Stay vigilant as fraudsters target both users and non-users with sophisticated schemes
In recent months, thousands of Australians and international users have reported receiving unexpected text messages claiming to be from Afterpay, the popular buy now, pay later service. These messages range from verification codes for accounts they never created to enticing offers of store credit worth thousands of dollars. As these scams become increasingly sophisticated, understanding how to identify and protect yourself from them is crucial.
Overview of the Unexpected Afterpay Verification Text Scams
A widespread incident occurred earlier this year when numerous individuals, including those who had never used Afterpay, received verification code text messages in the early morning hours. This peculiar event prompted concerned recipients to seek answers online, with many discovering they weren’t alone.
“I got a random verification text for Afterpay, a service I’ve never used before,” reported one Reddit user, whose post garnered hundreds of similar responses. The timing was particularly suspicious, with most messages arriving between 1-4 AM Australian time, suggesting a coordinated campaign.
Afterpay acknowledged the issue on their website, stating: “We have received reports of Afterpay users and non-users receiving unsolicited text messages. Unexpected text messages or emails can safely be ignored.”
Understanding Smishing Scams
These unexpected texts are part of a larger scam category known as “smishing” – a combination of SMS and phishing. Smishing involves scammers sending deceptive text messages to trick recipients into revealing personal information or financial details.
The Afterpay smishing scams typically come in two primary forms:
- Verification Code Texts: Seemingly random verification codes sent to individuals who never requested them
- Store Credit Offers: Messages claiming recipients have thousands of dollars in store credit waiting to be claimed
While the verification code texts might seem harmless since they don’t contain links, they serve several nefarious purposes:
- Testing which phone numbers are active
- Preparing for more targeted scams
- Causing confusion that might lead recipients to contact “customer service” numbers controlled by scammers
How the Scam Operates
The more dangerous variant involves texts offering substantial store credit. Here’s how this sophisticated scam typically unfolds:
- The Hook: Recipients receive a text claiming they have $4,000 AUD (approximately $2,500 USD) in store credit waiting to be claimed
- The Lure: The message includes a link to a website that appears to be affiliated with Afterpay (e.g., “afterpay-help.com”)
- The Trap: Upon visiting the site, victims are informed they need to verify their banking information to receive the credit
- The Theft: After selecting their bank from a dropdown menu, victims are directed to a convincing replica of their bank’s login page
- The Damage: Any credentials entered are immediately captured by scammers, who can then access bank accounts and drain funds
Security researchers who analyzed these scams using virtual machines found that some variants are sophisticated enough to attempt to bypass two-factor authentication.
Afterpay Text Message Patterns: Recognizing the Threat
Understanding the common patterns in these fraudulent messages can help you spot them before falling victim. Typical Afterpay scam texts often contain:
Content Characteristics
- Claims of substantial store credit (often $4,000 AUD)
- Urgent language suggesting imminent expiration
- Reference numbers to appear legitimate
- Links to non-official domains containing “afterpay” plus hyphens or additional words
Timing and Frequency
- Often sent during early morning hours when recipients are likely sleeping
- May arrive in waves, with multiple people receiving similar messages around the same time
- Sometimes followed up with additional messages if no response is received
Example Messages
Your 4,000 AUD instore Afterpay credit has yet to be claimed please head to afterpay-help.com with the reference below Ref # 100774979350
Your Afterpay verification code is: 335060
Red Flags: How to Identify Smishing Scams
Protecting yourself begins with recognizing the warning signs of fraudulent messages. Here are the key red flags to watch for:
1. Offers That Seem Too Good to Be True
Legitimate companies rarely offer substantial sums of money or credit without clear context. The $4,000 AUD store credit claim is designed to override your skepticism with excitement.
