Scammers are targeting us with text messages pretending to be from motorway toll operator, eFlow. A series of widely-circulated smishing scam texts tells people they owe toll charges, and directs them to click on a link within the text message to pay the outstanding balance.
But the website is not genuine and aims to collect the victim’s bank account details.
Some examples of the kinds of texts that people have seen in the last two months: "eFlow: You haven’t paid your charges. Visit eflow-toll-paymentsupdate.com or an additional fine will be sent to your home address."
Another: "Eflow — As of the 11th, your toll bill is very overdue. To avoid being blacklisted, please process as soon as possible: https://ie.eflow.life"
One more: "eFlow: You have been recorded using the motorway without paying the appropriate charge(s) of 6.40. Visit https://eflowsecure-online.com or an additional fine of 97.50 will be sent to your home address."
There are many other variations of the same thing, but the core idea is the same. Once you get to the site — which usually looks very like the real site — you’ll be invited to enter your bank details and pay the "fine". When you do, you have not only paid scammers, you have also given them your bank details.
According to Bank of Ireland, as many as 10 new fake eFlow sites are being set up by fraudsters every day.
Head of fraud at Bank of Ireland Nicola Sadlier points out that smishing attacks tend to come in waves, and that in the recent past, the bank has seen fraudulent messages appearing to be from delivery services, utility companies, Government agencies and banks.
“But this latest attack, with fraudsters sending messages purporting to come from eFlow, has lasted now for several months, which is unusual. Based on intelligence we have received, we are also expecting fraudsters to ramp up activity, cloning other well-known Irish brands in the coming months, particularly electricity and gas companies.”
She points out too how easy it is to be caught out by a scam of this nature.
“If people recently passed through a toll, they might be more inclined to click on the text message thinking it is legitimate. eFlow has advised that they do not send text messages with links to confirm account or payment details.
So how can you tell if a text is genuine or fraudulent?
The Competition and Consumer Protection Commission (CCPC) says that there are certain signs you should be alert for. A typical smishing text message will try to alarm you, claiming you need to take urgent action in order to avoid negative consequences.
For example, you might receive a text message appearing to be from your bank telling you your bank card, account, or online access has been blocked or frozen due to "unusual activity" or fraudulent transactions.
You will be asked to click on a link in the text bringing you to a fake website. Scammers can create very professional-looking fake websites that imitate real websites. Once directed to this fake website, you’ll be asked to enter your personal information and bank account details.
The CCPC advises consumers to never click on a link within a text, or call a number you are asked to call from a text. Always call businesses on phone numbers that you know to be genuine.
For example, the genuine phone number of your bank is printed on your bank card.
If you receive a text message you suspect may be a scam, delete it immediately. If you’re unsure, contact the organisation named to see if the text is genuine. Remember not to use the contact details supplied to you by the texter, as these may be fake.
If you have responded to a smishing text message and given your bank account details, notify your bank or card issuer immediately. Your account can be placed on hold and card cancelled if necessary. You should also report it to your local Garda station.
According to FraudSMART, the fraud awareness initiative led by Banking & Payments Federation Ireland (BPFI), fraudsters stole nearly €45m through frauds and scams in the second half of 2021 — the latest year for which figures are available. That’s a jump of 50% on the same period the year before.
Debit and credit card fraud (including ATM fraud) hit €14.5m, up 18.5%, the highest levels since the first half of 2017. Most of the increase was driven by online card fraud or ‘card not present’, where a fraudster uses the victim’s compromised card information to make an online purchase. However, 2021 also saw payment card fraud at ‘point of sale’ or in-store return to pre-covid levels.
The report also highlights the soaring value of unauthorised electronic payment (credit transfer and direct debit) fraud to €21.5m. This reflects a sharp increase in online and mobile banking fraud. This type of fraud happens when a payment is made by another person without the account holder’s authorisation or permission, and usually results from the loss, theft or misappropriation of sensitive payment data (such as account numbers and PINs).
Additionally, the report shows how consumers were scammed out of €7.6m through authorised push payments, down 4.4% year on year. This type of fraud takes place when a victim is duped into transferring money from their account to a fraudster’s account such as through romance or investment scams.
Head of financial crime at BPFI Niamh Davenport points out that fraudsters are continuously updating and adapting their tactics and tools.
“As well as scam texts, phone calls and emails, scammers have developed a range of techniques to convince online users to disclose key personal or financial information. While banks are using a range of measures such as encryption and continuous fraud monitoring to protect their customers and ensure everyday payments can be made securely, fraudsters are increasingly targeting businesses and consumers directly, so it is important for us all to know how to protect ourselves.”
“With a jump of almost 46% in debit card fraud losses alone, we are calling on all consumers to pause for thought before parting with their money or information and familiarise themselves with some of the very straight forward steps they can take to protect themselves.”
Again, be very wary of sudden calls from banks, agencies or companies seeking to verify details, and if anyone sends you a link, think twice before clicking and ask yourself, ‘Is this safe?’