Those eager to get their hands on a PlayStation 5 are being warned about a fraudulent promotion that steals people’s sensitive data.
Researchers at Kaspersky spotted the bogus email, which offers recipients the chance to win a console if they supply their personal and financial details.
The scam is particularly dangerous, because it has been almost impossible to purchase a PlayStation 5 since the console’s release, due to supply shortages and delays caused by COVID-19.
Those who receive the message may therefore ignore red flags or persuade themselves that it’s worth the risk.
However, as with all offers that seem too good to be true, it’s worth taking the time to check its authenticity.
How the scam works
The first stage of the attack is an email from a company called India Pharma advertising a PlayStation 5 giveaway.
The message contains a large graphic that could easily be mistaken for a genuine campaign. It’s free of obvious spelling mistakes, comes complete with small print and appears to carry almost no risk: to enter, you only need to provide your email address.
However, if you look closely, there are clear signs that this is a phishing email.
There are typos (“Be the first to play [the] PS5” and an improperly styled “Playstation”), the small print lists the closing date as 31 December 2020, and the company supposedly running the promotion, India Pharma, seems an unlikely one to be offering such a deal.
If you fail to spot those warnings and register for the contest, you are directed to a website that says you are one of ten lucky visitors who can win the prize – but you must act within the next 78 seconds.
This is another clear sign of a phishing scam. Attackers force people to act quickly to reduce the chances that they’ll research the validity of the message or ask others for advice.
If you go ahead, you’re asked to complete a short survey, after which you have to pick one of three virtual gift packages for the chance to win your prize.
No matter which one you pick, you are told you’ve won – but again, there are further steps.
You are told to pay a small fee to cover the cost of postage (although the fee is a fraction of what it would actually cost to ship a PS5), and to provide your address, phone number and email address.
Finally, the attackers ask for your credit card details, including the expiration date and CVV number.
The scammers give no reason why they need this information, but it’s a classic example of the sunk cost fallacy.
At each stage, the recipient is led to believe that they are closer to their prize and are asked to hand over just a little more information. By the time they’re asked to hand over their financial details, many people will have convinced themselves that they can’t come this far only to back out now.
How to spot a scam email
If you’re worried about scams such as these, Kaspersky suggests that you check for information about giveaways and promotions on the organiser’s website. If you can’t tell who is running the promotion, that is probably enough of a sign that it’s a scam.
It also warns about contests that ask you to pay a fee – even if it’s small. The attackers might be using the pretence of a payment to capture your card details.