No, Lidl is not offering its customers a kitchen robot for two euros: it is a phishing campaign
Phishing attacks never go out of style. Entities such as BBVA, the Post Office, FedEx or the Directorate-General of Traffic have been spoofed on different occasions to mislead and scam users, and now it is Lidl’s turn: the company is being impersonated to redirect users to a fraudulent website.
The Civil Guard and the OSI (Internet User Security Office) have warned of a phishing campaign which, under the pretext of offering a kitchen robot for two euros, leads users to a fake website where they must enter their personal and bank details. A full-blown scam.
There is no food processor, but there is a potential upset
The email detected by the OSI has the subject “Quote 02/19/2021: Recipient’s name”, although it is not ruled out that it may arrive in other formats. In addition, the email is not sent from a company domain but from a generic one, something that should raise suspicion from the first moment but that can still mislead.
The body of the email explains that the customer has a huge amount of loyalty points that will expire soon unless they are traded in for a food processor, one of Lidl’s most popular products (and involved in some controversy recently). This strategy is very typical of phishing scams: creating a sense of urgency so that the user makes a hasty decision.
At the bottom of the text there is a button that says “Confirmation and continuation procedure”, which redirects to a website that pretends to be a real promotion. It asks for our personal data (including address, postal code, city, telephone and email) and, subsequently, our bank details (card number, expiration, holder, CVV) to pay two euros. If we comply, the website shows an error, but those behind it will have received the information we entered.
It is a textbook phishing attack: a known entity is impersonated, an attempt is made to give it some credibility by using its corporate identity or by recreating a website similar to its own, and the user is asked to enter a lot of personal data. When in doubt, it is advisable to be distrustful, confirm the information with the entity itself and, of course, not open any of the links or download attachments.
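The three warning signs described above (a brand name paired with a generic sender domain, an urgency hook, and a button that leads off the brand's site) can be checked mechanically. The following is an added example, not code from the OSI or from this article; the domain `lidl.example`, the sample message and the function names are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "lidl"
# Assumption: placeholder for the brand's verified mail/web domains.
OFFICIAL_DOMAINS = {"lidl.example"}
URGENCY = re.compile(r"\b(expire|expires|expiring|last chance|urgent)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+")

def is_official(host):
    """True only for an official domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage(raw):
    """Return the indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    # Plain-text view of every leaf part (transfer encodings are not decoded).
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    sender = msg.get("From", "")
    claims_brand = BRAND in (sender + msg.get("Subject", "") + body).lower()
    findings = []
    # 1. Brand is invoked, but the mail comes from a non-company domain.
    sender_host = parseaddr(sender)[1].rpartition("@")[2]
    if claims_brand and not is_official(sender_host):
        findings.append("sender_domain_mismatch")
    # 2. Pressure to act before something runs out.
    if URGENCY.search(body):
        findings.append("urgency")
    # 3. A link or button whose target is outside the brand's own site.
    if claims_brand and any(not is_official(urlparse(u).hostname)
                            for u in URL.findall(body)):
        findings.append("link_off_brand")
    return findings

# Constructed sample modelled on the campaign described in the article.
SAMPLE = """\
From: Lidl Rewards <promo@mailbox.example>
Subject: Quote 02/19/2021: Recipient's name
Content-Type: text/html; charset=utf-8

<p>Your loyalty points will expire soon unless you trade them in.</p>
<a href="http://promo-robot.example/confirm">Confirmation and continuation procedure</a>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The suffix check in `is_official` is deliberate: a host that merely contains the brand's domain as a prefix is still treated as off-brand.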
More information | OSI