/ Scams

Warning: fake supermarket Facebook posts shared thousands of times

Spoof Facebook accounts posing as Iceland and Morrisons have had their fake posts shared tens of thousands of times. Have you seen them?

You might have seen friends, family and members of public groups on Facebook sharing posts purporting to be Iceland and Morrisons lately.

The posts state that the supermarkets have ‘thousands of food products due to expire’ that they’d ‘normally bin’, but are instead giving it all away to anyone who shares and comments on the post. The cost of living crisis is even referenced, with the posts mentioning that they ‘know times are tough at the moment’.

These posts are fake and are nothing to do with Iceland or Morrisons. But that hasn’t stopped a combined 52,000 people from sharing the two examples we’ve seen with their Facebook friends.

Fake Iceland Facebook post

A spokesperson for Iceland said:

“This is not an Iceland Foods official account, and has no connection with our business. We are working with Facebook to have this removed as soon as possible, as we are seeing more and more of these type of pages and sites. We urge all of our customers, especially when a prize is offered, to triple check the page and its content and use the report function if any concern is raised.”

 

Fake Morrisons Facebook post

We reported this fake post to Morrisons as soon as we were made aware. A spokesperson said:

“These social media posts are designed by third-parties posting as Morrisons, for the purpose of fraudulent activity. Please do not click any links, open attachments or enter personal information. This is not a genuine post from Morrisons.”

How do fake Facebook posts work?

The goal of these posts is often to reach as many people as possible in the hope that some of them will click through to websites that request personal information. This will likely include contact information and, in some circumstances, bank details by requesting a card payment.

In a similar case in 2020, fake posts purporting to be from Currys were shared thousands of times on Facebook, telling people they could win a free TV if they tagged in three friends.

Like old-fashioned chain mail, the more people who share these posts, the more who will see them and pass them on. Eventually posts like these will have been seen by hundreds of thousands, if not millions of people, which will only make them appear more genuine.

As a result, the fake pages behind the posts will also build up a following. The fake Morrisons page we’ve seen has attracted more than 3,500 ‘likes’ – in other words people who are subscribed to the page’s content. This puts those people at risk of seeing more fake posts, and sharing them again with their Facebook contacts.

Spotting and dealing with Facebook fakes

As with the majority of scams and fakes that we warn the public about, these posts are offering something for nothing with a looming deadline. They’re attempting to rush people into sharing them without conducting any scrutiny.

Guide: how to spot a scam

You may have noted the absence of the blue ‘verified’ badge next to either account name in the above examples. Both Morrison’s and Iceland’s genuine Facebook pages have them – posts originating from from their legitimate pages will be accompanied by that tick:

We showed both posts and fake pages to Facebook. A spokesperson for Meta, the parent organisation, said:

“Fraudulent activity is not allowed on our platforms and we’ve removed the page brought to our attention. Major brands, such as Iceland Foods, are verified on Facebook. We’d recommend being wary of giving personal details to pages claiming to be major corporations without a blue tick by their name.”

If all you’ve done is share the fake posts on Facebook then you may want to reach out to your contacts and let them know not to click through on any of their links. However, if you’ve gone further and submitted personal information via the websites, be very wary of any follow-up contact on the details you gave.

If you think you’ve given bank details to fraudsters, let your bank know what’s happened immediately.

Guide: how to get your money back after a scam

Have you seen these fake posts on Facebook? Have you spotted other supermarkets and brands being spoofed by fake pages? Let us know in the comments.


Comments

The goal of these posts is often to reach as many people as possible in the hope that some of them will click through to websites that request personal information. This will likely include contact information and, in some circumstances, bank details.

It would be useful to expand on this – just what personal and bank details would be requested that could lead to fraud?

As far as I know, simply giving someone my name, bank sort code and account number should not lead directly to fraudulent use of my account. This information is routinely given and anyone who receives a cheque will see this. So what other information do people give out in response to these potential scams?

Malcolm r, providing a name, sort code and account number can absolutely lead to fraud. It has been discussed in other forums how scammers can set up Direct Debits to fraudulently obtain funds from Bank accounts.

A scammers is unlikely to gain approval directly with a Bank to become part of the Direct Debit scheme, but they can process Direct Debits through Merchants/Payment Processors. Under normal circumstances, reputable organisations setting up Direct Debits via a Merchant/Payment Processor would follow the Direct Debit Scheme rules, such as informing a consumer in writing and in advance before any funds are debited, but of course scammers will not do this and therefore consumers are unaware funds will be debited from their account. Typically, scammers will set up a Direct Debit for small monthly amounts in the hope these go unnoticed.

Consumers should therefore avoid disclosing ANY financial details whatsoever.

Thanks Wingman. The point I was making was that simple bank details are available from cheques.
I check my bank statement every month and reconcile it with payments I record, so would immediately spot an unexpected payment. I would be happy in the knowledge that my bank will refund any fraudulent payments taken from my account if all I have done is given away name, sort code and account number. I would not, on principle, normally disclose those to an unknown person and certainly not any other personal information.

As you indicated, account details are available on cheques, but as so few cheques are used these days, the risk of a cheque falling into the hands of an unscrupulous individual is relatively low.

