Spoofing - Do you know who you are really talking to?
One of the spoofing scams that regularly earns a great deal of money involves the fraudster ringing the victim pretending to be an official of some description.
This includes pretending to be a Police Officer, Lawyer, Banking Official and even a Doctor at an Accident & Emergency Unit. The purpose of the call is to convince the victim to authorise a payment to pay an invoice, or transfer their funds from an allegedly compromised account into a safe account etc. This is referred to as Authorised Push Payment (APP) Fraud.
The typical APP scam relating to bank accounts begins with a call from someone who advises you that they are calling from the fraud department at your bank. The number that appears on your phone is indeed the real number for your bank! They are able to quote your account number and a number of your recent legitimate purchases. They then ask if (for instance) you have bought a £2000 camera in Hong Kong or a luxury watch for £9000 in Dubai. The victim assures them they have not and the ‘bank employee’ advises them that their account has been hacked and they need to move fast to secure their money. They assure the victim that these two recent losses will be reimbursed by the bank if they move their money immediately into another account to which the bank has added additional security. Many victims agree immediately and transfer the balance of their account.
Those who question the legitimacy of the call are told to check the number they are calling from to verify they are indeed calling from their own bank. This is usually enough to satisfy most doubters. However, to remove any remaining suspicions, the fraudster suggests that the customer hangs up and rings the bank back themselves. If they do this, the fraudster does not hang up but keeps the line open and hands the phone over to an accomplice who ‘answers’ the new call and agrees to put them through to their fraud department. The customer believes they are now definitely speaking to their own bank. The customer then invariably transfers the money as instructed.
Whilst a call from ‘your bank’ is alarming enough – there are even more sinister and worrying variations on this scam. A particularly effective version goes something like this: Jane Hopkins is in her early 50s, happily married with three grown-up children and living in a nice 4-bed semi in deepest suburbia. Their mortgage is small, and her husband is a sales rep for a national roofing company. He travels extensively around the Midlands in a nice company car and is secretly planning a surprise party for their 30th wedding anniversary. Jane's mobile rings – her husband’s name appears on the screen.
Jane, ‘Don’t tell me – you have just had a brilliant idea and need to share it with me?’
Fraudster, ‘Can I speak to Mrs Hopkins?’
Jane, ‘Who is this? Why are you ringing from my husband’s phone?’
Fraudster, ‘I’m Mr Richards a consultant surgeon at East Midlands General Hospital. I’m afraid I have bad news. Your husband has been involved in an accident and is very poorly. I’ve just left him connected to the life support system. I’m really sorry to have to break the news in this way’.
Jane, ‘Is he going to die?’
Fraudster, ‘I’m doing everything I can to save him, but I can’t promise anything.’
Jane, ‘Tell me where you are, and I will leave now’.
Fraudster, ‘No, you can be more help to him from there.’
Jane, ‘What do you mean?’
Fraudster, ‘As you know the NHS has had massive cuts and this has impacted heavily on the emergency treatment available. I need to insert a device into his heart to maximise his chances of survival. Unfortunately, these devices are made of a mixture of titanium and platinum and as a result cost a lot of money - more than the NHS will fund. Ordinarily this is only done privately and not in an emergency, however, the choice is yours.’
Jane, ‘What do I have to do?’
Fraudster, ‘I’m happy to give my time for free but I’m afraid you need to pay for the cost of the device, which is £15,000, but it will massively increase your chance of having him back.’
Jane, ‘I can pay that, how do I do it?’
Fraudster, ‘The supplier will not release the device to me without payment up front, so I need you to transfer the money directly to them as soon as I put the phone down. The sooner you do that, the sooner I can operate and the sooner he will be back home’.
Jane, ‘OK give me the details of the account I need to transfer the money to’.
Fraudster, ‘Thank you, and let me assure you that you are doing the right thing. I’m sure you know that mobiles can’t be switched on in hospitals so I’m going to turn your husband’s phone off now and put it with the rest of his things. I will be in touch in a few hours to update you once the operation is completed.’
If you think that Jane sounds gullible - think again. I’ve seen one particular guy take tens of thousands of pounds from dozens of victims by using a very similar script to this. Victims are shocked to their core; it’s the very phone call that everyone dreads. As a result, all rational thought goes out of the window and the decision is made using their heart rather than their head.
