Cyber-security experts, including a former FBI agent, have advised Scots to be ultra-cautious about unsolicited calls following the recent TalkTalk data breach, warning that phishing expeditions will be the fraudsters’ tactic of choice.
Customers of the telecoms giant have been reassured that their financial details were not compromised in the cyber-attack. But industry figures suggest the scammers could use other personal information to rip people off over the phone.
It comes as new research shows one in seven consumers have lost money to phone scams in the past year. The survey from CPR Call Blocking also found that one in eight fraud victims were cheated out of at least £1000.
Leo Taddeo, a former special agent in charge of the cyber division at the FBI’s New York Office, told The Herald that crooks may ring up pretending to be TalkTalk representatives, aiming to direct you to websites that quietly download malware onto your computer.
This so-called trojan horse can then track your internet activity and pick up online banking passwords, passing them straight back to the criminal gangs. Mr Taddeo said: “Almost any type of malware can be injected by a website that has been purposely programmed to exploit a vulnerability in a web-accessed application.
“As consumers demand more functionality and features, unfortunately that has made applications more complex and harder to defend against malware.”
Richard Kirk, senior vice president at computer security firm AlienVault, said consumers can be tricked into visiting harmful websites by exploiting their lack of knowledge. “People can readily accept there is a problem with their internet service, especially when someone sounds technical or is offering to fix the issue for free. But once the user has been convinced to visit a rogue website, all sorts of bad things can happen.”
Mr Kirk said that callers could also trick you into downloading ransomware, a technique that was used to swindle a hairdressing business in Glasgow out of 1000 euros this month.
Ken Main, joint owner of Ellen Conlin Hair and Beauty, was forced to pay cyber-hackers, believed to be from Russia, after they locked him out of his own business database. The incident was reported a few days after Police Scotland urged small businesses to check whether they had downloaded the latest versions of their security software.
Other common phone rackets exposed by CPR Call Blocking this week involve PPI complaints, where victims are persuaded to pay upfront fees in order to apply for compensation, and virus hoaxes, where computer users are rung by a member of “Microsoft tech support” asking for passwords in order to fix a fictitious software problem.
Kris Hicks from CPR Call Blocking said: “Scam and nuisance phone calls continue to be a major problem for consumers and it’s often the most vulnerable people in society who are falling victim to telephone scams. It’s a worrying trend that most of us now prefer to be contacted by post or email rather than by phone when, in reality, most telephone contact is perfectly legitimate.”
Earlier this week, a Scottish MP revealed that 15 per cent of all nuisance calls are attempts to dupe vulnerable customers, based on research done by local authorities. Speaking at an adjournment debate in the House of Commons, Patricia Gibson, SNP MP for North Ayrshire and Arran, said: “It is yet another sign that the consumer has very little control over their personal data. Who knows where the data can land as they pass through hands that are not always scrupulous.”
And it is not just consumers who are hit hard by mishandled data. Morrisons is to be sued by 2000 of its employees after a disgruntled ex-employee leaked financial details of almost 10,000 former colleagues to news outlets and data sharing sites - fertile hunting ground for fraudsters. The actions of Andrew Skelton, who was jailed for eight years in July, will now lead to a group litigation order against the supermarket chain following a hearing at the High Court.
There have also been warnings about hoax callers posing as police officers after an elderly woman in Stirling was conned out of a five-figure sum this month. Inspector Jim Young said the woman in her eighties had lost a “considerable amount of money” after being told by scammers pretending to be detective sergeants from London’s Metropolitan Police that her bank account had been hacked and she needed to transfer funds into another account.
Mr Kirk commented: “The best advice that can be given to anyone is to not follow instructions from anyone that you do not personally know over the telephone. If you are worried about your internet connection, hang up and call the official number given to you by your internet service provider. And under no circumstances give anyone your personal details over the phone, unless you initiated the call to a trusted party.”
Mr Taddeo, now chief security officer at Cryptzone, also advised people to take care when visiting websites, and steer clear of email attachments sent by strangers. “I would also recommend using long and complex passwords that can’t be easily guessed and changing them often.”