British Gas customers are reportedly being targeted with phishing emails that appear to have been sent by the company but contain malicious URLs leading to a site that captures their British Gas login credentials.
The phishing campaign targeting British Gas customers gained unwanted attention when customers started complaining that their accounts had been compromised on a fake website to which they were redirected after clicking a link in an email purportedly sent by British Gas.
"Your bank has declined the latest direct debit payment. British Gas wants to inform you that your last payment of £27.98 GBP has been declined.
"Something’s gone wrong with your direct debit payments. Your bank has been declined the latest Direct Debit payment. If you don’t keep up with your payments, you risk becoming disconnected. Please follow the procedure and check your information by clicking the 'Check Details' button," read an email sent by the phishers and accessed by North Wales Live.
"We take the issue of phishing very seriously and will take action where we identify any attempts to trick our customers. If any of our customers are concerned about a suspect phishing email - such as this one - they can forward it to email@example.com so we can look into it further," a spokesperson from British Gas' parent company Centrica told North Wales Live.
Customers need to stop clicking on links within emails, say experts
Commenting on the emergence of the phishing scam targeting British Gas customers, Paul Norris, Senior Systems Engineer for EMEA at Tripwire, says that hackers are getting better at creating ways to trick users, and this attack on British Gas customers is evidence of that.
"Phishing campaigns are extremely popular and aim to dupe people into giving away personal and financial information, which is why individuals should be vigilant of the links and attachments sent to them. If you believe it could be suspicious then avoid interacting.
"However, malicious cyber criminals are preying on human naivety which is why these attacks continue to be used. Granted, it is becoming difficult to track malicious attackers as they are getting better at mimicking valid content from reputable organisations," he says.
"The best way people can help avoid future attacks is by educating themselves about the risks and consequences of clicking unknown links and attachments. Regardless of whether you believe the email to be legitimate or not, never click on inbuilt links.
"Always open your own web browser and log in to your account on the official website. If there is a legitimate requirement for you to update or re-enter information, it should be referenced within your specific account instance," he adds.
Javvad Malik, security awareness advocate at KnowBe4, says that it's important that people remain vigilant of emails from any company they deal with, be it their energy provider, a television show subscription, or even their gym.
"If any email is ever received, the best thing to do is to navigate directly to the website, log in with your credentials, and check the customer status directly. If there are any issues it should be detailed there.
"While users need to be more aware and protect themselves in this manner, companies also have a responsibility not to send links in their emails, to remind customers on an ongoing basis what type of emails to expect from them, and to make clear that they will never ask for personal information via email," he adds.
Hackers most likely to impersonate big brands to dupe customers
Last year, a survey of 1,000 British consumers by security firm DomainTools revealed that phishing scams leveraging trusted brand names were able to dupe one in five British consumers. Of those who were duped, 20% said their computers were infected with a virus, 15% had their personal information stolen, and 6% were tricked into purchasing a fake product.
A similar survey carried out by DomainTools a year earlier revealed that the brands most likely to be leveraged for phishing scams included Amazon (88%), Argos (46%) and Tesco (35%) and that 24% of their customers had their computers infected with viruses, 20% had their credit card details or personal information stolen, and another 8% lost money on deals that never existed.
"The issue here reinforces that people will blindly click on links if they believe they have come from a trusted resource. People are trusting, and criminals take advantage of this by preying on their emotions and having massive success, mainly due to people not querying messages. It’s important that they stop and think before clicking," said Stephen Burke, Founder & CEO of Cyber Risk Aware.