A phishing campaign is targeting users of the UK-based digital banking company Monzo, BleepingComputer reports. Security researcher William Thomas came across an SMS phishing (smishing) campaign that’s sending text messages that purport to come from Monzo.

“The users are taken to a phishing site that displays a fake email login form and then requests information about their Monzo account, including full name, phone number, and the Monzo PIN,” BleepingComputer says. “If these details are provided, the threat actors now have everything needed to begin taking over victims’ Monzo accounts. When installing the Monzo app on a new device, like the threat actor’s smartphone, the service sends a device verification link for the first login to the user’s email address. As the threat actors now have access to victims’ email accounts, they can click on this ‘golden link’ and verify their device, giving full access to the Monzo account. The severity of gaining access to this link is illustrated in the emails sent by Monzo, who warn that the link should never be shared with other people.”

Thomas wrote in a blog post that the attackers can then attempt to bypass users’ multifactor authentication to gain access to their accounts.

“These details are enough to compromise a user’s email account and Monzo account,” Thomas wrote. “Additional social engineering steps might be involved, but there are many one-time passcode (OTP) stealing bots and other guides on how to trick victims into giving up access to the attacker.”

BleepingComputer explains that Monzo has a set process for contacting its users, and that users should be aware of it.

“When Monzo wants to inform users about anything, it uses built-in app notifications or the account portal on the official website,” BleepingComputer says. “Monzo doesn’t use SMS to send notifications, and the platform would never urge users to follow any links from outside the app. If you’ve tapped on these links and provided any login details to the actors, reset your account passwords immediately and activate MFA on both your email and Monzo accounts.”

Multi-factor authentication is an important layer of defense, but users should know that it’s not foolproof. New-school security awareness training can enable your employees to recognize social engineering attacks.