The Bamba warning: the fictitious advertisement that brought down the Israelis

The message was constructed to look like an innocent marketing activity of a well-known brand. It includes a picture identified with Bamba, simple questions, colorful answer buttons and a promise to receive a cash prize in a short time. At the bottom of the page there may appear comments from “winners”, who say they apparently received the voucher and encourage other users to participate.


Warning of the national cyber system for advertising to Bamba | Photo: Maariv Online

These responses are designed to create a sense of credibility and reduce suspicion. The user sees other people telling about winning, a picture of a familiar product and an interface that looks professional, and therefore may assume that this is an official promotion. In practice, there is no guarantee that the comments were written by real people or that the promotion is related to the Bamba manufacturer.

The first step in a sting is usually to attract the user to a website that pretends to be an official page. After answering a few simple questions, the site may inform the user that he won the prize. In the next step, he may be asked to provide his full name, phone number, e-mail address, residential address or other details for the purpose of “delivering the voucher”.

In some phishing attempts, the user is asked to enter credit card information, sometimes on the grounds that a nominal payment is required for delivery, identity verification, or activation of the prize. In other cases, a verification code is sent to the phone and the user is asked to transfer it to the website. Such a code may allow attackers to take control of an account, authorize a financial operation or connect to a digital service on behalf of the victim.


Bamba | Photography: istockphoto

Sometimes the last requirement on the way to receiving the prize is to share the message with several friends or groups. In this way the victims themselves spread the sting further, and the message reaches people who know and trust the sender. The fact that the link was sent by a friend or relative does not prove that the offer is real, since they too may pass it on after falling into the trap.

The cyber system recommends not clicking on links to promotions that arrive in chain messages, even when they include a familiar logo or are sent from a familiar person. Instead of entering through the link, you should independently open the company’s official website or its verified pages on social networks and check if the sale was actually published there.

Other warning signs are a promise of an expensive prize for a simple action, a countdown, a message that the number of winners is limited, a demand to act immediately, or a request to forward the message to more people. An unusual website address, spelling errors, strange wording or switching between several pages before receiving the award should also arouse suspicion.


Phishing, illustration | Photo: REUTERS/Dado Ruvic

Do not provide an ID number, password, one-time verification code or credit card information following such a message. Commercial entities, banks and credit companies should not ask customers to transfer a verification code received over the phone in order to win a prize. The code is intended for the user only, and handing it over to another person may allow an account operation to be performed.

Those who clicked on the link but did not enter any details should close the page and not download files or install applications offered on it. It is recommended to check if an unknown file has been downloaded to the device, delete it without opening it and make sure that the operating system and browser are up to date.

Those who provided a password should enter the real service through the official website or app, immediately change the password and disconnect from active connections on other devices. If the same password is used in other accounts, it must be changed in them as well and two-step verification must be activated.


Online payment Photo: Shutterstock) | Online payment Photo: Shutterstock)

If credit card information has been provided, contact the credit company as soon as possible, report the disclosure and check whether any unknown charges have been made. If a verification code related to a bank account, digital wallet or financial service is provided, contact the relevant body immediately and do not wait for a charge to appear.

The suspicious message should not be passed on, not even with a question as to whether it is real. It is recommended to block the sender when it is an unknown number, use the report option of the applet and inform the person from whom the message was received if it seems that he distributed it in good faith.

For any suspicion of a cyber incident, you can contact the 119 center of the National Cyber ​​System, which operates to receive reports from citizens and organizations and to provide an initial professional response. In the case of theft of money, an unknown charge or suspicion of a criminal offense, you should also contact the bank, the credit company and the police as necessary.

By Editor