Halloween Horror Frauds

Halloween Horror Frauds - Stephen McMaster Cloud

Considering it’s Halloween, I thought I would share some terrifying scam stories, along with some tips and tools on how you can keep the ghouls at bay this festive season (having said that, hindsight is a wonderful thing!)

The Lecturer

It was 2020 and Jonathan Leakey [1], from Ballymena in Northern Ireland, received a text message from his bank. It appeared to be from the bank, because it arrived in the same thread of messages as other genuine bank text messages.

Jonathan was shocked to learn that his bank account had been compromised, and the kind souls at the bank wanted him to give them a call so they could help him out. After calling the bank, and speaking to a helpful lady called Tanya, Jonathan proceeded to provide Tanya (who had a very posh English accent) with the security information needed to prove it was him.

It was only after the call that Jonathan realised the real crime had occurred: rotten Tanya had used the information he provided to empty his bank account.

The Hook: Fear – Jonathan was led to believe he was in imminent danger of losing his money – and in this frame of mind, he was much less likely to question what he was being told.

With hindsight: All bank cards have a phone number on the back of the card on which you can speak to the bank. If you receive a message from the bank saying that you have been a victim of fraud, never use a number provided in an electronic message. Instead, call the number printed on your bank card. You can then be assured you are speaking to your bank.

SMS Spoofing

Terrifyingly, a scammer could craft a message and use the SMS Sender ID feature so that the message masqueraded as coming from the genuine sender, which is how Jonathan was fooled: because phones group text messages by Sender ID, the fake message landed in the same thread as the real bank messages. The following example from which.co.uk [2] shows a fake message hiding amongst genuine messages:

Image from which.co.uk. Hyperlink is in the references section.

One would have thought this is clearly a vulnerability in the Sender ID system, and it was reasonable to assume that Jonathan getting his money back wouldn’t be too difficult. However, it took Jonathan 9 months to get his money back – and he actually wrote a book [3] about how he had to fight for it.

Image from Goodreads. Please see link in References section for original.

The Executive Whale

In 2016, an executive at Crelan Bank in Belgium [4, 5, 6] had an interaction with someone claiming to be from the technology department, during which the executive must have verified details that allowed the “technology department” to access his email.

Soon thereafter, staff at the bank received an email from the executive requesting wire transfers totalling €70m, which they dutifully executed.

It was not until an audit that it was realised that the instructions were, in fact, a scam, and the €70m was lost.

Note: In the above, I say “must have” because the bank would not divulge the exact details of how the fraud occurred.

The Hook: Fear – someone masquerading as a senior executive asks you to do something, and the email appears entirely valid because it really did come from the executive’s mailbox. Would you pick up the phone and ask your chief executive to confirm the instruction?

With hindsight: Although, as alluded to, calling an executive (or someone who works for the executive) to confirm that an email received from them is in fact genuine is a daunting task, it could have avoided this scam. If someone you knew well had sent the same email to you, you would most certainly confirm with them directly…! This illustrates how the (perceived) authority of the sender of an email can completely change how we respond to the message, and cause us to act in ways we otherwise wouldn’t.

Whaling

Whaling is a type of phishing attack that directly targets senior people within a firm, as opposed to other types of attacks which often target multiple people within the same firm. Being able to pose as a senior executive, as we have seen above, gives the message a lot more weight and influence within the targeted firm.

The Grandmother

Sylvia Wilson, a grandmother (who had helped to rehouse homeless people until she partially retired after suffering a heart attack), had been in communication with her solicitor and estate agent for some time over the purchase of a property for more than £300k. This was her plan for the future, and the sum total of all the money she had. She was using the money from the sale of a larger home to buy a smaller flat in London to be nearer her grandchildren.

The “estate agent” explained by email that the completion of the purchase had been brought forward and requested the transfer of the money to a given bank account, which Sylvia did.