If a victim challenges the fraudster, the fraudster becomes indignant: ‘Use your common sense, I’m ringing you from your husband’s phone. I took it out of his blood-soaked jacket. How else do you think I got your number?’ Nine times out of ten, this convinces the most doubting of victims.
An even more ruthless approach involves the fraudster pretending to be a supply teacher at their children’s school and informing the victim (via their child’s mobile phone or even the school landline number) that their child has had a seizure in the playground. A blood vessel has burst in their brain and the surgeon needs to speak to them. The phone is then handed over to an accomplice who plays the role of the surgeon. The conversation is then much the same as the first example.
I knew a married couple with children of their own who have regularly practised the supply teacher/surgeon scam. Having scammed someone and undoubtedly scared the living daylights out of them, they then go outside and play with their own children or take them to some after-school activity. Even to me, these people are a breed apart.
Another variation on the same theme is the spoofing of an email address. Imagine this: it’s 6:30pm and you have just got in from work; your mobile pings to alert you that you have an email. You are starving and really can’t be bothered to do anything other than eat. However, a cursory glance at the screen changes that. You see the email headline ‘Urgent - not a scam!’ and you open it up.
The email is from your brother and from his regular email address. You have already received an email from him with a picture of him standing outside of an airport with a rucksack on his back and an inane grin on his face. You replied to him telling him not to forget you when he passes back through Duty Free in 3 weeks’ time. That was the last time you heard from him.
You know that your brother is currently on holiday in Turkey, and it transpires that he is now in dire trouble. He has been kidnapped by a gang who are sympathetic to ISIS. They intend to hand him over to them in order that they can hold him hostage unless you pay them first. They want £10,000 paid to an account (details provided) by 9pm UK time. If the money is not received, he will be handed over and they will have no further control of what happens to him.
• You know the email is from your brother’s personal email address
• You know he is on holiday in Turkey
• You know he got there safely from the photograph he sent you
• You know he shuns hotels and prefers to stay in local guest houses etc
• You know that Turkey borders Syria
• You know he has a short temper and is likely to upset his captors sooner rather than later
• You know you have enough funds to pay the £10,000
• You know you would never forgive yourself if it all went horribly wrong because you hadn’t paid
You then get a text from his mobile phone: ‘I’m in deep trouble. Read your emails urgently. I promise to pay back every penny but PLEASE help. If you don’t pay, I’m going to die.’ You try his mobile phone but there is no reply. You transfer the £10,000.
Spoofing the telephone number and email address is simple using proprietary software. Fraudsters simply select the number or email address they want to appear on your device and they are in business - and you are about to be out of pocket.
Clearly, there has to be a starting point for these scams, i.e., how do they know who is going on holiday? to where? and when? I’m sure you will not be surprised to hear that social media sites provide rich pickings. There are groups of researchers who do nothing more than harvest ‘useful’ information (useful to fraudsters that is) and sell it on. You can legitimately buy lists of holidaymakers from market research companies and information resellers! As long as people need to evidence their lifestyle on social media, there will be no shortage of victims waiting to be scammed.
A little advice to keep you safe.
- Be suspicious. If someone from your bank rings you (which is very unlikely), treat them with suspicion. Listen to what they have to say and tell them that you will ring them back. Ring your bank back from a different phone – this prevents them keeping the line open to fool you into believing that you are making a fresh call to verify who they are.
- Do NOT click on any links or QR codes contained within a text message or email sent by those attempting to assist you. Clicking on them can install malware on your device that will give fraudsters access to your emails, banking, passwords, and everything else!
- Do not panic. The fraudster’s intention in making those calls about your loved one being injured or in danger is to encourage you to make instant decisions with your heart – rather than your head.
- Speak to a friend or neighbour and get a reality check on what you have been told. Getting an objective opinion from someone who is not emotionally involved can be incredibly useful.
- Do not accept what you are told as being the truth. If the call appears to come from a loved one’s phone, ring them back on the number stored in your phone. The fraudster is relying upon the fact that you will drop your defences in a state of shock and follow their instructions without question – and (unfortunately) this is how they steal your money.
- Check your security settings on your social media accounts to ensure that only those you want to find out about you can do so. Even better still, stay off them altogether!
In a nutshell
A - Accept nothing
B - Believe nobody
C - Check everything
D - Don't click on any links or scan a QR Code