This week, we go off-piste from our usual format and look at two friends who have been scammed. The common theme is that both cases involved large financial losses.
A 2018 Compare the Market survey that looked at bank account fraud found that 1 in 10 UK adults had been fraud victims, with bank and credit card theft resulting in around £2 billion worth of losses in the UK alone.
This is a tale of two people I know who unfortunately became part of those statistics.
Carrie’s Tale: Bank Fraud
Carrie is a frequent traveller, for both work and pleasure. Sometimes she is out of the country for several months at a time. When she is away, she asks her father to open her mail and generally check everything is ticking along. On a recent trip, she received a call from her father, who was worried after reading her bank statement. This is what happened.
Carrie’s father, let’s call him Jack, had a shock when he saw that her statement showed a payment amounting to several thousand pounds for flights to Australia. He was initially confused, as he knew Carrie was in Morocco.
Jack called Carrie’s bank, but the bank refused to deal with him as he was not the account holder. After Jack spoke to Carrie, she called the bank herself. The bank listened to her story and did some checks. It was clear that Carrie was indeed in Morocco and had not paid for, or taken, any flights to Australia.
In Carrie’s case, the bank refunded her lost money. However, this might not have been the case. According to the Financial Conduct Authority (FCA), the bank has a right to withhold any refund if it believes you were in any way negligent. What counts as negligence is open to interpretation, but there are rules which place the onus on the bank to prove it.
The question left with Carrie was “how did the fraudsters get her bank details?”
This is still not known but there are two theories:
- Carrie used an Internet café in Morocco. There, she logged into her bank account and other accounts. It is possible there was keylogging malware installed on the computers. This, however, would not in itself point to bank account takeover, as Carrie’s bank used a passphrase as a second factor, which brings us on to the next possibility.
- A banking trojan may have been installed on the computer she was using. This malware intercepts the bank’s interface, then presents a spoof bank login screen. This spoof login screen would then have allowed the fraudsters to intercept the login credentials/tokens. The cybercriminals can then use these real credentials during a redirect to the real bank site, thereby logging into Carrie’s account. They could then get the details needed to pay for flights to Australia.
You may have your own theory?
Steve’s Tale: Identity Theft
Steve is a security professional. But even security professionals fall foul of fraudsters. In Steve’s case, fraudsters took out a loan of £10,000 in his name. Here is what happened.
Steve received a letter in the post from a credit file agency. This agency had posted him a password to complete his “recent account creation” process. Steve was confused; he couldn’t remember creating an account with this company. Alarm bells sounded.
Steve logged into another credit report portal he frequently used to check his credit file. He instantly noted that a £10,000 loan had been placed against his name. He immediately called the company that had made the loan. On explaining the situation, he was put through to the company’s anti-fraud team.
The anti-fraud team went through the case with Steve. As it turned out, they had been alerted to the loan possibly being fraudulent as there was a mismatch with some of the data used to apply for the loan. The team already had an alert out and were awaiting confirmation from the loan applicant before fully processing the loan.
Steve had been very lucky. He had caught the fraudster at the right time, alerted the anti-fraud team, who were already suspicious, and the loan was withdrawn.
The question Steve posed was “how did the fraudsters get his details?”
Fraudsters can purchase stolen personal data available after data breaches.
and enter the email address that you often use to set up accounts. You will see if that email address, and associated personal data, has been exposed.
When the fraudster in Steve’s case tried to set up an account with the credit file agency, they were likely trying to find additional data, not available from a breach, to complete a profile. Fortunately, because of the credit file agency’s diligence in completing the account process, the fraudster failed. Although the cybercriminal still attempted to take out the loan, alarm bells had rung in both Steve’s ears and those of the anti-fraud team at the loan company. This time, the loan was prevented.
The moral of both tales is to be vigilant. Some other basics of security awareness are:
- Always be vigilant when using public computers or public Wi-Fi; ideally, do not log into bank accounts on public computers
- Check out The Defence Works post on “Staying Safe From Scams No Matter Where You Live”
- Shred any paper that has your address, financial card details, or other identifying information
- Keep up to date with your financial accounts using a credit reference agency report
- Install anti-malware on your own computer
- Keep your software up to date and patched
Why not help your colleagues stay safe and send them this little reminder? Feel free to edit and copy/paste the advice below:
Bank and Loan Scams
Over £2 billion was stolen from UK victims in 2017-2018, according to Compare the Market research. Here are some basic steps to avoiding financial fraud:
- Always be vigilant when using public computers or public Wi-Fi; ideally, do not log into bank accounts on public computers
- Check out The Defence Works post on “Staying Safe From Scams No Matter Where You Live”
- Shred any paper that has your address, financial card details, or other identifying information
- Keep up to date with your financial accounts using a credit reference agency report
- Install anti-malware on your own computer
- Keep your software up to date and patched
Don’t forget to share this with your colleagues and friends and help them stay safe.
Let’s keep breaking scams!