Cyber criminals want to hijack your computer for financial gain. But how does the scam work and how can you stop them?
Financial Fraud Action UK (FFA UK) has raised the alarm over a new style of telephone scam in which fraudsters impersonate major companies in order to take over computers and steal money from online bank accounts.
FFA UK, a body set up by the financial services industry to combat fraud, said criminals are using technology to take control of victims’ computers from remote locations, after telephoning them and offering to help with a slow computer or Internet connection. The organisation has noted a recent increase in reports of this type of scam.
To carry out the fraud, scammers are impersonating internet service providers, computer companies, banks, software firms and law enforcement. They are also claiming to be calling as a result of recent high-profile data breaches.
The scammers claim there is a problem with the victim’s computer or internet service which is causing it to run slowly. They say they can fix it but need to access their computer to do so.
Victims are then asked either to visit a website or enter a command prompt on their computer, which gives the scammers control of the machine remotely. The fraudster will take some time to ‘fix’ the problem, in some cases as long as 30 or 40 minutes.
During the call, the scammer will either tell the victim they are entitled to compensation or pretend to put them through to a supervisor, who will make the offer. The scammer will say they are sending the money and will ask the victim to log into their bank account to check it has arrived.
But the criminals will still have access to the computer and will put up a fake screen which makes it appear the money has arrived. Working in the background, they will take money from the victim’s bank account. Alternatively, the scammers may transfer money between accounts to make it look like payment has been made.
The fraudster may also ask for a bank passcode sent by text message or generated by a card reader, claiming that this is required to process the refund. But this code will actually enable them to set up a new payee and take funds from the victim’s account.
In an alternative version of this scam, fraudsters may say the money has been sent but they have accidentally sent thousands of pounds, rather than hundreds, an error which will cost them their job. They will transfer money between the victim’s bank accounts to make it seem as if they have sent too much. In this case, the fraudster will ask for the difference to be refunded via wire transfer.
How can you ensure you and your business don’t fall victim to the scam? Here’s what security specialists had to say:
Katy Worobec, director of Financial Fraud Action UK, FFA UK
“Fraudsters are cunning and will go to great lengths to steal your cash. This scam is just another example of the tricks they will use. You should never let someone else have access to your computer remotely, especially if they have contacted you via an unsolicited phone call. If you are in doubt, then call the organisation back on a number you trust; if they are legitimate they will understand.
“Do not share your bank account details with anyone and make sure any computer you use to log onto your internet banking is secure.
“To avoid falling victim to this scam, you:
• Should be wary of unsolicited approaches by phone claiming to offer a refund
• Should avoid letting someone you do not know or trust have access to your computer
• Should never log onto your internet bank while someone else has access to your computer
• Should not share one-time passcodes or card reader codes with anyone
• Should not disclose your 4-digit card PIN or your online banking password, even by tapping them into the telephone keypad.”
Jonathan Sander, Lieberman Software
“This is an attack on what’s been one of the weakest links in cybersecurity, the human being. There are, of course, computer elements to this attack. But the real trick is fooling the human. The only possible defenses are to educate the human and also make sure no human has more access than they need.
“No one would let someone walk up to their car and allow them to take the keys and drive it around the block to test it, unless that person was clearly from the car company or a trusted party like their roadside assistance provider. What’s happening here is a person walks up, talks a bit of IT-sounding rubbish, and the victim’s fear of being seen as ignorant of IT becomes the psychological lever to make them comply.
“Organisations need to make sure employees know that no one will ever call out of the blue with requests like this. Or, if the organisation’s processes are so chaotic that someone might, they need to button that down to make things more clear for everyone.”
Kevin Epstein, Proofpoint
“Proving that the weakest links in security remain all of us, this scam, which was previously confined to tricking senior citizens, uses a phone call to leverage the same social engineering tactics that have been so successful in persuading users to click email links and open attachments.
“Regardless of the source, the result is the same – users volunteering access to their systems – and this ongoing challenge reemphasizes the need for modern targeted attack protection and threat response systems. Security professionals need to protect users not only against attackers but against their own human tendencies.”