Daily Mail

Auction websites where criminal gangs trade your bank details for £23

A chilling insight into what happens when your personal details are stolen

- By Ruth Lythe

THE ordeal suffered by Robert and Susan Turner is a terrible portent for TalkTalk customers whose data was stolen in last week’s cyber attack.

For a year, the Turners lived a nightmare. Every evening their phones would start ringing at 25-minute intervals.

On the other end of a crackly line, they heard a voice that seemed to be coming from thousands of miles away, often claiming to be from telecoms firm TalkTalk.

‘You’ve got a problem with your broadband,’ the caller would often say.

On other evenings, the caller would try to get them to buy something, or sign up for a new contract — anything to get them to hand over their credit card details.

Mercifully, the Turners were never duped into falling for these scams. But the disruption to their lives became almost unbearable. They tried everything — from changing their number to signing up to call-barring services — but nothing made the calls stop. They say they begged TalkTalk for help tackling the cold-callers, but each time they were fobbed off. The Turners have not lost any money, but that is only through their own diligence.

The couple continued to answer the phone because they did not want to miss calls from Robert’s elderly father. Susan, 46, from Boston, Lincolnshire, says: ‘It caused me a huge amount of worry and at times it was quite scary. The calls would continue late into the evening and sometimes they would be quite aggressive.’

Robert and Susan were TalkTalk customers until May, so they aren’t victims of the latest fraud. However, they believe they had their personal details stolen on one of two previous occasions the firm was hacked by cyber criminals.

The calls started after they called TalkTalk to report a problem with their internet.

The following night the scammers — posing as TalkTalk technicians — called to say that the fault had not been fixed and tried to get them to pay an upfront fee by handing over their card details.

They switched to a different network in May and the calls stopped. But they recently started again, and the Turners believe the fraudsters still have their details.

Internet fraud in Britain has reached a terrifying high, and, on occasions, it seems as though the police are powerless to curb it.

There were 5.1 million incidents of fraud in the past 12 months, according to the Office for National Statistics. And it is feared millions of other cases go unreported.

So how are these internet fraudsters getting hold of your personal data? And how are they using it?

SPY VIRUSES THAT STEAL YOUR DETAILS

Internet criminals thrive on your personal data. There are two parts to modern-day scams: obtaining your details, and ‘the cashout’ — turning your information into money.

No matter how careful you are, hackers and conmen are finding new ways to glean your personal details.

Their methods can appear innocuous — such as getting you to enter a free competition or lottery, or registering for a special offer.

This can give them your name, address, age, phone number and email address.

It’s only a start, though. From here, the tricks get more sophisticated.

One scam involves collecting card details by skimming them off the card using a fake cash machine or a card terminal in a shop.

Banks and shops have done a lot to crack down on this, so a new ploy is to send emails that give every impression of being from your bank or another big firm. They will include the firm’s logo, address and contact details.

On the face of it, this looks genuine — but click on a link in the email and a hidden computer virus can be sent to your computer. You’ll never even know it has happened.

The virus will be implanted in a little-known part of your computer’s operating system where it will work its way through the files to pick out important information.

Alternatively, it can sit there secretly and wait until you visit a bank website, where it will monitor which buttons you press. All these details will then be sent back to the computer hacker.

Another scam is where conmen lure you into entering your bank details on a form. This could be done by copying your bank’s website, or that of HM Revenue & Customs, so you’re fooled into thinking you’re using a genuine internet page and could give them your bank or card details.

And if the information they have obtained is not enough for the conmen to exploit, they will scour the internet to find out more about you.

Some of these scams can be quite elaborate, so, increasingly, fraudsters will try to hack into the computer systems of major companies and search for where customer data is kept. This allows them to access thousands — or even millions — of files at once.

Sometimes, unscrupulous employees are to blame. There has been a startling rise in the number of company insiders stealing data to sell on to third parties.

According to fraud monitoring organisation Cifas, there was an 18 pc increase last year in the number of frauds committed by insiders working for businesses.

Once fraudsters have a little bit of information, they can then piece your details together like a jigsaw.

For instance, if they know what bank you’re with, they can trawl for other information about you from social networking sites — Facebook, for example, which might give your date of birth, where you live or your phone number. And a professional networking site such as LinkedIn might reveal your employer.

THE ‘eBAY’ FOR CYBER CRIMINALS

OCCASIONALLY, hackers will use the information they have acquired to commit a fraud themselves.

What is more common is that they sell your details for a fee on one of the booming underground marketplaces on a hidden part of the internet, known as the Dark Web.

The Dark Web can be reached only by using special computer software. This allows the user to hide their identity and means those behind the sites can keep their details hidden and stay free from prosecution.

Websites based in Russia and other former countries of the Soviet Union are home to dozens of markets where stolen details are traded.

These locations are particularly popular because they allow crooks to operate relatively unimpeded by the authorities. Russian police have little interest in the trade in Westerners’ bank details.

Sellers on the Dark Web markets use a jargon to hawk their wares. For instance, a ‘CVV’ is the full details of an individual card. This includes the owner’s name, address, bank and the three-digit security number (also confusingly known as a CVV) from the back of the card.

