How Phishers or Scammers Prey on Wise / TransferWise Users

This guide covers how phishers target Wise (formerly TransferWise) users, the red flags to watch for, concrete prevention steps, and what to do if you’ve been targeted or compromised.

How phishers prey on Wise users — common scams & examples

  1. Fake “unauthorized transaction” / “verify your payment” email or SMS

    • Message claims a payment is pending or your account was charged; asks you to click a link to “review” or “cancel.”

    • Link goes to a fake site that looks like Wise and asks for login credentials or a 2FA code.

    • Example text: “We’ve detected suspicious activity on your Wise account. Click here to secure your account: [fake link].”

  2. Account migration / verification scam

    • Claim: “We’re upgrading systems — you must migrate/verify your account or it will be locked.”

    • Goal: harvest credentials, identity documents, or payment details.

  3. Refund / overpayment / escrow scam

    • Fraudster “sends” money to your Wise account or claims to — then asks you to return an “overpayment” or pay a “release fee.” If the original transfer was fake (phished or reversed), you lose the money you returned.

    • Common with marketplace sales, freelancing payouts, or private transactions.

  4. Impersonation of customer support (phone / WhatsApp / SMS)

    • Caller claims to be Wise support and asks you to disclose a code sent to your phone (“to verify it’s you”) — that code is the phisher’s way to log in.

    • Or they ask you to install remote-access software or sign in while they “check” something.

  5. Clone websites and typosquatting

    • Domains like “wise-secure.com” or “transferwise-login.xyz” mimic the real site. Visual design looks similar; small domain differences are the giveaway.

  6. Fake job / investment / “high-interest savings” offers using Wise branding

    • Ads or DMs promise large returns and ask you to open an account or deposit via a link that’s actually a scam.

  7. Social media / marketplace scams

    • Buyer/seller uses Wise branding to convince you to use Wise to receive/pay money; then uses overpayment/refund or fake proof of payment.

  8. Phishing via OAuth / third-party integrations

    • Malicious “apps” request Wise permissions (via an OAuth prompt) to access your account. If you authorize, they can initiate transfers or view account details.


Red flags (quick checklist)

  • Sender email domain is not @wise.com (or obviously spoofed).

  • Generic greeting (“Dear customer”) instead of your name.

  • Poor spelling/grammar or urgent scare language (“Your account will be closed in 24 hours”).

  • Links that don’t match the displayed text — hover to preview URL.

  • Requests for passwords, full identity documents, or 2FA codes via email/SMS/phone.

  • Pressure to move money quickly, pay “fees” to release funds, or install software.

  • Incoming “payment” with no record on your Wise app/account.


How to verify if a message or site is legitimate

  1. Don’t click the link. Open the Wise app or type wise.com into your browser manually or use a saved bookmark.

  2. Check the domain carefully. Look for subtle typos, extra words, or different TLDs (e.g., .net vs .com).

  3. Check HTTPS and the certificate (click the padlock in the browser to inspect). A padlock isn’t proof of legitimacy by itself; a domain that doesn’t match wise.com is suspicious even when the padlock is present.

  4. Look up the message via official channels — open the Wise app’s notifications or official website, never via the link in the message.

  5. Call Wise support using the number shown on the official website (not the number the message gives).

  6. Check email headers if you know how — SPF/DKIM/DMARC failures are a sign of spoofing.
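Steps 2 and 6 above, together with the typosquatting pattern described earlier, can be automated for a saved message. The following is an added example, not Wise tooling or code from the original guide; the sample message, the relay name mx.example.net and the host account-check.example are constructed placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

OFFICIAL = "wise.com"  # the official domain named in this guide

# Constructed sample message for illustration (not a real email).
RAW = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=wise-secure.com;
 dkim=none; dmarc=fail header.from=wise.com
From: Wise Support <support@wise.com>
Subject: Suspicious activity on your Wise account
Content-Type: text/plain

Secure your account: https://wise.com.account-check.example/login
Help centre: https://wise.com/help
Or use https://wise.com@wise-secure.com/verify
"""

def auth_failures(msg):
    """Return the SPF/DKIM/DMARC checks that did not report 'pass'."""
    # Folded header lines are joined so every result is seen.
    header = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower()))
    return sorted(m for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass")

def is_official(url):
    """True only if the URL's real host is wise.com or a subdomain of it."""
    # urlsplit separates userinfo ("wise.com@") from the host actually contacted.
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def suspicious_links(msg):
    """List links in a plain-text body whose host is not the official domain."""
    return [u for u in re.findall(r"https?://\S+", msg.get_payload())
            if not is_official(u)]

def triage(raw):
    msg = message_from_string(raw)
    return {"auth_failures": auth_failures(msg), "bad_links": suspicious_links(msg)}

if __name__ == "__main__":
    print(triage(RAW))
```

Only trust an Authentication-Results header added by your own mail provider; a sender can insert a forged one, so check that the first token names your provider's server.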


Concrete prevention steps

  • Always use the official Wise app or wise.com (bookmark it).

  • Enable 2-factor authentication (2FA) for your account and prefer an authenticator app over SMS when available.

  • Use a strong, unique password and a password manager.

  • Do not share 2FA codes, verification messages, or recovery codes with anyone — not even someone claiming to be support.

  • Be skeptical of any “payment reversal” or “overpayment” requests — discuss directly in the platform where the transaction is recorded.

  • Limit third-party OAuth grants and periodically review/revoke apps you don’t recognize.

  • Keep devices patched and avoid installing unknown apps; don’t install remote support tools at strangers’ request.

  • Use browser anti-phishing protections and email filters.

  • Educate buyers/sellers you deal with: insist on confirming payments in the official Wise transaction history (not screenshots or forwarded emails).


If you clicked a phishing link or gave details — immediate steps

  1. Change your Wise password immediately (from a different, secure device).

  2. Revoke active sessions (log out everywhere if possible) and revoke any third-party app access.

  3. Turn off and re-enable 2FA (or change the 2FA method) so an attacker who got a code can no longer access your account.

  4. Check transaction history for unauthorized transfers. Note tx IDs, dates, amounts.

  5. Contact Wise support right away from the official site/app and report the compromise — ask them to freeze or monitor your account.

  6. Contact your bank or payment counterparties immediately if money moved — attempt to stop or reverse transfers.

  7. Report the phishing to local authorities and national cybercrime/consumer agencies (FTC in US, Action Fraud in UK, etc.), and to your email provider.

  8. Document everything (screenshots, email headers, phone numbers) for fraud reports.


How to report suspected Wise phishing (what to include)

When reporting to Wise and authorities, include:

  • The suspicious email/SMS/WhatsApp text (full message, headers if email).

  • The sender’s email address/phone number.

  • The malicious URL (copy/paste) or screenshot.

  • Date/time and any action you took (clicked link, entered password, sent money).

  • If money was lost, transaction details and bank statements.

Sample short report text you can copy:

I received a suspicious message impersonating Wise on [date/time]. The sender was [email/phone]. The message said “[paste text]” and linked to [malicious URL]. I clicked the link / entered credentials: [yes/no]. Please advise — my account [was/was not] accessed. Transaction IDs: [list if any].


Example phishing messages (so you recognize the pattern)

  • “WISE: Suspicious login detected from IP 82.45. Login now to verify: [link].”

  • “Your transfer of $1,200 to John Doe is pending. Cancel transfer: [link]. If not cancelled within 2 hours, it will be processed.”

  • “Wise Support: We require additional verification documents to keep your account active. Upload here: [link].”

  • “Congratulations — you’ve received £500. To claim your funds, pay a release fee of £30 here: [link].”


Extra: technical defenses for organizations or heavy users

  • Enforce OAuth app whitelisting and least privilege.

  • Monitor for new login IPs/countries and require step-up verification.

  • Use email authentication (SPF/DKIM/DMARC) and phishing simulation training.

  • Use hardware security keys (FIDO2) for critical accounts.
