Tesco ‘free 4K TV’ phishing scam targets UK shoppers

Tesco scam

A new email phishing scam, falsely purporting to be from leading UK supermarket Tesco, is being used to steal confidential data and payment details from consumers.

The scam, which uses a fake Facebook page as well as SMS and email communication to trick UK consumers into handing over their details was uncovered by Griffin Law, a leading litigation practice.

The fraud began with a fake Facebook page, entitled ‘Tesco UK’, using official branding. The page shared images purporting to be from a Tesco warehouse, displaying packed boxes of Samsung 55” Ultra High Definition televisions, which can be worth up to £500.

The accompanying message said: “We have around 500 TV’s in our warehouse that are about to be binned as they have slight damage and can’t be sold. However, all of them are in fully working condition, we thought instead of binning them we’d give them away free to 500 people who have shared and commented on this post by July 18th.”

Unsuspecting users then enthusiastically shared the post, hoping to qualify for a free television, inadvertently spreading the scam. One user wrote on Facebook, “I’d love to, thank you Tesco!” whilst another questioned the authenticity of the site.

Hours later, users reported receiving a sophisticated email scam, again using Tesco branding and offering them the chance to ‘claim their prize’.

The email reads:

“Hey [Victim’s name]! Thank you for entering our competition to win a new TV. You’ve won, congratulations! Please click ‘Claim TV’ to get your TV. We hope you enjoy it!

A button in the email directs the users to a landing page where they can enter their name, home address, telephone number and bank account details.

Griffin Law’s research team has already established that at least 100 consumers have reacted to the Facebook page or received an email. The original fake Tesco Facebook page is now listed as ‘Content unavailable.’

Andy Heather, VP, Centrify, comments: “The Covid-19 outbreak has triggered a sharp rise in homeworking and created an environment ripe for opportunistic hackers seeking to steal usernames, passwords and data from weary workers during lockdown. With millions of people using their work email accounts on both work-issued and personal devices, these kinds of phishing scams pose a huge risk if hackers can successfully parlay these efforts into obtaining confidential company information.

Without the necessary security systems in place, a single hacker with stolen log-in credentials could wreak havoc by getting inside a corporate network, elevating their privileges, raiding company data, and escaping unnoticed. It’s therefore essential that businesses can verify employee credentials are being used by the valid user, such as by issuing a multi-factor authentication challenge by SMS or biometric scan, to ensure they are who they say they are, at all times.”

Tim Sadler, CEO, Tessian, comments: “As the lines between people in our ‘known’ network and our ‘unknown’ networks blur on social media feeds and in our inboxes, it becomes incredibly difficult to know who you can and can’t trust. Hackers prey on this, impersonating a trusted brand or person to convince you into complying with their malicious request and they will also prey on people’s vulnerabilities. They know people are struggling financially during this pandemic, so the offer of a free TV could be very attractive. But as the saying goes, if it looks too good to be true… it probably is! Question the legitimacy of these messages and always verify the request or offer before clicking on the link.”