Fraud – It started with a Tweet

Fraud – you can never be too careful

Hardly a week goes by when we don’t hear another story about online or telephone banking fraud.
In last week's Guardian there was such a story, but this one had a slightly different twist.

Winning your trust

For fraud to work, or so people tell me, you have to win someone's trust.
If you have ever experienced a fake tech support call you will know how sophisticated and plausible they can be.
They engineer the situation to win your trust by using phrases and names you know and recognise.
They will describe problems you have almost certainly experienced.
It is simply a numbers game. Sooner or later they will hit the right person at the right time.

But to take money from your bank account, they need a great deal more information, and this can take time and effort to collect. This process is sometimes called phishing.

Over a period of time the fraudster collects information about you and from you (‘the mark’) until they have a complete picture or sufficient information to make an attempt at fraud.
The more information you put into the public domain, the easier you make it for the fraudster to persuade you they are genuine.

The Scam

  1. ‘Michael’, an accountant, responded to a Twitter survey from his bank – the fraudster now knew the name of ‘Michael’s’ bank.
  2. As part of his response, ‘Michael’ indicated that he had a specific problem – the fraudster now had a subject for a conversation.
  3. Over a short period of time, the fraudster made several calls to ‘Michael’s’ company from a phone number that was the same as the bank’s – the fraudster was using a technique known as spoofing.
  4. The fraudster knew the bank’s customer service style and conducted themselves in the same manner.
  5. Each phone call required an account verification check, where ‘Michael’ was asked for two of his password letters. Slowly but surely, the fraudster was able to acquire ‘Michael’s’ password.
  6. Finally, the fraudster transferred £9,200.00 from ‘Michael’s’ account.
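The arithmetic behind step 5, as an added illustration that is not part of the Guardian story or this article: when each "verification" call asks for two positions of the password and the caller decides how many times the check is run, a short series of calls is enough to collect the whole secret. The password length and the two-positions-per-call rule are assumptions modelled on the story; the functions compute the exact probability of full disclosure after a given number of calls and the expected number of calls needed.

```python
from math import comb


def prob_fully_revealed(length: int, per_call: int, calls: int) -> float:
    """Probability that `calls` independent checks, each asking for
    `per_call` distinct random positions of a `length`-character password,
    together disclose every position.  Inclusion-exclusion over the set of
    positions that were never asked for."""
    if calls == 0:
        return 1.0 if length == 0 else 0.0
    total = 0.0
    for j in range(0, length - per_call + 1):
        # chance that one call avoids a fixed set of j positions
        p_avoid = comb(length - j, per_call) / comb(length, per_call)
        total += (-1) ** j * comb(length, j) * p_avoid ** calls
    return min(1.0, max(0.0, total))  # clamp floating-point noise


def calls_needed(length: int, per_call: int, confidence: float = 0.5) -> int:
    """Smallest number of calls after which the whole password has been
    disclosed with at least `confidence` probability."""
    k = 1
    while prob_fully_revealed(length, per_call, k) < confidence:
        k += 1
    return k


def expected_calls(length: int, per_call: int, tol: float = 1e-9) -> float:
    """Expected number of calls until full disclosure, E[K] = sum P(K > k)."""
    expected, k = 0.0, 0
    while True:
        tail = 1.0 - prob_fully_revealed(length, per_call, k)  # P(K > k)
        if tail < tol:
            return expected
        expected += tail
        k += 1


if __name__ == "__main__":
    # Assumed scenario: an 8-character password, two positions per call.
    for n in (6, 8, 10, 12):
        print(f"{n}-char password: ~{expected_calls(n, 2):.1f} calls on average, "
              f"{calls_needed(n, 2)} calls for a 50% chance of full disclosure")
```

The point for a defender is that a partial-password check only protects the secret when the bank controls how often it is run; once the "caller" is choosing when to verify, every check is a fresh leak of two characters.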

If you would like to read the full article, you can find it on the Guardian’s website.

Is anyone to blame?

Well certainly the fraudster.

‘Michael’ did give away his password freely.
To be fair to the banks (yes, I know we shouldn’t), they do warn us to be suspicious of calls where we are asked for passwords etc.

But what about the bank?
Should they have conducted a survey over Twitter?
In doing so, they basically invited a customer to tell a fraudster who they banked with: an important piece of information that enabled a fraud.

Conclusion

Many organisations have verification systems for inbound calls, but verification systems for outbound calls seem to be a lot weaker. In some cases it is the exact same process.

As a general rule, if someone calls me and asks me to prove who I am, I simply refuse. I can always call them back.

This story reinforces a point I make to all of our clients.
Never reveal any information to anyone who does not need to have it, no matter how innocent it might seem.
In our connected world, there are too many vulnerabilities and anything we put in the public domain simply makes it easier for the fraudster or hacker.