This week’s scam is close to my heart. Settle down while I tell you a story…
About 18 months ago, I received a letter in the post; yes, remember those, snail mail still exists, and it is the saviour of my bank account. The letter was from a small ‘credit reference agency’, also known as a CRA; Equifax is an example. Credit reference agencies are companies that check data, like financial information, bank details, credit card use, that sort of thing, and then give you a ‘score’. This score is used by other companies to, for example, decide if you can be trusted to pay back a loan. CRAs are involved in many other services too, including a number of identity checks when you create an online account – are you really you?
Back to that letter; the letter informed me that I just needed to use the enclosed code to complete my account and then I would be able to access my credit file and see my score, etc. Now, I already have one of these credit report accounts with a larger, more well-known CRA. I opened that account many years ago because it is very useful to see an overview of my finances, see my credit score, and I can also see if companies have been performing credit searches on me. An account with a CRA contains a lot of personal data. All of my details like name, address, previous addresses, associated people (like a spouse) and so on. A CRA user account is a literal data goldmine.
So, when I received that letter saying I was in the process of setting up an account with the other CRA, I was puzzled. I immediately logged into my own credit report account and bingo, there it was. Someone had attempted to take out a personal loan for £10,000 in my name. But the loan was stuck, it was still pending. I could see from the account details that the loan was via a well-known financial company. I called said company and told them what was going on. The fraud department at the company replied saying that they had indeed flagged the loan as the phone number given was out of sync with my known phone number.
Long story short, the fraudster had known this and had attempted to open a credit report account using my details to try and get at my latest phone number on record. They failed because of the security of the small CRA company in question. If the CRA had been lax in security, the loan might have been approved.
Although this week’s scam is not the same story as my run-in with fraudsters, it is related.
The CRA Account Phishing Scam
This week’s scam is a phishing email that looks like it represents the major CRAs: Equifax, TransUnion, and Experian. It offers a free trial, creating an account which collates your scores from the big three. The trouble is, this is not real; it is a phishing scam after your data.
After the major breaches at TalkTalk and Equifax happened, anyone affected was offered a credit report account to keep watch on financial events in their life. So, the offer to have a free trial to check your credit score and report is tempting. This is what the fraudster is relying upon – temptation and the Fear of Missing Out (FOMO).
The email takes the typical form of a phishing scam; there are a number of clickable links.
What Happens When You Click the Link?
If you click the link, you will be infected with malware, asked for data, or both. If you enter any data, it will be collected by the cybercriminal and may be used to create a credit report account in your name. The end result: more fraud, lost money, and extreme annoyance and stress while you sort out your finances and try to recover your identity.
As you can see from the analysis of this site, it is a critical security threat.
What Can You Do to Avoid Identity Theft?
Unfortunately, identity theft and data theft are all the rage. CIFAS found an 8% rise in ID theft in the UK in 2018. To avoid becoming a victim:
- Know what you are up against – use security awareness training for you, your company, your family, your customers.
- Be phishing wary – proceed with caution if you receive an unsolicited email that wants you to click a link or download an attachment.
- Set up a genuine credit report account and keep a watch on events.
- Wherever possible, if supported by the service, use two-factor authentication (e.g. an SMS code needed as well as a password to log in).
It is a sad state of affairs that we have to be so vigilant, but this is the price of connectivity.
Why not help your colleagues stay safe and send them this little reminder? Feel free to edit, copy/paste the advice below:
CRA Account Phishing Scam
An email offering to create an account that collates your scores from the likes of Experian may appear in your Inbox. This is a scam; be very wary of any email of this nature.
DO NOT CLICK ANY LINKS IN THE EMAIL. BE EXTRA CAREFUL AS THERE ARE SEVERAL LINKS.
For more information on what to do if you receive a phishing email, check out “What to Do if You Click on a Phishing Link?”