A wave of phishing is currently sweeping through the well-known carpooling service Blablacar. The phenomenon was recently highlighted by a journalist, Valentin Hamon-Beugin, who was almost tricked and recounted his experience on Twitter. Dozens of other users spontaneously came forward in response, a sign that there is a whole machinery behind these attempts.
Tonight, I think I almost fell victim to a serious scam on @Blablacar, which (possibly) involves Russian hackers. I want to tell you this in case you find yourself in the same situation.
(1/too much)— Valentin Hamon–Beugin (@BeuginHamon) February 18, 2022
The attack scenario is as follows. Bogus accounts offer trips at particularly low fares. If a user takes the bait, the hackers first validate the trip and then cancel it. They then contact the user outside the Blablacar service, for example on WhatsApp. This is possible because, once a trip is validated, the traveler's contact number becomes visible to the driver and vice versa.
On WhatsApp, the hackers invent a story to explain why the transaction could not go through. Generally, they blame a technical problem on the online service's side. They then send a link to finalize the transaction. The URL of this link and the web page it displays impersonate Blablacar, in order to win the person's trust and encourage them to enter their bank card details. In reality, it is of course a site built from scratch by the hackers, who can then intercept these bank details and make fraudulent payments for much higher amounts, on the order of several hundred euros. Sometimes these transactions are carried out in rubles!
To avoid being tricked, just follow a few simple rules. Avoid communicating with the driver outside of the Blablacar application, including over instant messaging. If you are nevertheless contacted by someone outside the app, never click on a link they send you, let alone complete a payment transaction. Finally, give preference to drivers who have a solid profile, with a travel history and a verified identity card.