Week 28: TWINT – isolated cases of phishing and fraud

18.07.2023 - The uncomplicated payment service TWINT is also attractive for fraudsters. No fewer than three different approaches using TWINT with criminal intent were reported to the NCSC last week. In addition to phishing attempts that pretend to be from TWINT, there are also fraudulent classified ad offers.

It has often been reported that the Swiss market is also attractive for cybercriminals and that they adapt their methods to Switzerland's specific characteristics. Three examples reported to the NCSC last week in connection with the TWINT payment system, which is known to be used only in Switzerland, were striking.

Phishing attempt

A report on a phishing attempt involving the misuse of the TWINT logo attracted particular attention at the NCSC because the link did not seem to work unless the phishing email was opened on a smartphone. It soon became apparent that the message was seemingly sent from a smartphone and that the cybercriminals check which device is used to open the link. If the link is accessed on a smartphone, a web page appears claiming that TWINT needs the information to verify the TWINT account.

Fraudulent phishing email in which TWINT is spoofed as the sender. Typically, these emails threaten that it is necessary to react IMMEDIATELY. The link leads to the phishing website.

But why does the link work only on smartphones?

When you surf the internet, your browser continuously tells websites about its display capabilities, including the operating system and browser used. The browser can be made to report any information, including that a smartphone browser is being used on a smartphone.
In the case mentioned, the phishing link only worked on smartphones. By restricting it to smartphones, the cybercriminals hope to evade analysis and to avoid having the phishing website blocked.
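
When triaging a reported link, the device dependence described above can be confirmed by requesting the link once per device profile and comparing the answers. The following Python code is an added example, not NCSC code; the User-Agent strings, the `sample_fetch` stand-in and the example URL are constructed for illustration.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, NamedTuple

# Constructed User-Agent strings for the two device classes to compare.
PROFILES = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    "smartphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 "
                  "Mobile/15E148 Safari/604.1",
}

class Page(NamedTuple):
    status: int
    body: str

def http_fetch(url: str, user_agent: str) -> Page:
    """Live fetcher: request the URL while presenting the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return Page(resp.status, resp.read(200_000).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # an error status is still a finding
        return Page(err.code, "")

def has_input_form(page: Page) -> bool:
    """True if the response is a page that asks the visitor to enter data."""
    html = page.body.lower()
    return page.status == 200 and "<form" in html and "<input" in html

def check_device_cloaking(url: str,
                          fetch: Callable[[str, str], Page] = http_fetch) -> Dict:
    """Fetch the URL once per profile and report device-dependent behaviour."""
    pages = {name: fetch(url, ua) for name, ua in PROFILES.items()}
    forms = {name: has_input_form(p) for name, p in pages.items()}
    statuses = {name: p.status for name, p in pages.items()}
    differs = len(set(forms.values())) > 1 or len(set(statuses.values())) > 1
    return {"statuses": statuses, "forms": forms, "device_dependent": differs}

# Constructed stand-in for a reported link that answers only smartphones,
# so the check can be run offline.
def sample_fetch(url: str, user_agent: str) -> Page:
    if "Mobile" in user_agent:
        return Page(200, '<form method="post"><input name="card"></form>')
    return Page(404, "Not found")

if __name__ == "__main__":
    print(check_device_cloaking("https://reported-link.example/", sample_fetch))
```

A difference between the profiles is a signal for closer inspection, not proof of phishing, since legitimate sites also serve separate mobile pages.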

Fraudulent phishing page in which TWINT is spoofed as the sender. Left: A pretext to obtain credit card details and right: actual credit card phishing.

Classified ad fraud

In particular in connection with classified ads, cases are repeatedly reported to the NCSC in which users fall victim to fraudulent offers. One approach is for the fraudsters to order gift vouchers for a certain amount from a legitimate online retailer and select the TWINT payment option at the checkout. At the same time, they publish a classified ad for a random item for exactly this amount.

Outlined in red is the payment code of the online merchant, which is used to pay for the online gift cards and not, as the fraudsters pretend, to pay for the rattan garden lounge.

Use of money mules

A third scam involves someone being recruited by fraudsters to accept or forward funds via TWINT or other payment methods. This is done by so-called money mules and is punishable by law. Money mules are often recruited through fake job offers and are not aware of their illegal activity.

In a recent case, the fraudsters pretended to want to sell an expensive graphics card relatively cheaply via a classified ad. In this case, the buyer transferred the amount to the phone number given by the fraudsters, which belongs to a money mule.

On the left, the original purchase of the graphics card with the money mule's telephone number highlighted in red. On the right, reasons are given for the increase in the sales price and the new TWINT recipient.

The next day, the fraudsters tried to charge the buyer an additional amount. However, since the money mule was apparently no longer available after the first payment, they had to invent a plausible story to convince the victim to change the recipient's phone number.

Transactions to a mobile phone number are only for transfers between private individuals. Commercial traders all offer a QR or payment code to make a transfer. Conversely, private individuals never offer a QR or payment code for transfers.

Unfortunately, most reported incidents are successful for the fraudsters. To protect yourself from such scams, please keep the following points in mind:

  • Be vigilant every time you make a payment and check the details before you initiate the payment.
  • Set limits for all payment methods based on your budget and the security level of the payment method in question. This is especially true for payment methods that you use online (via the internet) and for contactless payments.
  • Use two-step approval for payments if this is available.
  • If possible, use different payment methods online and offline, e.g. different credit cards with a low limit for online use.
  • Be careful when interacting with unknown people on online platforms.
  • Only commercial traders who are officially registered with TWINT offer a QR or payment code. Therefore, exercise caution if a private individual proposes payment via QR code. Do not allow yourself to be put under pressure.
  • Never use QR codes that have been sent to you by untrustworthy sources.
  • Never use five-digit payment codes that sellers on selling platforms such as Facebook Marketplace, tutti.ch, etc. send you.
  • No bank or credit card company will ever send you an email requesting that you change your password or verify your credit card details.
  • Never divulge personal data such as passwords or credit card details on a website that you accessed by clicking on a link in an email or text message.
  • Bear in mind that email and text message sender IDs can easily be spoofed.
  • Be sceptical if you receive emails that require action on your part and that carry a threat of consequences (loss of money, criminal charges or criminal proceedings, blocking of an account or card, missed chance, misfortune) if you do not do what is required.

Last modification 18.07.2023

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2023/wochenrueckblick_28.html