Researchers reported that customers of UnionBank of the Philippines were targeted by an SMS phishing attack offering a Valentine's Day gift. Pictured: Valentine's Day balloons and flowers are sold outside a convenience store on Feb. 14, 2021, in New York City. (Photo by Cindy Ord/Getty Images)

Researchers reported on Monday that customers of UnionBank of the Philippines were the target of SMS phishing attacks offering a gift of $200 (10,000 Philippine pesos) as a Valentine’s Day treat for being a “loyal customer” of the bank.

Magni R. Sigurðsson, senior manager of detection technologies at Cyren, said the SMS victims were told that they would need to fill out a form to claim the money and then given a link to the so-called form. The link took the victim to the phony UnionBank phishing site where their credentials were stolen.

Sigurðsson had no specific information on how many accounts were hit and said the threat actors were “most likely” from the Philippines, but could not confirm that at this time.

“These kinds of attacks are tricking victims into thinking that their bank is giving them money — in this case $200 — and are often very successful," Sigurðsson said. “We are seeing this also more and more around cryptocurrency with so-called Bitcoin or Ethereum giveaways. Also, the fact that the attack is distributed via SMS text message can also make them more believable. We will see similar attacks, but the attackers will adjust or make changes to how they send out these attacks.”

Sigurðsson said the phishing campaign started on the morning of Feb. 3 and the SMS messages were sent out to victims for just over three hours. The URL to the phishing site went through two- to three-different redirections and was hosted on more than one domain, so the site was up for around 48 hours. The domain host took down the site.

It’s common for banks to continuously remind their customers that the bank will never ask for their password, said Dave Cundiff, vice president of member delivery at Cyvatar. Cundiff said in all communications about banking that if it’s not in-person at the bank or through an encrypted website, credentials or personal information should never be shared. 

“The more dangerous examples are not forms as often individuals mistrust simple forms, it’s spoofed websites that very closely match the bank’s actual website,” Cundiff said. “My recommendation is never to trust an SMS ‘sale or deal,’ but if it looks like a good offering, I would go to the website of the bank or store independent of the SMS message and if there’s a deal it will usually be listed on the account page or on my store page after I login. That’s always the safest manner of verifying the validity of SMS messages.”