Image: Web Summit via Flickr

Financial platform Payoneer blames account hacks on phishing campaign

The global payments processing company Payoneer attributed reported hacks on customer accounts to fraudsters tricking users with phishing links.

Dozens of people in Argentina took to social media over the last week to complain that their accounts had been broken into. Several people said their passwords were changed and accounts drained of all funds, with many reporting thousands of dollars in losses.

Multiple people said that last week they began to receive text messages asking for password resets for their Payoneer accounts. Even those who did not click on the links in the text or approve the password reset said they opened their accounts to find themselves either locked out or with their money gone.

In a statement to Recorded Future News, a spokesperson for Payoneer attributed the campaign to alleged fraudsters who “lured a very limited number of customers to click on links to phishing sites and provide their account credentials.”

“Unfortunately, some customers clicked on these fake links and shared their account login information with fraudsters or encountered newer modes of fraud that compromised their mobile phones,” the spokesperson said.

“We took swift action to contain the attempts at fraud from spreading. We take fraud prevention very seriously and we work closely with regulators, mobile carriers, and law enforcement agencies on an ongoing basis to help combat financial crime. We also continue to actively educate our customers on how to keep their accounts safe and protect their confidential information.”

The spokesperson did not respond to requests for comment about what victims are supposed to do now that their funds are gone, and it is still unclear how the hackers were able to bypass several layers of security to conduct the attacks.

The issue was first reported by Argentinian journalist Juan Brodersen and BleepingComputer.

On social media, many customers are urging each other to remove their funds from the platform until Payoneer provides more information about why this campaign was so effective.

In the past, security experts have spoken out about issues with SMS-based two-factor authentication.

After a previous incident involving an Instagram-focused phishing campaign, KnowBe4’s Roger Grimes noted how easy it is to hack and bypass most multi-factor authentication solutions people use.

“Sadly, in general, 80% of the MFA solutions people use are phishable. And everyone, when given a choice, should switch to phishing-resistant forms of MFA. Even CISA, Google, and Microsoft, are starting to try and push their customers to more phishing-resistant forms of MFA,” he said.

“The whole reason we are being told we have to use MFA is that our passwords are too easily stolen, usually by phishing. And if the MFA solution you are told you have to use is just as phishable, did you really gain any security?”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.