You may have seen the recent press coverage surrounding people who have fallen victim to fraud; Ofcom’s recently published research points to almost 45 million cases during summer 2021 alone!
You never think that it will be you. As someone who would like to think that they are well versed when it comes to spotting a phishing link, I was surprised to find pending transactions on my account for purchases that I had not made.
Ultimately there is the inevitable wave of panic. Trying to rationalise what had happened – going back through my previous purchases just to check that there had not been a mistake made. Then going through my phone and checking websites that I have used, emails I have received, as well as text messages.
It was here that I realised my mistake. I had received a text message from my mobile service provider, asking me to update my payment details. Typically, this type of message about changing payment information would raise red flags. However, this text came through under my previous legitimate SMS chain, seemingly under the same number as my provider. Therefore, I clicked the link in the message, proceeding to resubmit my personal details. At the time, although I was cautious, the link seemed to work legitimately. Despite this, I set a reminder to call my provider on Monday morning in order to double check that the details had been received correctly.
Unfortunately, I had fallen for a scam…
If it were you, and you saw a message from your service provider asking for an update of information, from an SMS chain which had been used before, what would you do? Would you hesitate or stop to think whether the message was indeed genuinely from the provider?
I received the ‘pending transaction’ alert from my banking app. I tried to report the pending transactions; however, it was still unclear what the next steps were. I received a call from a ‘no caller ID’ number, which, naively, I answered. It sounded legitimate; they seemed to be telling me all of the things that I wanted to hear, but nonetheless I still couldn’t shake the feeling that I was being scammed for a second time. I eventually put the phone down mid-conversation in order to ring my bank directly, after researching my banking guidelines for such situations online.
The advice from NCSC in such a situation is to: ‘Go back to something you can trust. Visit the official website, log in to your account, or phone their advertised phone number. Don’t use the links or contact details in the message you have been sent or given over the phone.’ (https://www.ncsc.gov.uk/guidance/suspicious-email-actions). This advice, published on the NCSC website, offers guidance to those affected by scam artists as well as acting as prevention.
Thankfully, when I called the number my bank advised for dealing with fraud, they had already flagged my account for some unknown purchases and were therefore aware of the situation prior to my call. The unexplained ‘no caller ID’ call is believed to have been my bank; however, even they were unclear if this had been the case, due to the nature of the call and the messages that I had received seemingly from them.
The legitimate call with the bank helped me to arrange voice ID on my banking transaction to ensure that this did not happen again. They equally transferred me to an additional line, to speak to the right department in order to. I would encourage everyone to take the time to set up voice recognition with their bank in order to help prevent situations like this from happening.
After this, I was transferred to my bank’s fraud department, who took me through some basic questions such as:
- When was YOUR last transaction and for how much?
- Has anyone had access to your card or bank details? This could be a family member or a carer.
- Are you still in possession of your card?
- Do you use Apple Pay?
- Which devices do you use Apple Pay on?
While there were many other questions asked in order to gauge the situation, these were a few of the most memorable. What struck me as interesting was the fact that the questions were asked about Apple Pay, a platform that is popular and typically very secure: ‘Apple Pay is a very secure way to make payments. This is because your card numbers are not stored on your device, and are never shared by Apple Pay, or sent with your payment. Instead, Apple Pay gives you a unique Device Account Number, that’s encrypted and stored in a secure part of your iPhone, iPad or Apple Watch. So, when you use Apple Pay, your Device Account Number and a specially created security code are used to process your payment.’ (https://www.barclaycard.co.uk/personal/help/contactless-payments/secure-applePay). As it turns out, there had been a separate account set up using my personal details, with the code mentioned above.
While on the phone, the bank informed me that over the weekend there had been tens of thousands of reports of phishing from mobile phone providers – this specific attack was on Apple iPhone users. This is because when the fraudulent messages were sent, they were automatically filtered into what seemed to be legitimate messages from providers. Hence many, including myself, believed that the link circulated was genuine.
Thankfully, I had caught the transactions early and my bank will be able to refund me the money that had been taken, while also closing down the Apple Pay account that had been created using my details. Additionally, I will be sent a new card with new banking details, and I have been instructed to carefully watch my account over the next few days, reporting any changes to it. Alongside this, I was sent some useful advice for the future.
This was resolved mainly because I had my account set up to send me a notification whenever my transactions were being processed. This means that whenever money is ____ my account I am ‘pinged’ with a notification and made aware of any payments in my account. I would strongly recommend that anyone who does not check their bank account frequently ensures that such notifications have been set up – otherwise, for me, there may have been a very different outcome to this experience.
Lessons to be learned:
- People should be aware that phishing is becoming more and more evolved, exacerbated by the pandemic. While this seems like the obvious warning, estimates from the Telephone-operated Crime Survey for England and Wales (‘TCSEW’) showed that there were 4.6 million fraud offences in the year ending March 2021, a 24% increase compared with the year ending March 2019 (https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingmarch2021). This demonstrates that, despite the advice given out, people are still being ‘scammed’.
- Apple users need to be more cautious when receiving unexpected messages, since messages can be auto-filled into seemingly legitimate contact numbers already on your phone. In my experience this came in the form of my mobile service provider. To prevent this from happening, Apple have produced an update where you can filter and block unknown messages (to find out more, see https://support.apple.com/en-gb/guide/iphone/iph203ab0be4/ios), which may help people avoid possible phishing messages.
- People should be aware of the guidance given out so that it can act as prevention first (https://www.ncsc.gov.uk/guidance/suspicious-email-actions).