For the past few months, malicious text messages inviting their recipients to renew their Vitale card have abounded on smartphones. Calls from bogus bank advisers complete the scam. Beware of this fearsome trap.
This is a classic phishing technique (the theft of personal data), like the hundreds that constantly land in our mailboxes or on our smartphones. But the scale of this Vitale card fraud is anything but ordinary. “It has been in the top 3 of phishing since December 2021. It has not dethroned the fraudulent child pornography email, but it is not far behind”, notes Jean-Jacques Latour, head of cybersecurity expertise for the government’s Cybermalveillance platform. A worrying record, when we know that the portal currently records 1,000 consultations per day concerning that “minors’ brigade” scam.
The many testimonials identified by our services or our local associations also attest to a prolific phenomenon.
How does this umpteenth trap, which aims to extract not only personal information but also money from you, work? You receive a message on your smartphone indicating that your new Vitale card is available. Supposedly in order to retrieve it, a link takes you to a first page, then a second, a third… in which you are invited to enter your data (name, address, date of birth, Social Security number, etc.). These pages imitate the visual identity of the health insurance system, and have URLs more or less similar to the original (aide-ameli.fr, publicvitalev3.com, etc.). After this step, the scenarios differ.
First possibility: the Internet journey stops there, you are the victim of a theft of personal information, intended to be resold.
Second subterfuge: a pseudo-bank adviser, after collecting this first loot, calls you when your branch is closed, to tell you that your bank card has been hacked and that you must send the codes you receive by SMS to block payments in progress. Communicating the codes causes the opposite, namely the validation of fraudulent online purchases that the scammer is making.
Third attack that we have been able to identify: you land on a final payment request page, for the delivery costs of the Vitale card. After entering your bank details, you enter a code sent by SMS by your bank… and realize too late that you have just been robbed of a large sum, on behalf of a known brand (Boulanger, Darty, Leroy Merlin…). This stratagem operates thanks to the real-time looting of data entered online.
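A link check that a message filter or help-desk triage script could apply to the lookalike URLs described above (aide-ameli.fr, publicvitalev3.com). This is an added example, not part of the original article; it assumes ameli.fr is the legitimate health insurance domain, and the function names, brand tokens and sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = "ameli.fr"              # assumed legitimate domain (not stated in the article)
BRAND_TOKENS = ("ameli", "vitale")  # brand words scammers embed in lookalike hosts

# Loose URL matcher for SMS text: optional scheme, host with a TLD, optional path.
URL_RE = re.compile(r"(?:https?://)?[^\s/]+\.[a-z]{2,}(?:/\S*)?", re.I)

def _split(url):
    """Parse a URL that may lack a scheme, as links in SMS often do."""
    return urlsplit(url if "://" in url else "http://" + url)

def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for one URL."""
    parts = _split(url)
    host = (parts.hostname or "").rstrip(".").lower()
    # Exact match or a true subdomain; "aide-ameli.fr" and
    # "ameli.fr.example.net" both fail this test.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    # The netloc is searched too, so a brand hidden in the userinfo
    # part ("ameli.fr@example.net") is still caught.
    if any(tok in parts.netloc.lower() for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"

def scan_sms(text):
    """Extract every URL from a message and classify it."""
    return [(m.group(0), classify(m.group(0))) for m in URL_RE.finditer(text)]

# Constructed sample message, modelled on the scam described in the article.
SAMPLE_SMS = ("Your new Vitale card is available. "
              "Confirm your details at https://aide-ameli.fr/carte")

if __name__ == "__main__":
    for url, verdict in scan_sms(SAMPLE_SMS):
        print(f"{verdict:10} {url}")
```

Substring matching on brand tokens is a triage heuristic: it will not catch misspelled or internationalized lookalikes, so anything other than "official" should be treated as unverified rather than safe.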
Banks don’t want to refund
This third mode of operation was more prevalent before the current wave, with a bait in the form of an e-mail, also announcing the renewal of the Vitale card. Mr. C. was a victim of this; he had €1,518.99 stolen (purchase of a smartphone from Darty). Now in contact with the UFC-Que Choisir of Clermont-Ferrand to resolve his dispute, he continues to come up against the refusal of reimbursement by his Crédit Agricole agency. When he realized the deception, the day after the scam, he contacted his banker, then Darty to block the purchase procedure; he made a report on the Perceval platform and filed a complaint with the police. No solution was provided, the purchase was validated and Mr. C. was not recredited with the amount lost. “Despite 35 years of loyalty, [my bank] can’t do anything for me, no compensation […] whereas they are one of the parties to this transaction and, at the time of the facts, they had more information than me on the beneficiary and the references of the banking movement”, underlines this man in his file filed with the local Auvergne association. “I objected within 10 minutes but 4 days later, the amount was debited under the name of Leroy Merlin! The bank does not want to refund me anything because I entered the code sent by SMS”, testifies another consumer abused in the same way.
To justify their refusal to pay back the stolen money, the banks generally tell victims that they have been negligent, citing in particular the fact that they transmitted their personal data. However, the scam in question is very subtle, and the fraudulent content very similar to that of the organizations being imitated. In addition, the legislation obliges banks to reimburse unauthorized payments whenever they have not been validated by two-factor authentication (in these examples, a 3D Secure system).
SMS, the channel favored by scammers
Today, the method involving a call from a bogus bank adviser dominates. The scam starts with a malicious text message, which includes a link to a fake health insurance site. This message is sent en masse, to thousands of people. “Since the end of December 2021, we have witnessed a real upsurge that does not stop. Several dozen fake sites are reported every day, to us or to health insurance. Currently, 90% of [fraudulent] messages come from SMS”, explains Jean-Jacques Latour. This expert specifies that SMS messages are preferred by scammers because the information concerning the sites that victims visit is more difficult to identify on a smartphone than on a computer. In addition, receiving an SMS is more reassuring for consumers than receiving an e-mail. But a hacker can access both a phone number and an email address.
Let’s also mention one of the cornerstones of this formidable trap: spoofing (the caller’s number that appears on your screen is not the real one). When a bogus adviser calls you displaying your agency’s number, it becomes very difficult to detect the scam. However, here again, consumers are very often faced with the refusal of reimbursement by their banks.
Never transmit personal information before verifying the veracity of a message. In this example, contact the health insurance to find out if the information received is authentic. They will tell you, in particular, that updating the Vitale card is never done online.
If you have been trapped, file a complaint with the gendarmerie. This is a prerequisite for being reimbursed by the bank. In addition, in the event of numerous complaints, an investigation may be triggered.
Report the scam of which you have been the victim on the Cybermalveillance portal, which provides advice on the reflexes to adopt and the steps to take. You can also file a report on the Perceval platform and file a complaint on the new Thésée tool.