Scottish Daily Mail

Latest way for crooks to steal your savings: Hijacking your phone

Fraudsters divert your texts and calls to their own mobiles

- By Leah Milner

Text messages sent by banks to customers are being intercepted by fraudsters, Money Mail can reveal. In the ruse, scammers are hijacking customers’ mobile phones and diverting all calls and texts to their own handset.

The crooks then use information in these messages to steal vast sums from account holders. Victims are left in the dark until they realise their accounts have been emptied.

The shocking findings come as part of a major Money Mail investigation into fraud on Santander accounts. They call into question whether it is safe for Santander and other banks to use text messages to confirm payments.

Over the past month we have told how Santander is fobbing off fraud victims who have lost their life savings this way.

Typically, fraudsters have been able to transfer money out of customers’ accounts by hacking into their online banking or taking control of their computers to obtain passcodes required to authorise payments.

In most cases, the bank blamed customers for handing over codes, sent by text to their registered mobile phones. But we have found crooks are getting hold of the codes without customers’ knowledge (see box, right).

Once they have diverted texts to their own phones, criminals hack into their victims’ computers or accounts to make transactions.

Santander continues to insist it is safe to use texts to confirm payments are genuine. It says other banks are being hit by exactly the same type of scam.

Yet in the U.S., the financial regulators have warned text messages are not secure enough.

And most of Britain’s big banks, including HSBC, Barclays and NatWest, use safer methods of authorising payments. Additional checks, such as having to enter additional passwords or putting a debit card into a hand-held card reader, are carried out.

However, Santander is among a small number of banks, such as Lloyds, Halifax, Tesco Bank, TSB and Metro Bank, which rely on phone calls and texts to check online payments are genuine.

There have been reports suggesting a Halifax customer has had their mobile hijacked.

Martin Alderson, chief executive of Codified Security, which tests mobile app security, says: ‘Text messages are not secure and should not be used by banks to confirm payments. The UK should follow the lead of the U.S. government in warning of these risks.’

Ann Dunn, 62, from London, lost £22,300 when fraudsters raided her account. The money was a redundancy payment, which was meant to tide her over until she could draw her pension. But for months Santander blamed Ann and refused a refund.

She’d had a fake text message saying there was suspicious activity on her account. When she called the number in the text, the crook claimed to be from Santander’s fraud team and tricked her into letting him access her laptop remotely.

He also hacked into her EE mobile phone account online and got all her calls and texts sent to his handset. He used the One Time Passcodes Santander sent in texts to empty her account.

The bank sent letters insisting Ann was at fault, but repaid the cash after she called Money Mail.

EE says as part of its fraud prevention checks it sent Ann a PIN to complete the swap.

‘I’m normally a strong person, but I’ve lost all my self-esteem,’ says Ann. Santander says it has apologised to her.

David and Margaret Farnworth, aged 66 and 67, had £19,500 drained from their Santander accounts after criminals intercepted the bank’s text messages.

The fraudsters called Tesco Mobile, the couple’s phone provider, posing as Margaret.

After 13 attempts to get through security, they had all calls and texts diverted to a new phone. Even after the fraud came to light, Tesco billed Margaret for the gangs’ calls.

The couple, from East Lancashire, also received threatening phone calls from the gang.

They were visiting Holland when fraudsters struck. They lost mobile signal, but thought it was an issue with calling from abroad.

David, a retired food standards consultant, says: ‘I’ve been to the police, but they’re not interested.’

Santander issued a refund within 24 hours.

A Tesco spokeswoman says: ‘Further steps have been introduced to our security procedure to prevent incidents of this kind.’

Money Mail has heard from other Santander fraud victims who say they did not enter the text message codes.

A spokesman for the bank says: ‘Santander does not rely solely on SMS messages for fraud prevention. If a customer is a victim of sim-swap fraud, we refund the money lost in accordance with payment services regulations.

‘Santander sees similar levels of fraud to the rest of the industry. We invest not only in processes and systems to detect and prevent fraud, but also in education programmes to help customers understand the importance of protecting and maintaining the confidentiality of their data.’

A Halifax spokeswoman says: ‘We have sophisticated methods in place to check for sim-swapping and call forwarding, and work with network providers on this.’
