Scammers are going after Revolut customers with phishing texts designed to steal their data as well as Google ads listing fake phone numbers.
Which? first reported a malicious Revolut ad in March, but this attack has recently resurfaced, leading to one victim losing almost £8,000.
Here, we reveal the warning signs to look out for.
Last week, five people got in touch with Which? after receiving text messages apparently from Revolut. Most said 'your account has been temporarily locked' before inviting them to click on a link to update their photo ID.
Other messages referred to authentication codes and asked recipients to visit a web page if they 'did not request this code'.
All five recipients told us they have accounts with Revolut.
In one text - the first image shown below - the phone number of the sender was '11111' and the link appeared to be a genuine Revolut URL https://revolut.help, although the real web address was disguised.
Anyone who clicked on that link was taken to https://revoiut.help (with an 'i' instead of an 'l'). This site was registered on 18 May 2020. We reported it to both Revolut and the domain registrar Namecheap.com, which suspended it immediately.
Another text appeared to point to revolut-supportgb.co, but the real web address was also disguised. This one was particularly convincing because it was saved within an existing conversation chain with Revolut (see second image, below).
Fortunately, the people we heard from all did the right thing - they checked their Revolut apps or contacted the digital bank using a trusted method to confirm if the texts were real.
Others may not have been so careful.
If you bank with Revolut, watch out for similar texts and never click on links within messages.
Instead, contact Revolut via the in-app chat function or email it at firstname.lastname@example.org - it must respond within 15 days for complaints related to payments and electronic money (or up to eight weeks for most other complaints).
He received an email from the challenger bank asking him to resubmit his ID because it had expired. Aware that these emails can be dangerous, he searched for a Revolut number on Google and called the number provided to confirm its authenticity.
The person he spoke to said he could confirm his identity digitally there and then. Confident that he had called the right number and was speaking to a Revolut adviser, he was transferred to a manager called Brian Baker and told to download a called TeamViewer QuickSupport.
This tool gave them access to his mobile phone, on the understanding that they needed to verify his account transfer limits using a dummy account within his Revolut app. Ultimately, the scammers transferred a total of £7,938 out of his account.
We advised the victim to ask for these unauthorised transactions to be refunded. After investigating the incident, Revolut has reimbursed him in full.
Which? is concerned that there have been at least two incidents of scam Google ads targeting Revolut users in such a short period of time.
We've asked Google if the latest ad has been been removed and whether it has proactively checked for similar scam ads trying to trick Revolut users. It has not yet responded to our questions.
We have also suggested to Revolut that it should warn customers about the dangers of these specific attacks.
A spokesperson for Revolut told us: 'Revolut takes the protection of all our customers extremely seriously. We are fully aware of the industry-wide risk of customers being duped by organised criminals. Our sophisticated and comprehensive anti-fraud systems have a very strong track record of preventing and reporting fraudulent transactions.
'To ensure our customers are alert to the risk of fraud, we regularly send alerts and general security advice via in-app notifications, email, social media and our blog. We know how stressful these situations can be for customers and do everything possible to help victims of fraud retrieve their funds.'
Remember, Revolut will never ask you to share your login details, one-time password or ask you to install anything on your phone. If someone claims to be from Revolut over the phone, ask them to send you an in-app message to confirm that they are a real agent.