In my email inbox this week I received no fewer than four scam emails that pretended to be from the supermarket chain Tesco. The once grocery store is now so much more. From online sales of food and household items to home delivery to banking, Tesco is a major UK brand with over 3,400 stores, and Tesco’s online shopping just keeps growing.
This brand awareness and wide reach to online customers make Tesco the perfect brand for the scammers to spoof.
All four of the Tesco scam emails had the same theme – an offer of free groceries! Woohoo! As we are being continuously threatened by price increases of our daily bread, especially with the ongoing Brexit crisis, an email promising free food is very tempting.
Note, the free food vouchers were for Tesco Bank customers only, as this scam was ultimately about stealing bank login credentials.
Signs of the Scam
I received the four scam emails within the space of about an hour. This was enough to start my scam bells ringing – I’m sure Tesco would not be this unprofessional. But this alone is not enough. Other signs included:
Scammy-looking email address:
Although the ‘from address’ was set to display as “Tesco.com”, expanding it to see the full email address revealed the truth. Inside the < > of each email’s ‘from address’ were a number of scam addresses, e.g., one showed email@example.com@tcro.com
The emails were not properly addressed to the recipient. If Tesco had sent this email out, they would have ensured the email addressed the person it was targeted at. Instead, the emails either began “Dear Customer” or had no salutation at all.
This was a pretty poorly executed scam. The emails themselves were totally unbranded with just a text sign off as Tesco PLC.
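The display-name mismatch described above can be checked mechanically. The Python sketch below is an added example, not part of the original post; the allow-list of legitimate Tesco sending domains is an assumption to verify, and every sample header except the one quoted above is constructed.

```python
import re

# Assumed allow-list of domains the brand really sends from (verify before use).
BRAND_DOMAINS = {"tesco": {"tesco.com", "tescobank.com"}}

# Splits 'Display Name <address>' into its two parts.
ANGLE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]*)>\s*$")

def split_from(header):
    """Return (display_name, address) from a From header value."""
    m = ANGLE.match(header)
    if m:
        return m.group("name").strip("\"' "), m.group("addr").strip()
    return "", header.strip()

def sender_domain(addr):
    """Domain is whatever follows the LAST '@', which is what the mail is routed on."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".") if "@" in addr else ""

def domain_matches(domain, allowed):
    """Exact match or a true subdomain; 'tesco.com.example.net' does not count."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_from(header):
    """Return a list of findings for one From header; empty means nothing flagged."""
    name, addr = split_from(header)
    domain = sender_domain(addr)
    findings = []
    if addr.count("@") != 1:
        findings.append("malformed-address")
    for brand, allowed in BRAND_DOMAINS.items():
        # The display name is free text chosen by the sender, so compare it to the real domain.
        if brand in name.lower() and not domain_matches(domain, allowed):
            findings.append(f"display-name-claims-{brand}-but-domain-is-{domain or 'missing'}")
    return findings

if __name__ == "__main__":
    samples = [
        "Tesco.com <email@example.com@tcro.com>",      # as quoted in this article
        '"Tesco" <offers@tesco.com>',                  # constructed
        "Tesco Bank <service@tesco.com.example.net>",  # constructed lookalike
    ]
    for s in samples:
        print(s, "->", check_from(s) or "no findings")
```

A clean result here only means this one sign is absent; it says nothing about whether the message passed SPF, DKIM or DMARC.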
The Phishing Link
Of course, as with many of these scams, the trick is in the click. The scam email used the lure of free food to trick you into clicking the malicious phishing link. On doing so, a spoof site, which looked an awful lot like Tesco Bank, opened. The ruse was to get you to enter your login password. Of course, if you do so, your login credentials would be stolen by the scammer and your Tesco Bank account potentially compromised. Tesco Bank does use two-factor authentication for login, which improves security. However, entering your password into any spoof site is a bad idea.
It is interesting that the email was about free food to get you to log in to Tesco Bank. This hits at the very heart of human behaviour and the very basic instinct, to eat. Everyone loves the idea of free food treats.
If you receive an email from Tesco offering free food – remember there is no such thing as a free lunch.
Avoid clicking links in an email unless you are 100% certain you know who it is from. Even then, it is always best to manually type in the URL of the company into your browser, then log in.
You can send any Tesco related phishing emails to this address: firstname.lastname@example.org.
Why not help your colleagues stay safe and send them this little reminder? Feel free to edit and copy/paste the advice below:
The Tesco Scam
An email scam pretending to be from Tesco is being sent out to trick users into entering Tesco Bank login details. The email is offering free food vouchers. This is a scam, and if you fall for it and enter your password, it will be stolen by scammers.
You can advise Tesco about the scam by forwarding the email to: email@example.com.