2. Suspicious Domain Names
Always scrutinize the URL in any link before clicking. Scammers often use domains that include the legitimate company’s name but add extra words or hyphens:
- Legitimate: afterpay.com
- Fraudulent: afterpay-help.com, afterpay-verify.com, afterpay-secure.net
3. Poor Grammar and Spelling
Professional companies have rigorous quality control for customer communications. Watch for:
- Run-on sentences without proper punctuation
- Awkward phrasing and grammatical errors
- Inconsistent capitalization or formatting
4. Urgency and Pressure Tactics
Scammers create artificial urgency to prevent you from thinking critically:
- “Expires soon” messaging
- Claims of account suspension if action isn’t taken
- Suggestions that others are claiming the offer ahead of you
5. Requests for Sensitive Information
Legitimate companies will never ask for:
- Full banking credentials via text message
- Credit card details in response to an unsolicited message
- Account passwords or full personal identification details
How to Protect Yourself from Afterpay Scams
Taking proactive steps can significantly reduce your risk of falling victim to these increasingly common scams:
Immediate Actions for Suspicious Messages
- Do not click on links in unexpected texts, even if they appear to be from Afterpay
- Never share verification codes received unexpectedly
- Contact Afterpay directly through official channels if you’re unsure about a message
- Report suspicious messages to Afterpay at [email protected]
Preventative Measures
- Enable two-factor authentication on all financial accounts
- Regularly monitor your bank statements for unauthorized transactions
- Use unique, strong passwords for different services
- Consider using a password manager to maintain different complex passwords
- Keep your phone’s operating system and apps updated to benefit from security patches
If You’ve Already Clicked a Link
- Change your banking passwords immediately
- Contact your bank to report potential fraud
- Monitor your accounts for suspicious activity
- Check if other accounts using similar passwords may be compromised
- Consider placing a temporary freeze on your credit
Frequently Asked Questions
1. Is Any Unexpected Afterpay Text Legit?
While Afterpay does send verification codes for legitimate account actions, unexpected texts—especially those received without initiating any Afterpay activity—are highly suspicious. Afterpay has confirmed that many people have received fraudulent messages, and they recommend ignoring unexpected texts.
2. What Should I Do If I’ve Shared My Banking Information?
If you’ve entered banking credentials on a suspicious site, immediately:
- Change your online banking password
- Contact your bank’s fraud department
- Place alerts on your credit file
- Monitor all accounts closely for unauthorized activity
- Follow your bank’s recommendations for compromised accounts
3. Why Did I Receive a Verification Code If I Don’t Use Afterpay?
Scammers often attempt to create accounts using randomly selected or purchased phone numbers. The verification code you received could be the result of someone trying to set up an account using your number, or it could be part of a mass messaging campaign targeting thousands of numbers simultaneously.
4. Can Scammers Access My Account Just From My Phone Number?
No, scammers cannot access your accounts with just your phone number. However, they may:
- Attempt to use it for identity verification purposes
- Try to conduct SIM swapping (transferring your number to their device)
- Use it as part of social engineering attempts to gather more information
5. How Can I Verify If Communication From Afterpay Is Genuine?
Never use contact information provided in the suspicious message. Instead:
- Log into your Afterpay account directly through the official app
- Contact Afterpay through their verified customer service channels
- Check the official Afterpay website for announcements about known scams
- Verify that email communications come from official Afterpay domains
Afterpay’s Response and Security Measures
Afterpay has acknowledged these scam attempts and provided guidance for users. According to their official statements, the company:
- Has “sophisticated tools to monitor and respond to these events”
- Collaborates with information security industry peers and government agencies
- Recommends users report suspicious messages to [email protected]
- Advises customers to follow guidance from the Australian Government’s Scam Watch website if they’ve clicked suspicious links
For non-users who received verification texts, Afterpay has confirmed that in many cases, no accounts were associated with their phone numbers, suggesting these were either system errors or part of scam attempts that didn’t progress further.
The Broader Threat Landscape
The Afterpay scams represent just one facet of a growing threat landscape targeting financial services users. Buy now, pay later services have become particularly attractive targets for fraudsters due to their rapidly growing popularity and the potential for quick financial exploitation.
Security experts warn that these scams are likely to evolve, potentially incorporating more sophisticated social engineering techniques and leveraging artificial intelligence to create more convincing messages. Staying informed about the latest scam techniques and maintaining healthy skepticism about unexpected messages claiming to be from financial services is your best defense in this changing environment.
Stay vigilant, verify through official channels, and remember that legitimate companies will never ask you to provide sensitive information through unsolicited communications.