Sylvia ended up in tears [7] when she went to the estate agent only to find they knew nothing of her home purchase.

It was only through the intervention of the Guardian that Sylvia was reimbursed by the bank, and only after they pointed out there were several points at which the bank could have prevented the fraud. What was particularly galling was that a system (called “Confirmation of Payee” [8]) that was due to go live in 2019 had been delayed. This would have prevented the fraud.

The Hook: Hope – Sylvia was advised that the closure date for the house purchase was being brought forward.

With hindsight: A phone call to either the solicitor or estate agent would have confirmed that the communication was fraudulent.

Push Payment Scams

This is an example of an “Authorised Push Payment” or APP scam (£583.2m in APP fraud was committed in the UK in 2021, as reported by the Guardian [9]). In this case, Sylvia’s email account had been hacked, and the fraudster was able to inject themselves into an email conversation Sylvia was already having with her solicitor and estate agent. To do so, the fraudster deleted real emails and crafted authentic-looking emails in their place to redirect Sylvia’s money elsewhere.

Conclusion

The impact fraudsters are having in the UK, and elsewhere, is increasing significantly year-on-year. The methods fraudsters are using are becoming ever more sophisticated, with eye-watering sums of money being lost.

All of these attacks could have been prevented by contacting person(s) or companies directly to verify that their communications were genuine. Always verbally verify large transactions, and always call companies back on their official phone numbers instead of relying on phone numbers provided in text messages.

And if you get an email from the Crown Prince of Brunei telling you he needs help to get millions transferred and will give you a cut… he needs to find a better banker.


And finally….

The Guardian reported in June 2022 [9] that UK victims had lost a total of £1.3bn amid a surge in online fraud. This was a 39% increase in cases over the previous year.

Less than 8 months after publishing that article, the Guardian, no stranger to electronic fraud, reported that it had itself fallen victim to a ransomware attack [10], which resulted in many staff being prevented from going into the office until it was confirmed that the servers and PCs had been cleared of the malware.


Helpful Tools

Who Called me?

Who Called Me can be used to find more information about a phone number before you call it back. It can identify scam telephone numbers, and nuisance callers.

I used this service recently on a number from Edinburgh I didn’t recognise, and after seeing what it was for, I simply blocked it.

TPS (Telephone Preference Service)

You can register your landline or mobile number with this service. This is basically what would have been called an “ex-directory” list when we all still used phone books! It is incumbent on telemarketers in the UK to adhere to these


References

[1] “Fraud victim: ‘I got the shakes every time I went online’”, BBC News, 2020.

[2] “Text scams epidemic laid bare: seven in 10 don’t trust messages from companies”, Which.co.uk, 2021, https://www.which.co.uk/news/article/text-scams-epidemic-laid-bare-seven-in-10-dont-trust-messages-from-companies-aHg2m3N3kcHJ

[3] “Scam Survivor: How One Victim Fought Back” by Jonathan Leakey, Goodreads, 2020.

[4] “The Top 5 Phishing Scams of All Time”, Check Point Software, undated.

[5] “Lokte e-mail van ‘de baas’ Crelan in zware fraudeval?”, De Standaard, 2016, https://www.standaard.be/cnt/dmf20160120_02079337

[6] “Crelan slachtoffer van zware fraude”, De Standaard, 2016, https://www.standaard.be/cnt/dmf20160119_02077042

[7] “Homebuyer loses £300,000 to fraudsters – but gets it back after we step in”, The Guardian, 2020.

[8] “Confirmation of Payee”, Pay.UK (wearepay.uk), undated.

[9] “UK victims lost £1.3bn in 2021 amid surge in online fraud, new data shows”, The Guardian, 2022, https://www.theguardian.com/money/2022/jun/29/uk-victims-lost-13bn-in-2021-amid-surge-in-online-new-data-shows

[10] “Guardian newspaper hit by suspected ransomware attack”, BBC News, 2022.