‘Dumps’ refers to information from lots of credit cards which has been dumped into one file. A ‘base’ is a collection of dumps from the same place, such as a company database that has been hacked.

Hackers like to give these bundles of information names: for example, some have recently been nicknamed ‘Ronald Reagan’ and ‘Beaver Cage’.

A ‘dump’ may be enough to commit a few frauds at an online store, but a ‘Fullz’ would allow someone’s identity to be pinched. These are the full details of an individual — and as well as personal details and card number include National Insurance details or their equivalent.

The rewards for purchasing this information can be huge. Credit card details of UK customers are currently sold for £6 and full information for around £23, but allow fraudsters to steal thousands from accounts.

It’s also possible to buy a host of other information, including phone numbers and passports.

Over time these marketplaces have become more sophisticated and there is hot competition between them. Some now resemble respectable internet auction sites.

And like the chief executives of legitimate companies, the owners of these marketplaces carry out public relations exercises to woo new customers to their website rather than that of a rival.

In one recent interview, the boss of marketplace Deepdotweb, hiding behind an anonymous user name, described how easy his site was to use and the quality of products on offer.

Just as on eBay, buyers are able to filter out goods for sale by country and type of product — in this case, credit card details.

Users add the items they want to buy to a shopping trolley. But instead of using a credit card, they pay with virtual currencies, such as Bitcoin. These are tokens which can be traded online instead of using real money, which can be traced.

TURNING YOUR DATA INTO CASH

ONCE the criminals have obtained your information, it is time for ‘the cashout’ — turning your details into profit.

To do this, the scam artists may need to set up a ‘mule account’: a second account which stolen money can be transferred into. Then it’s time to commit the fraud.

These can often happen months or even years after your information was originally stolen — and that is what makes you more vulnerable.

If you’ve forgotten that you were once worried your personal details had been compromised, you’re more likely to have your guard down.

Siraj Shaikh, a reader in Cyber Security at Coventry University, says: ‘Customers’ information can be on the internet for years. To some extent, it never goes away, especially because so few people do things like change their bank accounts.

‘There is no limit to these criminals’ creativity. With just a few details they can wreak havoc, destroy lives and con you out of thousands of pounds.’

A growing crime is vishing, in which a fraudster will ring claiming to be from your bank or the police. They’ll often have basic information, such as which bank you are with and some card details.

The conmen may advise you to call them back using the number printed on your bank card.

But in a clever ruse, the fraudster stays on the line even though you think you’ve both hung up. So when you think you’ve called the bank, you’re actually just speaking to the fraudster again.

The victim is then convinced that the call is genuine and will be more likely to agree to a request that they transfer their cash.

Alternatively, the crooks may pretend to be from your internet provider. In a number of cases seen by Money Mail, TalkTalk customers have been contacted over the phone by cold-callers, who claim to be representatives of the phone giant.

Allan Jones, a retired insurance administration worker from Preston, came close to becoming victim to a sophisticated scam.

He was contacted out of the blue by a man called Charlie, who claimed to be from TalkTalk. Charlie told Allan that there was a problem with his broadband router and passed him to a colleague called Ryan.

Ryan said that Allan’s computer had been hacked and gave him instructions so he could see the extent of the fraud.

Allan was suspicious, but as he was a long-standing TalkTalk customer he decided to go along with it.

Each time Allan followed the instructions, a new page appeared on his computer screen.

Then, on the final screen, a message appeared in capital letters which offered Allan £200 compensation for the inconvenience caused.

A list of banks also appeared on Allan’s screen so he clicked on the symbol for his one. A login screen popped up and the caller told Allan to enter his bank details.

At this point Allan grew suspicious and refused to do so. Immediately the line went dead.

Allan says: ‘I am in no doubt I am a victim of a TalkTalk data breach.

‘I consider myself to be computer-savvy and thought there would be no way I would be caught out by a scam. But this was a close call and very, very believable.’

HOW TO KEEP YOURSELF SAFE

THE golden rule is to hang up on cold-callers and never give bank details out over the phone.

Take a note of the name and department of anyone who contacts you and asks for financial details.

Always wait at least ten minutes before returning a call, or use a separate phone to try and contact the bank or company yourself.

If you have a computer, make sure it has proper anti-virus software and that it is regularly renewed.

If someone contacts you over the phone offering to check your computer for viruses, decline their services. They are likely to be conmen.

Make sure your email passwords are secure and long.

It’s a pain in the neck but don’t use the same password for everything. It is OK to write down passwords, provided you keep them in a locked drawer at home.

Don’t reply to emails from your bank.

Don’t trust that the name in the subject line of an email is actually who it is from.

Spelling mistakes and clumsily constructed sentences are another tell-tale sign that all is not as it seems, although just because something is well-written and literate doesn’t mean it’s genuine.

Try not to divulge sensitive details online when using public internet connections.

Monitor bank statements for unusual transactions and check your credit file. These are held by Experian, Equifax and Callcredit.

Look for a padlock in your browser window or https:// at the beginning of a web address before entering sensitive information. These indicate a secure website.
