks me later’. The message appears to be from the recipient’s family and friends which adds further credibility to the scam and tricks unsuspecting victims.
However, the message does contain a number of grammatical and spelling errors which is often a red flag to look out for on phishing scams.
In order to claim the voucher, recipients must visit a convincing phishing website which is set up to harvest personal information, such as full name, age and postal address. Using this information, cybercriminals can then sell the data, exploit it to break into other accounts, attempt to steal identities or even hold the data ransom.
These types of smishing attacks are growing more prominent today as cybercriminals turn to another medium that users trust more than their email. With more than 90% of SMS text messages opened within 3 seconds, this evokes the sense of urgency that is a necessity for a social engineering attack to take place.
The fraudulent website includes a countdown of remaining vouchers to encourage victims to act quickly and create a sense of urgency. This is a common trait of phishing scams that attempt to drive an emotional reaction and exploit a users’ desire for reward and personal gratification.
It then pretends to work out if they are qualified to get a voucher, before asking for details of which store the victim would like to visit and their address. In an effort to spread the scam further, recipients of the message are also asked to forward the offer with their WhatsApp contacts.
To add further legitimacy, the website displays the John Lewis logo and contains the brand name within the URL.
The John Lewis scam comes at a particularly tempting time in the lead up to Christmas and as savvy shoppers continue to seek Black Friday and Cyber Monday bargains.
A spokesperson from John Lewis told The Sun: “John Lewis & Partners takes Cyber Security very seriously. If a customer receives the scam message they should delete it immediately and avoid clicking on the link. We’ve alerted Action Fraud and are investigating further as a matter of priority.”
With more people than ever getting caught out by phishing scams and clicking on URLs that are designed to steal sensitive information, there are a number of simple ways to protect yourself and your business from phishing.
- Never click on links or download attachments from unknown sources.
- Always verify the security of a website.
- Pay close attention to the spelling of an email or web address, if there are any inconsistencies, delete immediately.
- Verify all links sent by family and friends to confirm they knowingly sent you the specific link.
- Ignore and delete emails with poor grammar and formatting.
- Never respond to a text message that conveys a high sense of urgency or panic and demands immediate action.
- Use strong passwords to reduce the chance of devices being hacked and use different passwords for different accounts.
- Question the validity of any email that asks you to submit personal or financial information.
MetaPhish has been created to provide a powerful defence against these threats and enables organisations to find out just how susceptible their company is to attack. If you would like to find out more about how MetaPhish can be used to protect your business, then get in touch for further information.