Fraudsters Abusing Link Shortening Tools to Dupe EE Customers into Accessing Phishing Sites

EE customers are being warned to stay vigilant after a spate of phishing scams was uncovered in which scammers used URL shortening tools to disguise malicious phishing links.

Which? magazine, which reports on fraud and scam trends, said that it had seen almost a dozen versions of the scam during its investigation. Each version referred to the victim having unclaimed ‘points’ or ‘prizes’ on their EE account which are about to expire.

One such message, which was received from a “random mobile number” purporting to be EE, said:

“EE: Sorry to bother you, there are 5340 points in your account that were not successfully used due to system failure. The points will expire in three working days. Please click the link below to redeem your prizes in time!” The message then included a shortened link—which we have omitted here – followed by the sign-off: “EE wishes you a happy life!”

The link in this particular message directed the receiver to a very sophisticated copy of the genuine EE website, complete with logos, social media links, and other official – and legitimate – EE pages; users were prompted to enter their EE phone number before being taken to another page to “redeem your points” by choosing from a selection of products and entering their home address.

Although not confirmed in the Which? article, it is likely that the details gathered by the fake website could then be used by the scammers to either impersonate EE further and convince the victim to part with money, provide personal information or to access the victim’s other accounts.

‘Phishing’ – pronounced ‘fishing’ – is when scammers or criminals use fake but (usually) convincing emails, texts, or phone calls to get victims to share personal information such as bank details, card information, passwords, and other personal details.

In most cases, the communication will come from a number or email address that mimics the genuine company or individual’s details, so the victim believes that it is genuine. There is often a website link to click on, where sensitive information is collected.

In the 10 different types of phishing text scams seen by Which? they all used link-shortening tools to mask the malicious URLs used to harvest the victims’ data.

Link shorteners – also known as URL shorteners, link compressors, and link shrinkers – are pieces of software that take a long URL and convert it into a shorter URL with fewer characters, usually just a randomised sequence of letters and numbers. Companies use these legitimately to take up fewer characters in texts and social media posts or to allow them to track the traffic to a particular web page.

However, scammers have realised that these shortened URLs can be used in their schemes to mask their dodgy, fake websites and avoid making victims suspicious; these disguised links, combined with genuine-looking phishing sites, make it extremely easy for scammers to convince their victims that everything is above board while they harvest their sensitive information.

It is important to stay vigilant when receiving texts or emails containing links – even if you are convinced that the sender is genuine. Although not all scam texts are the same, there are some hallmarks and red flags to be aware of that may indicate that all is not as it seems:

• The text is poorly written and contains grammar and spelling mistakes.
• It asks for you to share sensitive personal information, such as logins, card information, or bank details.
• It includes a link to follow, particularly if the link has been shortened.

If you receive a suspicious message or one out of the blue – even if it appears to be from a real individual or organisation – contact the sender directly to confirm that the communication is genuine. Alternatively, sign on to your account using a separate web browser and your usual login details, not via the link in the message.

The aim of a phishing scam is for the scammer to glean enough sensitive information from a victim that they can go on to commit other crime. The details may be sold to other fraudsters, they may be used to fraudulently apply for loan or credit cards or they can be used to convince the phishing victim to part with their money, through impersonation, manipulation, and social engineering.

In many cases, this leads to Authorised Push Payment (APP) fraud, so-called because the victim willingly shares their card or bank details or authorises a transaction from their account as a result of coercion by the scammer. APP fraud can take many forms, including:

• Impersonation scams: in which the scammer poses as a trusted individual or company – such as a bank, building society, or utilities provider – and convinces the victim to make a payment.
• Romance scams: in which the victim is duped into believing they are in a romantic relationship with the fraudster – usually online – and is then asked to send money for emergencies or to pay bills.
• Investment scams: the victim is approached about an ‘unmissable opportunity’ and convinced to invest their money into a scheme that either does not exist or is likely to fail.

In the UK, banks are responsible for safeguarding consumers from money laundering and scams by having procedures and systems in place that detect, stop, and warn consumers if they are at risk.

In an APP scam, once the money is in the hands of the scammers, it often proves very difficult to recover, but there are options for compensation. When you report the scam to your bank, they should conduct their own internal investigation; sometimes, this is sufficient to secure a refund. However, where the bank believes that the victim should be liable for the money lost due to their own action or inaction, the complaint can be escalated to the Financial Ombudsman Service (FOS) for an investigation.

FOS is an independent government-backed body responsible for investigating and resolving disputes between financial institutions – such as banks – and their customers. Increasingly, FOS is finding that banks in the UK are not sufficiently carrying out their duty of care to customers who are vulnerable to fraud.

TLW Solicitors’ experienced scams and fraud team can help you take your complaint to your bank or FOS and even help if your initial FOS case was rejected.

Sarah Spruce, Legal Director and Head of the Scams and Fraud team at TLW Solicitors, commented:

“The combination of link shortening, convincing looking phishing websites, and number or email spoofing (when the scammer uses software to clone a genuine company or individual’s email address or phone number) means that scammers can very effectively disguise themselves in order to fool victims and get hold of their money. While consumers need to be aware of schemes like this to keep themselves safe, banks and financial institutions should also be keeping up to date with these ever-evolving fraud tactics and monitoring for any suspicious transactions that might come as a result.”