Partner and I Both Received Afterpay 2FA Codes but We Don't Have an Account?

Neither of us have after pay accounts and we received SMS security codes a few days apart

Is this a new scam running around?

Related Stores

Afterpay
Afterpay
Third-Party

Comments

  • +1

    I got one late last night too. The message is from a non-replyable SMS code "Afterpay".

    Never used (or attempted to use) Afterpay before, so I'm not sure if the message is actually coming from Afterpay (as a result of someone trying to create/verify an account) or a third party.

  • +1

    Same here, got one last night. Never used or tried to create an account.

  • +1

    Hmmm, interesting. Also got one. Something's up.

  • i received one the other day, too.. called up Afterpay to confirm that no account had been set up using my number

  • My initial thought was that someone might've typed their phone number in correctly (and got mine instead), but there seems to be a few here already so unlikely just fat fingers.

  • Got one this morning, never made an account either.

  • A quick Google search indicates that yes it is a scam, there is a link behind the code.

    • +1

      there is a link behind the code.

      What link? I can't seem to click on anything in the message.

      • -1

        Not an actual link per say, but the code could be "tied" to a scammer's account.

        Only thing I can guess atm, it's a referral code that they have spammed to a huge list of mobile numbers. anyone that signs up using that code, they pocket $30 from afterpay

        Invite a friend, get $30 off.

        Once they sign up and make their first purchase*, you get $30 off your next purchase.

        https://www.afterpay.com/en-AU/refer

        • +1

          In the message I've got, it actually says "Your Afterpay verification code is…"

          To me (and I could be wrong), it looks more like a 2FA code rather than a referral code.

    • +2

      There is no link behind the code it's just plaintext

  • Too many people have had this to be a coincidence now. It’s definitely a potential scam or dry test for one.

    • Yeah definitely not incorrect numbers

  • I got an email too but based on above comments, only people who don't actually have Afterpay accounts got the email.

    Be good to know if the email looks the same as a genuine Afterpay 2FA email from someone who actually has an Afterpay account.

  • It's an old way of loading Pegasus spyware onto devices, can read about it here:
    https://en.wikipedia.org/wiki/Pegasus_(spyware)

    Guessing the common thread amongst people that got it was iOS ;)

    • Also probably Australians? What a coincidence!

    • I'm on android but partner is on ios.

      What're the chances that this actually did steal information?

      • +1

        No idea, how locked down are devices?

        All that is required to defeat current versions of Pegasus is software that blocks (and notifies) any attempt to open ROOT access of the device (like Kaspersky multi-device licenses, etc). Most Android manufacturers (but not iOS) now block ROOT access, but some still allow it :/

        • Just bog standard iphone and Pixel 5 with updated software. nothing special.

          • @coffeeinmyveins: Well there is one plus, Google does not allow root access via software ;)

            • @7ekn00: Are you seriously trying to imply that Android is more secure than iOS? What are you trying to achieve with this misinformation?

    • Doesn’t Pegasus require you to open a link?
      There is no link in this text.

      • Nope, read the Wiki, that was 2016 versions … 2019 versions work just by sending a message to your device … and who know how the 2022 versions work!

        • I just had a look and it is a no click exploit like you described

    • Androids here.

    • Wife received one yesterday - she uses Android.

  • Partner got one the other night, just told her to ignore it as she doesn't have Afterpay

  • -1

    Received it this morning as well and had already seen reports of it last night on reddit.

    Interestingly I now can't unlock my phone via biometrics. Could be a coincidence as android does insist you unlock via password occasionally but a little concerning given the timing.

    Could also be Afterpay spamming subliminal advertising. Getting people to think/talk about it and those not aware of it to learn about it and perhaps sign up.

    • Could also be Afterpay spamming subliminal advertising. Getting people to think/talk about it and those not aware of it to learn about it and perhaps sign up.

      I seriously doubt that

    • Yes you need to use password every 72 hours or something.

  • +1

    I just activated a new sim and got the text, sent to the number before the number was activated!

  • I got the SMS to an Android phone earlier this morning.
    My AfterPay account has a unique email (with a complex password) so I think they have mobile numbers not linked to an actual AfterPay email address.
    And people without AfterPay accounts are receiving the SMS.

    So, it looks like someone is churning through mobile numbers from a previous breach, and using the AfterPay login page to send 2FA verification codes to these numbers.
    If the AfterPay 2FA SMS's were being used to spread a a no click exploit, how are the attackers adding the payload to SMS's generated by AfterPay?
    I'm not sure what the endgame is here.

    If anyone has worked it out, please update here.

    • Actually, it was my wife mobile (who does NOT have an AfterPay account), who received the SMS, not my mobile.
      So they are not targeting actual AfterPay account holders.

      They are churning through a list of mobile number, for some reason….

  • +1

    Received this text too, came through either last night or this morning. I have never used AfterPay so deleted it.. This text came through on a number I have never given out it’s purely to hotspot data (esim).

