Beware this Argos number spoofing scam

A refund of £247 from an ‘overpayment’ to Argos sound too good to be true? That’s because this is a number spoofing scam. Have you received one?

The slow cooker I ordered from Argos back in September certainly didn’t cost £247, so when I got a text from them promising a refund of that much, I instantly questioned it.

But that’s not to say I wasn’t briefly excited about the unexpected windfall. At this time of year especially, that much money would go a long way.

The SMS not only looked legitimate, but also dropped itself into the chain of official texts I’d already received from Argos telling me my slow cooker was ready for collection.

Argos number spoofing scam

Number spoofing is one of the scams featured in our 12 scams of Christmas, where we tell people what they should watch out for at this time of year.

In this type of scam, fraudsters hijack a chain of texts from a legitimate organisation, such as your bank, a shop or a government department, to trick you into following a link.

Don’t follow the link

In the case of my message from Argos, I didn’t follow the link as I didn’t want to risk it. But often it will either take you to a site where you’ll be prompted to put in your personal and/or banking details, or the site could contain malware which will infect your phone.

These scams can cost victims thousands of pounds.

We told Argos about the scam message and a spokesperson said:

“Customers should always be mindful of phishing scams. This message is not from Argos and we are advising customers to delete it.”

The UK’s largest mobile providers recently pledged to stop fraudsters from being able to spoof banks by fixing a flaw in the system. This should go a long way to stop this type of fraud, but why hasn’t this been done sooner? And how long will it take to roll out to other industries?

Read more: how to spot a messaging scam

How to report a scam message

You can report scam and spam texts directly to your mobile phone provider by forwarding them to 7726, which is free of charge.

Never respond to scam texts, because this will just confirm that your number is live. Simply delete the text after you’ve reported it.

If you’re unable to forward the message or you can’t see the number it came from, you should report it to Action Fraud’s phishing tool.

Have you ever received any scam messages which were number spoofed? If so, who did they purport to be from and what did you do?

Comments

I am glad Which? has so much confidence in this “flaw fixing” by mobile operators, personally I don’t but time will tell.
On the same type of issue involving mobile phones the USA, always 10 steps ahead of the UK, has found a way of verifying BEFORE it reaches the recipient if the call is coming from where it should come from.
It’s done electronically in the exchange.
While it doesn’t apply to ordinary land-lines it does to all mobile traffic.
Many still didn’t believe me when I said it could be done but there you go.
Spoofing/scam calls etc will in the USA ONLY be reduced significantly but if the recipient still wishes to receive the call then that will be their lookout.
I can tell you now BT will be looking at this already in conjunction to what it plans some years down the road.

As nobody has added any posts to this convo I will.
You all know about the newish transference to HTTPS usually signposted as a green padlock and the much better security of website communication but I hope nobody gets carried away as to what technically it applies to.
It means you have much less chance of “man in the middle attacks” or of interception and translation but that’s all that it means. It does not amount to any protection once you reach the website, that website could be full of malware so for additional help you have to look at the certificate and check it.
Certificates can be given out free by one company I won’t name. All browsers have the means of checking certificates.
Spoofing of those green padlocks has already started so check the website certificate thoroughly, more to come.
Okay, read this:
By itself, https only means that you have an encrypted session with a web site. It does not tell you anything about the web site. To find out more about who you are connected to, you have to dig into the site’s security certificate. Most of the details in security certificates are gobbledygook to me, but there is one certificate field with information mere mortals like me can understand; Subject. It has details such as the company name, city, state, and country.
Click the lock next to the URL in the address bar, then;
* In Google Chrome, Certificate (Valid), Details tab, Subject field
* In Firefox, next to the top section, More Information, View Certificate, Details tab, Subject field.
* In Microsoft Edge, View certificate, the Subject fields are right there.
* In Internet Explorer, View certificates, Details tab, Subject field.

Does the Subject field data seem reasonable? If you think you are on Facebook and O (organization) is listed as Fakebook, Inc., or if you think you are on your North American banking site and C (country) is elsewhere, beat a hasty retreat!

DerekP says:
19 December 2018

I note the cunning spoof web address here:

argos.co.uk.customers-gateway-account.com/login

1) it starts with http not https

2) it contains argos.co.uk – Argos’ UK address as a sub-string, but followed by a dot instead of a slash

3) it’s a generic address – it doesn’t contain any customer or order related hash, which you might expect in specific correspondence

4) at least as of just now, this spoof url is red-flagged as dodgy here in Chromebook land.

My search engine and/or browser has blocked that URL, Derek. All the Argos references are https except companies overseas with the same title.
The first line on the webpage is the official one with a good DigiCert certificate, there again I have HTTPS Everywhere so I either get a block page and/or an additional note from the browser telling me it can’t reach the location.
It’s certainly made a difference to any perceived attack attempts, cutting out a lot of that type of spoofing.

Cary payne says:
21 December 2018

So many scams these days!
My latest one was a man of Asian persuasion telling me
I have a tax rebate & they need my account details to
transfer the money to my account!
Yeah course I will 😂😂😂
So I say hold on I will get you my details, so I have the
phone on speaker and I hear him getting irate as I sit
back with a cup of coffee laughing my head off!
Good fun if you’re bored. 😉

merlin says:
23 December 2018

whatever device, if your knowledge begins and ends with the on off switch

A student of Confucianism no doubt, Merlin?

DerekP says:
6 May 2019

In a related scam, I just received a text telling me that my PayPal account had been frozen and directing me to log in to a weblink a bit like “paypal.co.uk.xxxx.yy” to verify my bank details.

This turned out to be exactly the kind of phishing scam that PayPal warn their customers about.

I no longer use PayPal, so I was easily able to assume that the message would be a scam.

Investigating further showed that:

1) the link goes to a fake PayPal login page. If I had logged in with a real PayPal id and password, then the scammers would have got those details.

But, because it was a fake login page, it let me login with fake details.

The next page then required all my personal data and bank details – for the revalidation of my PayPal account. Again this would take data, after which it logged me out and asked me to log in again. Presumably at this point, it might even have pointed me at the real PayPal login page.

[This comment has been edited to remove personal information. Community guidelines: https://conversation.which.co.uk/commenting-guidelines ]
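
The address pattern picked out in the 19 December 2018 comment (argos.co.uk followed by a dot rather than a slash) and again in the 6 May 2019 comment (“paypal.co.uk.xxxx.yy”) can be checked mechanically by comparing hostname labels from the right. This is an added example, not part of the article or its comments; `TRUSTED_DOMAINS`, `hostname_of` and `classify_link` are names invented for it.

```python
from urllib.parse import urlsplit

# Assumption: domains this checker treats as genuine. argos.co.uk is named on
# the page; a real list would come from your own records.
TRUSTED_DOMAINS = ("argos.co.uk",)

# Constructed sample input. The second entry is the address quoted in the
# comment, written with the http scheme the commenter reports.
SAMPLE_LINKS = [
    "https://www.argos.co.uk/basket",
    "http://argos.co.uk.customers-gateway-account.com/login",
    "https://example.org/refund",
]


def hostname_of(url):
    """Return (scheme, hostname) for a link as it appears in a text message."""
    text = url.strip()
    # Links in SMS often omit the scheme; "//" makes urlsplit parse the host.
    parts = urlsplit(text if "://" in text else "//" + text)
    return parts.scheme.lower(), (parts.hostname or "").rstrip(".").lower()


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, notes); verdict is 'trusted', 'lookalike' or 'unrelated'.

    A hostname is read right to left: the site is whatever the name ends
    with. A trusted domain that appears earlier, followed by a dot, is just
    a subdomain chosen by whoever owns the domain on the right.
    """
    scheme, host = hostname_of(url)
    notes = ["plain http, not https"] if scheme == "http" else []
    labels = host.split(".")
    wanted = [d.lower().split(".") for d in trusted]
    # Trusted only if the hostname ENDS with the trusted domain's labels.
    if any(labels[-len(w):] == w for w in wanted):
        return "trusted", notes
    for w in wanted:
        # Same labels anywhere before the end: a prefix, not the site itself.
        if any(labels[i:i + len(w)] == w for i in range(len(labels) - len(w))):
            notes.append(".".join(w) + " appears only as a subdomain prefix")
            return "lookalike", notes
    return "unrelated", notes


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", classify_link(link))
```

A “trusted” verdict only says the hostname belongs to a listed domain, and the check covers the dot-separated pattern alone; hyphenated or misspelt names need other tests.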