Trust scammers to come up with different ways of taking your money. It must be a day ending with “y”, or even the lead up to a big event taking place worldwide, because that’s exactly what scammers have been up to.
While the end of financial year will almost definitely lead to an influx of tax and MyGov scams in the next month or so, before that happens, there’s a big football festival you might have heard about taking place.
Cybercriminals sure have, with research from security specialists at Bitdefender finding that scammers have been targeting soccer fans with fake everything in an effort to increase thievery ahead of and during the FIFA World Cup set to occur in the US.
The scams are taking place across social media, largely targeting Meta platforms including Facebook and Instagram, with more than 55 football-related scam ad campaigns focused on Australians, as well as fans from other parts of the world, including the UK, US, Canada, Mexico, Portugal, Spain, Germany, and Belgium.
In short, places where football is a big deal are being targeted as part of a major scam ad system, promoting fake merchandise and boosting phishing pages, many of which cover ghost stores, fake storefronts, and fraudulent giveaway scams designed to simply take details and impart nothing in return.
It’s a relatively recent concept called “malvertising”, and it’s picking up speed.

How do the World Cup malvertising scams work?
This approach of using advertising to ensnare victims is called “malvertising” because it’s malware posing as advertising, or scams underlying advertising efforts.
The ads look real, but the links are anything but, and most people would be none the wiser looking at them.
It’s not a new concept, though, frustrating as it is. Criminals have been using dodgy ads for years, many of which use the guise of celebrities to sell health-related goods that don’t do what’s advertised, all while the victims vent their frustration at the celebrity whose face was used.
In these examples, criminals are using advertising on Facebook to get their message through, something Meta has previously said it proactively tries to fix, yet still makes money from all the same. Scam ads have been a problem for the social network, popping up earlier this year in the form of investment scam ads seen around the world.
With the World Cup malvertising scams, the ads cover so-called “official” FIFA merchandise, limited edition collectibles, streaming services, sticker packs and albums, and ticket offers, many of which run with realistic imagery likely made with AI and designed to blend right in with everything else in your feed.
But the links for those ads head to phishing sites and online shopfronts either intentionally fake or something more like a ghost store, all designed to collect payment details and personal information, and leave you feeling a little poorer all the same.

Parents were also targeted with football kits for children as part of the campaigns, while giveaway scams formed a critical aspect of the scams, with emails not unlike the Nigerian prince scam suggesting people had won big from draws.
If you’re wondering just where that World Cup merchandise you ordered weeks ago from a link on Facebook is, the answer is it could be nowhere. Your details, on the other hand, may well be in the pocket of a scammer.

How do you stay on the defensive against malvertising campaigns?
While there’s no such thing as a free lunch, scammers playing these games have hoped to get past the skeptics by impersonating FIFA’s divisions, with official names like “FIFA Legal and Compliance Division” sitting in the emails and sites, complete with reference numbers, ticket IDs, and so-called “confidential” PIN codes.
Yet like most scams, the website address isn’t going to come from the real place, which is your first sign that something is wrong.
Scammers won’t be running this on the FIFA site, or even any legitimate merchandising site. But if you open the link from within Facebook’s own browser, you might miss the signs. It’s definitely easier to get lost this way.
Instead, if you’ve found your way to a link like this, open it up inside your browser and look at the URL. Study it. Scrutinise it.
Remember that like dodgy emails, scammers can’t just use the website from the real company, so they’ll often use something outlandish or something that sounds legit.
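The URL check described above, written out as an added example; it is not code from Bitdefender or from this article. It assumes fifa.com is the only official domain, the brand-term list is illustrative, and the sample links are constructed using the reserved `.example` suffix.

```python
from urllib.parse import urlsplit

# Assumption for this example: fifa.com is the only domain treated as official.
OFFICIAL_DOMAINS = ("fifa.com",)
# Brand terms a fake storefront might borrow (illustrative list).
BRAND_TERMS = ("fifa", "worldcup", "world-cup")


def is_official_host(host):
    """True only for an official domain or a genuine subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def assess_link(url):
    """Classify a link copied from an ad: 'official', 'impersonation' or 'unknown'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if is_official_host(host) and parts.scheme == "https":
        return "official", reasons

    if parts.scheme != "https":
        reasons.append("not served over https")
    if parts.username:
        # Everything before '@' is ignored by the browser when picking the site.
        reasons.append("text before '@' is not the site; real host is " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, may render as look-alike letters")

    # A brand name anywhere in the address means nothing unless the host is official.
    haystack = (parts.netloc + parts.path).lower()
    used = [term for term in BRAND_TERMS if term in haystack]
    if used and not is_official_host(host):
        reasons.append("brand term(s) %s on non-official host %s" % (used, host))
        return "impersonation", reasons
    return "unknown", reasons


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for link in ("https://www.fifa.com/en/tournaments",
                 "https://fifa.com.tickets-shop.example/checkout",
                 "https://www.fifa.com@merch-store.example/kits",
                 "https://sticker-albums.example/shop"):
        print(link, "->", assess_link(link))
```

An "unknown" verdict is where the advice about searching for the store name plus "reviews" applies: the address claims no brand, so the URL alone cannot tell you whether it is a ghost store.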
Ghost stores can be a little more difficult to gauge, largely because they appear real and may even send you something like what you ordered.
Ultimately, if you don’t know the name, consider looking it up online with the word “reviews”, and looking for actual reviews by people. And if something seems too good to be true, it probably is.
For most people, using your best judgement will be the requirement to get through these campaigns, because it’s doubtful Meta will stop taking money from these ad campaigns, at least in the short term.
And that means it’s down to you: if you accidentally click your way into one of these, look at those websites carefully and decide whether you want to hand over your personal information, and bank or card details to a website and store that seems too good to be true.
If the answer is your identity and wallet are better without testing it, you know what to do: close it down and report the ad. And then report the scam to Scamwatch, which can help other people later on, as well.