Beware of the Avengers Endgame phishing scams

Marvel - Avengers: Endgame
Credit: Screen grab from Avengers: Endgame Official Trailer

If you are a person who doesn’t mind waiting until the Avengers hype dies down before stepping into the cinema or finding out the ending, you should be safe from this scam. But for those who cannot contain their excitement and also couldn’t get a ticket, listen up!

There’s an Avengers Endgame phishing scam going around, and as much as we want to say that it takes an innocent person to believe in the fraud, we should never underestimate the desperation to watch the Endgame.

How does the Avengers phishing scam work?

Scammers first create multiple websites with the promise that you will get to stream the full movie. Upon clicking the online-player icon, you are given some time to watch a short scene from the film, which is actually from the trailer.

A few seconds in, you will be redirected to a page requesting you to key in your personal information, including your credit card details and CVV. To eliminate your remaining doubts, the websites also reassure you that they are collecting these details for validation purposes and to make sure that you are a real person.

Once you’ve provided the necessary information, it’s the Endgame for you, as criminals can use it to steal your funds.

Tatyana Sidorina, a security researcher at Kaspersky Lab, said:

“Social engineering methods are aimed at exploiting people’s emotions. An influential and much-loved franchise with an enormous global fan base seems like the perfect target. The temptation to take a few security short cuts in order to be able to watch a long-awaited movie and not have to worry about spoilers or sold-out tickets can prove irresistible to loyal fans; that is what the attackers prey on.”

To help prevent yourself from falling victim to the scam, here is some advice from Kaspersky Lab.

  • Do not click on links in emails, texts, instant messaging or social media posts if they come from people or organizations you don’t know. Check for suspicious or unusual addresses when any personal or financial information is asked for; legitimate ones should start with ‘https’
  • Phishers often exploit emotions. Signs that there could be phishers at work include messages that are unduly threatening (warning of a potential fine or other penalties, for example), demand immediate action, ask for vast amounts of very personal and seemingly irrelevant information, or simply sound too good to be true
  • Have a separate bank card and account with a limited amount of money specifically for online entertainment. This will help to avoid serious financial losses if your bank details are stolen
  • Use a reliable security solution for comprehensive protection from a wide range of threats, such as Kaspersky Security Cloud