The Direct Debit scheme rules are quite rigid and Banks have a responsibility to refund consumers once it has been identified the Direct Debit was set up fraudulently, so in general consumers have a high level of protection.

Malcolm wrote: “As far as I know, simply giving someone my name, bank sort code and account number should not lead directly to fraudulent use of my account.”

I believed that until Roger Pittock provided an example of account details being used to set up a direct debit: https://conversation.which.co.uk/scams/financial-ombudsman-service-psr-code/#comment-1640250

Yes, he did. But my point was that the information is, and has always (as far as I know) been on cheques, and while they are much less used now the principle is that this is not personal information we are told not to disclose. I was asking just what personal information these fraudsters request that we should not disclose that would lead to fraud and George has clarified that.

I have exchanged account name/account number/sort code with people to receive payments and have never had a problem but I hope that it would no longer be possible for someone to set up direct debit payments using this information.

I would like to see an investigation of whether the CVV printed on the back of debit and credit cards is supporting crime. The CVV is, like a PIN, supposed to be confidential information, so why print it on cards? It would be easy to place an online order and ask for it to be delivered to an alternative address. When I receive a new card I erase the number after making a note of it in case someone saw it when I was using the card. The banks have improved security in recent years but perhaps there is more that can be done.

I have never understood what contribution the CVV number makes to personal security.

It was introduced to ensure that when something was being purchased by telephone the person would actually have to have the credit card in their hand in order to read out the CVV. It then, intentionally or otherwise I don’t know, became a requirement for every purchase whether by mail order, telephone, or on-line and our CVV’s have joined all the other details that are no doubt in the scammers’ databases.

In the early days of credit cards it was not possible to order anything for delivery anywhere other than to the cardholder’s registered address. That soon went for an early bath as it stopped people sending flowers to their mother.

You are right about the former restriction on delivery to the cardholder’s address, John. To be able to arrange delivery to our post room at work I had to register a credit card under my work address. That remained in place for years until I retired.

PIN and CVV are both regarded as confidential information. It would be foolish to write your PIN on a card yet most cards have the CVV printed on them.

Someone might steal your credit and debit card details online but will not see your CVV unless they are in possession of your card. Therefore they will not be able to complete any transactions. That is their purpose, it seems.

We enter our PIN when completing a physical transaction, such as an in-store purchase or at an ATM. Why are we not simply asked for our PIN in online transactions? If they are secure enough to encrypt the card data they should protect the PIN.

The issues with credit cards are that the banks want us to use them with as little hassle as possible, yet the criminal fraternity are always attempting to make that ease of use a vulnerability.

Most banks are now starting to adapt their systems, thankfully, to allow those with no mobile signals to verify their card at home. It does mean a little build up of card machines in our homes, but does at least make it possible to order online with a CC with the minimum of fuss.

If a card is lost or stolen the company will usually reimburse the card holder for most or all losses and such payments have amounted to over £100 million per annum in the UK: https://www.statista.com/statistics/286259/united-kingdom-uk-lost-or-stolen-fraud-losses-on-plastic-cards/

I wonder how much this could be reduced by simple measures such as not printing CVVs on cards.

Roy H says:
23 April 2022

I check my bank statements online twice a week. That way It’s done in a matter of five minutes and as long as the end figure matches with my own accounts I’m happy. I just think that once a month is too long in between checks that’a all.

What percentage of credit card fraud is performed by criminals working inside the banking system? I know the SAGE security banks use has already been hacked from inside their own system.

I remain astonished that so many people cannot see that these ‘promotions’ are too good to be true. There is nothing subtle, cunning or sophisticated about them, so why do people believe them?

I suspect that the scammers really want people’s Morrisons or Iceland log-in passwords in the hope they will unlock other more lucrative doors.

When these people lose money by following up these “too good to be true” offers, are the banks required to use our money to refund them?

I have been looking for something that will retail for around £200 and will likely be bought online from a company I have never heard of.

Part of my search has been by image and quite a few too-good-to-be-true sites have turned up in my searches with 70% discounts. These sites are becoming a real problem.

The other thing, is the same product turning up on different sites that look the same but have different names. For these businesses, the parent company is often named, but you do have to be on the ball.

What puzzles me is the motivation some people have to pass on these posts to friends and family. What recognition do they expect to receive?

“Hey! Thanks for that scammy link you sent me yesterday. The thieving b******s have drained my bank account after I replied on your recommendation. Did not not think to check it out first?”

It was embarassing enough during Covid-19 with various hoax posts circulating. Having to politely tell friends not to pass on fake information about vaccines, conspiracies and worse, when they had no basis in fact or understanding of what they were forwarding, potentially risking physical harm to other gulllable people.

Some people just have to ‘share’. Does it make them feel important that they found something first? Sometimes they get something out of introducing friends and family but it doesn’t occur to them to ask first.

Years ago, I was furious when my email address was added to a pyramid scheme without my consent. The email contained hundreds of addresses that were harvested by spammers.

Trevor A says:
25 April 2022

There are also the Center Parcs scams still going on via Facebook, who don’t think they need to be removed. https://www.facebook.com/search/top?q=center%20parcs%20longleat%20forest