Phishing Email?

I had an email the other day allegedly from Monzo, it had @monzomail as the sender and looked legit. Stupidly, I clicked the link and it launched the app and it asked for my PIN. Later realising what I had potentially done I withdrew all accessible funds from the account and have now changed my PIN.

Is it now safe to replace the funds and start using the account again or do I need to do more?

1 Like

I think monzomail.com is a legit domain

Or is it monzoemail?

Edit: no, it should be monzomail (see the link above)

They really need to sort this out and identify legitimate emails somehow

1 Like

They also have monzoemail.com too

I think the “official” emails you should expect emails from are:

monzomail.com, monzoemail.com, monzo.com

and potentially monzo.intercom-mail.com

I’m not sure if the latter still exists but yeah. Lots of very similar emails.

The email it came from was:

auth+sCEsq61JWImb@monzomail.com

If the link you clicked launched the app then you’re good.

It’s when emails take you to a webpage or ask you to do things like move your money that should cause alarm bells to ring.

This… this is awful

2 Likes

It’s really really poor of Monzo to train their customers to fall for phishing scams!

Unless, of course, they get some kickback from the scammers for the training they provide, in which case it’s all good - just another avenue on the way to profitability 👍

2 Likes

Were you attempting to log in at the time when the email arrived?

What was the email subject?

That email logs you into your account, did you try logging in before you got that email?

If not, either you should have got a scam call to try to convince you to forward the email to them so they can log in to your account, or they already have access to your emails and were about to click on it themselves, so I would change your email password as soon as possible, and review the security part of your account for new / suspicious logins.

If the email was a few days ago and you’ve had no new ones then there’s probably no one in your email account, as they would have requested a new login email by now.

3 Likes

It’s also interesting seeing the:

don’t forward this (even to us)

in their email, given most banks and large organisations tend to have a “phishing@” email where you can send these emails to and they can confirm if it is or isn’t from them.

I’m all for the magic links, but there is certainly a bit of tidying up that could make all this a more consistent / clean consumer experience.

I think they need to redesign the email system, such as adding security that confirms it’s your bank, such as your full name and postcode and last 4 digits of your phone number, like PayPal tends to do and a few high street banks.

I received an email from Monzo the other day, it was a legit one but it didn’t even say my name on it, just hello 🤦‍♂️

Thing is, this information isn’t hard to get hold of and pretend to be a bank. Facebook leaked a tonne of this info recently so you don’t exactly have to look hard for it either.

They should just do away with email completely. Secure the login process so the magic link isn’t needed and then say to the customers:

WE WILL NEVER EMAIL YOU AND WE WILL NEVER CONTACT YOU BY PHONE.

If the only communication is via the app along with notifications for things such as statements ready and all the other payment notifications, it would make the whole process significantly less susceptible to fraud.

Something I never understood about Starling’s process is the customer service PIN. If they call you, they ask you for the PIN when it clearly should be the other way round.

Banks could make their life significantly easier if they just restricted outbound communications to their respective apps and all voice communication was from the outside in.

If your Uber Driver calls you he doesn’t know your number, his call is routed through Uber. Equally if you call your Uber driver you are connected to their system and then the driver. The same could apply to banks. If Monzo wanted to get in touch with you by phone they could notify you in app to call a specific number at a specific time.

3 Likes

I definitely think there’s value in having some kind of 2FA when it comes to contacting customer services, in either direction.

Maybe something that’s not PIN-like (so it doesn’t get confused). Apple have a great system where you get a pop up to verify you’re the account holder / phone holder.

3 Likes

I just got a push notification for a survey, came through the usual chat channel.

This is so so so much better. No clicking links, no worrying that it’s not from Monzo.

3 Likes

I have just had it confirmed that the original email was indeed from Monzo so panic over.

Thanks everyone who took the time to reply.

2 Likes

Thanks for the update – good to hear it’s all solved now

What @kolok says still stands though – did you try to log in at that time/on that day? If not, someone might be trying to take your account over and you need to change passwords ASAP

4 Likes

What was your method here? Did you cancel all your pots? Do you have an overdraft facility? Not worried about your DDs or continuous payments? Just curious.

I just took all the money out of the pots into the main account and withdrew that. It was only for a couple of days and I knew I’d got no DDs coming out. No overdraft facility so no worries there.