Fraudsters are using new tactics to plunder people’s bank accounts. They include social engineering and computer takeover fraud.
When David Couldwell received a call on his landline from a BT engineer explaining that his internet router had been hacked and urgent security tests were needed, he was only too willing to help.
But unbeknown to David, the call was not from BT. It was from a fraudster who, by taking control of his computer remotely, removed almost £7,800 from his bank and savings accounts with NatWest.
[Image caption: Ring of truth: David Couldwell fell for the elaborate hoax]
The fraud David suffered is the new game in town. Such ‘computer takeovers’ are increasingly used by criminals developing new ways of emptying victims’ bank accounts. Last year, we reported on a near identical case involving financial adviser Joanna Coull, who was also scammed out of £7,800.
According to the latest data on banking fraud from trade body UK Finance, last year £121 million was removed from customers’ accounts by criminals who had gained unauthorised online access. This is a 19 per cent increase on the year before and more than double the figure five years ago.
By contrast, fraud losses overall are falling, according to UK Finance, with banks and card companies preventing £2 in every £3 of attempted unauthorised fraud.
The report says that computer takeovers often result from criminals using ‘social engineering’ tactics to deceive and manipulate people into divulging key details.
The ‘manipulation’ stems from the criminal purporting to be from a trusted organisation, such as a person’s bank, the police, a government department or utility firm. In many cases, they ring claiming there has been suspicious activity on the victim’s bank account or there is an internet problem that needs fixing.
For the ‘problem’ to be resolved, the victim is asked for more details. In this way they are tricked into giving away sufficient information for the criminals to gain remote access to their bank account and steal money.
For David Couldwell, the ‘trusted’ company was BT. Late last month, the 73-year-old was at home in Norfolk and took a call from a man claiming to be from the telecoms giant. The individual said the internet router which David and his wife Brenda use had been hacked and that he needed to carry out urgent tests. David, a retired computer manager, agreed and was reassured by the fact the caller proceeded to get the router to flash. But the fraudster had only just begun. He then asked if he could have access to David’s computer to ensure no hacker had managed to log into it.
[Image caption: Tactics: Our story last year about how Joanna Coull was scammed]
It was then the caller said David would receive £500 by way of a thank you for the inconvenience caused. The call was transferred to ‘BT’s accounts department’ so it could effect the payment.
David was asked to provide his account details and then instructed to log in to his NatWest account to check the money had gone in. When he looked he found that £5,000 – not £500 – had been deposited. He was asked to refund the overpayment – to Wells Fargo Bank in San Francisco. When he queried this, he was told BT was a global firm and had accounts worldwide.
By this stage, the fraudsters had taken control of his account – not just the main one but three others – including an Isa – that he either held in his own name or jointly with Brenda. The £5,000 was not a ‘deposit’ but money moved by the criminals from the other accounts to look as if it were a fresh credit.
By the time David discovered this and alerted NatWest to the fraud, it was too late. The criminals had extracted £7,767 from his accounts.
[Image caption: In the shadows: Last year £121m was removed from customers’ accounts by criminals who had gained unauthorised online access]
Initially, NatWest told David he would not get a full refund, holding him partly culpable. But last week it backtracked after The Mail on Sunday’s intervention and agreed to refund the full loss.
David is grateful. He says: ‘I am sure we would have had a long battle getting our money back had it not been for The Mail on Sunday. Maybe I should not have allowed myself to be tricked, but at the time I was convinced I was dealing with bona fide BT employees.’
He says the criminals tried the same scam on both his neighbours but failed.
On Friday, NatWest said: ‘We appreciate this has been a distressing experience for the Couldwells. We take our responsibilities seriously in preventing fraud and remind customers to remain vigilant against scams.’
It added: ‘Customers should never give anyone remote access to their computer and not divulge security details to someone over the phone. They should decline and report it to their bank immediately on a phone number they can trust.’
Katy Worobec, at UK Finance, said: ‘Criminals have become adept at impersonating legitimate organisations such as banks and utility companies to trick people into giving away their bank details.
‘Never let someone else have access to your computer remotely, especially if they have contacted you via an unsolicited phone call.’
BT said it was working with law enforcement agencies to bring fraudsters to justice.
WISE UP TO WAYS OF FOILING THE CYBER ATTACKERS
- Be extremely wary of unsolicited approaches by phone, especially people claiming to offer refunds.
- Avoid letting someone you do not know have access to your computer, especially remotely.
- Do not log on to your bank account while someone else has remote control of your computer.
- Do not share passcodes or card reader codes with anyone.
- Do not share your Pin or online banking password, even by tapping them into a telephone keypad.
- Further details on how to combat financial fraud can be obtained from the ‘Take 5 – To Stop Fraud’ pages of the website of trade body UK Finance, available at: takefive-stopfraud.org.uk