    • Same here, text came to a number I only use for data and have never used the phone number itself.

  • Received at 6:20 am today. Blocked the number as I have no intention of using Afterpay.

    • The ones received here came as a shortcode or whatever they call it, no number just from Afterpay

  • 18/07 09:41
    Your Afterpay verification code is: 378871

    Code is a hyperlink on mine, but phone doesn't go online. Clicking it just gets "Call, Send message…" action list.

    • +1

      That would just be your phone interpreting it as a phone number.

    • Not a hyperlink. some phones (esp IOS) do this for numbers in SMS's. I see it all the time with 2FA codes

  • I have received code as well on my spare number which i have never shared with anyone. I am not using that number anywhere or afterpay…

    • Implying that the distribution list is just sending it to random numbers rather than anything specific.

  • 2 in my household received, both who have never used Afterpay. Quick google shows this happened a year ago and then people started piling on the same post after it happened again the other day.

  • Found this possible explanation on Reddit -

    https://www.reddit.com/r/Afterpay/comments/w12a9r/psa_afterp…

    What's happening? Well I checked the site and it will bring up a page to enter your phone number if you type any (even random) email address to login. A bot is probably trying to log in by using data from a breach or leak which had your information.

    • Possible.
      Even checking the haveibeenpwned site won't help, my email/phone is not listed there under any breaches, these can take a while to appear.
      good pick though

  • Relax, it’s just bill gates spreading the rona via the 5Gs

  • Merged from Someone Is Using My Mobile Number to Sign up for Afterpay & LatitudePay - Should I Be Concerned?

    I tried to Google but yield no results so hopefully someone here could help.

    6 days ago, I received an email from Afterpay saying someone is trying to create an account using my mobile number. I have an existing account with them so I logged in to check but everything seems ok, so I brushed it off as someone putting in their number wrong.

    Tonight I received a verification code from LatitiudePay. I do not have an account with them.

    Considering that both incidents occurred close together and both are related to "buy now, pay later", should I be concerned? Could they use it for something malicious?

    • +2

      Sounds very sus to me.

      I would be concerned.

    • should I be concerned?

      Not if you can afford it..

    • +3

      You can try calling up Afterpay & Latitude to let them know that this is your number & you didn't sign up for their service.

      The main risk is that the person fails to pay their debts, and then you'll be driven crazy by constant calls from debt collectors.

    • +2

      DUPE

      I tried to google but yield no results

      Ozbargain forum search yields better results than google.

    • +1
      • yep that's it, thanks

    • I guess the latitude pay one could have been a scam, the afteroy could have been true but it could also be scam. Either way, do not click any links. If the afterpay email looks genuine call them to verify

    • I got one tonight too, never used latitude

    • I did too. Just shrug it off 😷💪🏿

    • If you do not care about you identity that has been stolen and then used to open fraudulent accounts then there is nothing to worry about.

    • +2

      Happened similar incident to me except it was text message to my phone. I wrote to them and this is what they sent back,

      Thanks for taking the time to let us know that you unexpectedly received a text message that appears to be from Afterpay.

      We are aware of these unsolicited text messages and we have sophisticated tools to monitor and respond to these events.

      We collaborate with our peers across the information security industry, including government agencies, to address phishing scams. We appreciate reports like yours to help us identify and shut down offenders who misuse legitimate brands for fraudulent purposes.

      You can safely ignore unexpected text messages that appear to be from Afterpay. If you have clicked on any links contained in unexpected text messages, please follow the advice on the Australian Government’s Scam Watch website at www.scamwatch.gov.au.

      • I wrote to them

        As in pen, paper, envelope and stamp?

        Thanks for the memories.

        • You forgot the best part…
          ….licking the glue strip.

          • @[Deactivated]: back in the day I remember there was a village rumour going around that the stamp glue could make men infertile and freaked everyone out 🤪😝

        • Wish I could do a ms paint diagram for illustration on how I did, but am using iPhone to write (type 😝) this message.

      • Same here, I received an Afterpay SMS a few weeks ago. No links or anything in the message, just a verification code - I've never had an account with them, and never used any "Buy now, pay later' services either. I emailed Afterpay and received the same response you did. I've checked all my bank accounts, credit cards, phone account etc and haven't been able to find anything out of the ordinary.

    • Is there a link that the messages are asking you to click on? If so, then scam.

    • i also received an sms from afterpay a while back. apparently it was widespread according to reddit

    • Yep, I also got one last night.
      Looks like a 2FA code, there's no link.
      I have no LatitudePay account

      Looks like this is the relevant comment from the similar post linked up above
      https://www.ozbargain.com.au/api/folder/list/c?tid=12422132

      It's a zero click exploit, so just receiving the message while running a compromisable firmware version could be sufficient to be infected.

    • Yeah that was me, can I have the verification codes please?

  • I had this 2FA authentication code and i have Afterpay acct. then yesterday early morning ilI woke up to a code from LatitudePay. Both received from my iphobe work phone 😷😂

Login or Join to leave a comment