Fraud Alert: Smishing Mastercard Holders

We are aware of an active smishing campaign—fraudulent text message scams— targeting Mastercard cardholders in Costa Rica.

These messages contain a malicious URL that impersonates Mastercard in an attempt to deceive recipients. When accessed on a mobile device, the link directs victims to a fake “Mastercard Priceless” webpage designed to collect personal and financial information. While we have not observed indications of similar activity beyond Costa Rica at this time, there is potential for this activity to expand or shift to other geographies.

Financial institutions should be aware that cardholders may reach out with questions or concerns after receiving these messages and may elect to take preventive actions based on their individual risk assessments.

How the scam works

• Fraudsters send text messages that appear to come from Mastercard or other legitimate organizations, often using urgent language such as rewards expiring, suspicious activity, or account issues.

• The message may include a link to a fake website that prompts potential victims to enter card details, personal information, or login credentials which are collected by threat actors.

• In some cases, the text message could include a phone number that prompts the victim to call, unknowingly connecting them directly to the fraudster rather than their bank, where they are then asked to provide sensitive personal and financial information.

• Threat actors then exploit this information to conduct fraudulent transactions against the victim’s bank account or to commit identity theft.

Warning signs to watch for

Card or account holders may report text messages that:

• Create urgency or pressure to act immediately (“points expiring” or “account suspended”)

• Contain links or request personal or card information via text message

• Come from unfamiliar or unexpected phone numbers

• Direct users to websites that resemble Mastercard branding but are not legitimate Mastercard domains.

Potential guidance for card or account holders

Issuers should consider providing the following guidance to card or account holders, in the event that they receive a suspicious test message claiming to be from Mastercard or another entity discussing Mastercard:

• Do not click links or respond to the message

• Do not provide personal, card, or account information via text message

• Report the message as spam to their mobile provider and delete it from their device

• Contact their card issuer directly using the phone number on the back of their card or through the issuer’s official mobile app or website to verify any account-related concerns

• Contact local law enforcement if they believe they have been a victim of a scam Important reminder Mastercard does not ask cardholders to provide full card numbers, personal identification numbers (PINs), one-time passcodes, or login credentials via text message. Any message requesting this information should be treated as fraudulent