An "instant bank fraud" social media hoax has recently reappeared in the UK. There doesn't seem to be any particular nefarious plan behind it. The only discernible purpose of the hoax is to scare people and waste their time. The message has been spreading through social media and texts. As is customary for hoaxes, the people behind it try to feign legitimacy by appealing to authority. In this case, they are referencing the London police's Twitter account. This move backfired in a way as the City of London police addressed the hoax almost immediately.
The content of this message is false. pic.twitter.com/eLVM4tnYEi
— Action Fraud (@actionfrauduk) November 10, 2020
As stated in the tweet, this isn't the first time a hoax like this has spread. A very similar message was making the rounds back in March. The claims made back then were just as untrue as they are now.
There is, however, a smishing (phishing through SMS) campaign that probably sparked the idea for the hoax. Researchers from Sophos noticed the campaign and went through several reasons why the "instant bank fraud" is a hoax. The smishing campaign uses messages disguised as notifications from mobile carriers about problems with the recipient's last payment. Reportedly, they look legitimate except for the second part of the URL.
"(O2): We haven't received your recent bill payment, please update your details at https://o2.uk.xxxxxxx.com/?o2=2 to avoid additional fees"
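The sample text above puts the brand name in the first label of the host while the site itself is a different .com domain. The following Python sketch is an added example, not code from Sophos or the original article; it flags links that mention a carrier brand but whose host is not under a domain the defender treats as official. The allowlist entry `o2.co.uk` and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand -> domains the defender accepts as official for that brand.
OFFICIAL_DOMAINS = {"o2": ("o2.co.uk",)}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_is_official(host, domains):
    """True only if host is an official domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_sms(text):
    """Return [(url, verdict)] for each link found in an SMS body.

    verdict is 'official', 'lookalike' (brand named, host not official)
    or 'unknown' (no known brand involved).
    """
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")          # drop sentence punctuation
        # urlsplit().hostname ignores any "user@" prefix, so a URL such as
        # https://o2.co.uk@other.example/ resolves to other.example.
        host = (urlsplit(url).hostname or "").lower()
        tokens = set(re.split(r"[^a-z0-9]+", url.lower()))
        if any(host_is_official(host, d) for d in OFFICIAL_DOMAINS.values()):
            verdict = "official"
        elif tokens.intersection(OFFICIAL_DOMAINS):
            verdict = "lookalike"
        else:
            verdict = "unknown"
        findings.append((url, verdict))
    return findings


if __name__ == "__main__":
    # First message is the redacted sample quoted in the article;
    # the second is constructed for comparison.
    samples = [
        "(O2): We haven't received your recent bill payment, please update "
        "your details at https://o2.uk.xxxxxxx.com/?o2=2 to avoid additional fees",
        "Your bill is ready at https://www.o2.co.uk/bills.",
    ]
    for sms in samples:
        print(classify_sms(sms))
```

The check compares the end of the host against the allowlist rather than searching for the brand anywhere in the URL, which is why the brand appearing as a leading label or query parameter does not make the link pass.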
Sophos researchers stated that the link leads to a fake page made to look like a legitimate sign-in page for the corresponding provider. Anyone who followed the link and entered their real username and password has sent their credentials to the criminals running the smishing campaign. Even in such cases, the victims have only given away their credentials for the carrier's website. Unless the potential victims are using the same password for multiple accounts, including critical ones such as banking, there is no danger of their bank accounts being drained or even accessed by the criminals. Still, the consequences of such gross mismanagement of accounts and passwords can be dire.
Even the worst-case scenario for the recipients of a smishing text doesn't come close to the hoax message claims. There is no danger for those who just viewed the message, even if they didn't delete it afterward. If someone opened the text and followed the link but did not enter their credentials, the most the criminals can get out of it is knowing the person opened the page.
Even though there is no "instant bank fraud," everyone should try to use best practices when managing their accounts. Using the same password for multiple accounts is not recommended. Neither is entering credentials on a website reached through a link provided in a text or an email. Everyone should use 2FA (two-factor authentication) whenever possible. Spreading false information about non-existent threats is not a best practice.