In our last enewsletter, we reported on a conversation with Barclays Bank about how email is not always a secure channel of communication and is increasingly targeted by fraudsters. Fraudsters are intercepting emails and tricking members of staff at organisations into making payments to their accounts.
An example of how the email scam works
A fraudster will send an invoice or payment request to an organisation, pretending to be from a known supplier. The member of staff receiving the email, believing it to be genuine, will make the payment to the bank details provided. Fraudsters may also monitor email conversations between organisations and their customers/suppliers and insert a fake email address when a payment or funds are being discussed. This can happen as a result of malware being present on the computers or devices being used. This fake email can appear to be from one of the trusted parties in the email chain and will contain new bank account details for payments, which are controlled by the fraudsters.
We’ve more recently been made aware of a number of cases in which fraudsters are targeting staff at businesses with text and call scams designed to trick them into revealing their PINSentry security codes, or making payments to accounts they control, causing thousands of pounds in losses.
How the SMS scam works
Fraudsters send a text message, which appears to be from the bank, about a fictitious payment, often asking the recipient to confirm whether a payment is genuine. Obviously it is not, but the message generates urgency to reply and resolve the matter. The text advises the recipient to call a number, but this number does not belong to the bank. Once called, a fraudster pretends to be the bank and may even have other information about the person or the business to help convince them the call is genuine. They then ask the person for their PINSentry security code to identify themselves, along with further generated security codes. Once these codes are shared, the fraudster can use them to make payments from your account.
How the Call scam works
In another scam, fraudsters call people, pretending to be the bank, advising that their accounts or systems may have been compromised or that fraudulent activity has been seen on their account and that they need to move their money urgently to ensure it is safe. To falsely reassure the person, the fraudsters may ask them to call back, sometimes even quoting a genuine number of the bank. However, the fraudster doesn’t disconnect the line, so when the person dials the number they are in fact still on the line to the fraudster. The criminals will play a dial tone and an accomplice pretending to be from the bank will be waiting to speak to the caller. Fraudsters can also manipulate caller ID software so that it displays a genuine-looking number in order to convince people a call is genuine. The victim may then be duped into disclosing PINSentry codes so that fraudsters can make payments, but often the criminals will ask the victim themselves to make urgent payments to a safe account that has been set up for them. Again, this is an account operated by the fraudster.
Barclays encourage their customers to protect their organisation in a number of ways including:
- If you’re sent bank details by email, always confirm those details are correct by calling a known contact using details held on file
- Electronic payments in the UK use sort codes and account numbers only. Account names are not routinely checked, therefore it’s your responsibility to make sure the details used are correct each time. You should check even if the bank details come from within your own organisation, as these can also be intercepted by fraudsters
- Make sure everyone in your organisation is aware of this type of fraud, particularly those that make payments
- Keep your firewalls and security software updated, setting updates to automatic where possible.
- Banks never ask you for your PINSentry or Security credentials, even if your account is at risk of fraud
- If you receive a call from someone saying they are from the bank, take their details and hang up.
- Where possible, use a different line to return the call using an independently obtained number, such as the one on the back of your debit card or via the Mobile Banking app. Where you can’t use a different line, call someone you know first to make sure the line is clear and then call Barclays.
- Follow the same steps when receiving a text that asks you to call Barclays
However, it is not just your bank the fraudster pretends to be when using these methods of communication.
We have received a number of reports about fraudsters posing as HMRC. There is currently a telephone scam where a recorded message is left, allegedly from HMRC, stating that HMRC is bringing a lawsuit against the individual and is going to sue them. The recipient is asked to phone 0161 8508494 or 02821788308 and press “1” or 101 to speak to the officer dealing with the case. One elderly lady has been asked to purchase gift cards and told that someone will collect them; another has been asked to buy iPhone vouchers. This scam is becoming widely reported and seems to be targeting older people. Please do not reply to the message.
HMRC takes security very seriously but you need to be alert. If you cannot verify the identity of the person making the call you should not disclose your personal details. To learn more about dealing with phishing and scams visit www.GOV.UK
These scams are very real. Think twice when receiving such communications and especially when payments are requested.