Current phishing wave: fraud with Magenta loyalty points
Fraudsters are currently trying to trick victims out of money and data with convincing phishing e-mails and websites that look like Telekom.
(Image: created with AI in Bing Designer by heise online / dmk)
A perfidious phishing wave is currently flooding inboxes, those of Telekom customers in particular, with fraudulent e-mails. They are visually very convincing, the texts are largely correct, and at first glance there are no major errors.
(Image: Screenshot / dmk)
At first glance, the e-mails look very convincing. A t-online.de e-mail address is given as the sender, which on closer inspection turns out to be an end customer address instead of a company address. The look is a very convincing imitation of the Telekom Magenta brand.
(Image: Screenshot / dmk)
The subject lines of the phishing emails read "🎁 Your points: almost lost 🎅 Ref:7878268". In the text, the fraudsters try to lure victims by claiming that they have collected Magenta loyalty points that will expire shortly. They can supposedly exchange these for "a gift". The email text is embedded as a graphic; potential victims are only addressed impersonally.
Social engineering: pressure through expiring points
To build up pressure, the masterminds behind the scam set a short deadline: these points would expire by December 31. "After this date, your points balance will automatically be reset to zero, even if the points have not been redeemed. In order to benefit from the points you have collected, we invite you to exchange them for a gift from our rewards list in good time," the perpetrators claim in the email.
The graphics in the email initially link to a completely different domain. However, this is usually not even recognizable in mobile email clients on smartphones. The target address then redirects to a somewhat more realistic-looking URL: magentamoments-besonderenvorteilen[.]com could be a genuine campaign landing page. Unfortunately, it is not uncommon for companies not to use their actual main domain for marketing campaigns (in this case that would be telekom.de, magenta.de or t-online.de), thus depriving Internet users of this verification option.
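A triage check for the traits described above (text embedded as a linked graphic, link targets outside Telekom's main domains, a brand-named landing domain), added here as an example and not taken from heise or Telekom. The function names, the brand-token list, the 40-character threshold and the sample message with its placeholder redirector host are assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL = ("telekom.de", "magenta.de", "t-online.de")  # main domains named in the article
BRAND_TOKENS = ("magenta", "telekom")                   # assumption: tokens worth flagging

def classify(host):
    """Return 'official', 'brand look-alike' or 'off-brand' for a host name."""
    host = (host or "").replace("[.]", ".").lower().rstrip(".")  # accept defanged input
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    return "brand look-alike" if any(t in host for t in BRAND_TOKENS) else "off-brand"

class LinkScan(HTMLParser):
    """Collects link targets, whether each wraps an image, and visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._cur = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = {"href": dict(attrs).get("href") or "", "image": False}
            self.links.append(self._cur)
        elif tag == "img" and self._cur is not None:
            self._cur["image"] = True
    def handle_endtag(self, tag):
        if tag == "a":
            self._cur = None
    def handle_data(self, data):
        self.text.append(data.strip())

def triage(raw):
    """List (finding, host) pairs for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    scan = LinkScan()
    scan.feed(body.get_content() if body else "")
    findings = [(classify(h) + (" link behind image" if l["image"] else " link"), h)
                for l in scan.links
                for h in [urlsplit(l["href"]).hostname]
                if h and classify(h) != "official"]
    # Assumed threshold: under 40 visible characters plus only image links = image-only body.
    if scan.links and all(l["image"] for l in scan.links) and len("".join(scan.text)) < 40:
        findings.append(("image-only body", None))
    return findings

# Constructed sample: the redirector host is a placeholder, not an indicator from the article.
SAMPLE = ("From: Telekom <kunde@t-online.de>\nSubject: Your points: almost lost\n"
          "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
          '<html><body><a href="https://redirector.example/r?id=1">'
          '<img src="cid:mail.png"></a></body></html>\n')
```

The check looks only at link targets and body structure; a domain check on the sender alone would not flag this campaign, because the sender shown is a t-online.de address.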
(Image: Screenshot / dmk)
The phishing page tempts visitors with high-value prizes such as an iPhone 16 Pro or a current Thermomix for a low additional payment; a popular soundbar or a food processor from Silvercrest, for example, are available for the points score alone, although the number of points displayed should not be sufficient for this. Attentive readers may notice that the supposed prizes are worth more than three times as much for around ten percent more points.
(Image: Screenshot / dmk)
Anyone wishing to redeem a prize is taken to another domain where, in addition to address details, payment information is requested. As there is no explanation as to why a small amount would have to be paid for a prize that is actually free, potential victims may be deterred from entering their details. Particularly perfidious: Anyone who initiates a money transaction here actually expects to be debited and will not object to it. It remains unclear whether only the specified amount will be debited or whether the fraudsters are trying to empty the account. The form also only asks for credit card details, although other means of payment are supposedly possible.
The fraudsters send the phishing mails specifically to t-online mailboxes. As Telekom is the largest telecommunications provider in Germany, they reach a large part of the population. It is also likely that the recipients know the Magenta brand and could potentially receive points in a bonus system for payments made; the criminal masterminds at least get their foot in the door. The domain and address errors are usually not immediately recognizable, especially in email clients on smartphones. However, this is clearly fraudulent phishing, and recipients of these emails should simply delete them.
(dmk)