It is a few years ago now and some of the people concerned have been caught and prosecuted, so here is a story about identity theft and fraud which happened to me. It is a long story, so bear with me. I think it will frighten you and has the advantage of being true.
How it all started
For a few weeks a number of odd things had happened. I received two new bank cards and a new PIN which I hadn’t asked for. I’d also had a couple of telephone calls which just cut off and one apparently from the bank - they put the phone down when my wife answered. Then, late on a Friday afternoon, I had a call, again purporting to be from the bank, which made me very suspicious. They clearly had some details about me and about the new card I’d requested (I hadn’t), so, just to be on the safe side, I called the bank and asked for a stop on all my cards. Luckily, as it turns out, I got a confirmatory text from the bank almost immediately and I kept a screenshot of that as well. The bank asked me to call in on Monday (the local branch was closed on Saturday) and arrange for a new card.
Something odd also happened over the weekend which I didn’t think too much about at the time – my mobile phone stopped working. All it meant was two calls to make on the Monday before work – first to the bank then to the phone company.
Waited half an hour (of course) to see somebody in the bank as I didn’t have an appointment. But, it was important: I wanted a new working bank card. Eventually I saw a member of staff, who checked my passport and address ID, then told me that I had already gone into another branch in North London (I live in South London) on Saturday (hello, what’s happening here?) and had the cards re-activated or new cards issued, I never found out exactly which. Large alarm bells ringing, now. They checked my main account – lots of large transactions for jewellery from West End stores had been made over the weekend. But, said the staff member, after a few internal telephone calls, we checked with you over the telephone because they were such large transactions and you confirmed it was all OK. (Now I think I understand why my mobile stopped working).
Put a stop on everything again, I said, and I’ll be back. Off to the phone shop now. After a lot of checking they told me that I had gone into a branch on Saturday and convinced them that my phone was lost and I needed a new phone and SIM on my old number. So that explained that. Very worried now, I went back to the bank. There was clearly some very good social engineering going on here coupled with, I could only assume, fake ID in my name. “No problem”, said the bank, “call in on Wednesday and we’ll have a member of our fraud team here to work it out”.
“It’s all sorted out”
Two anxious days later, I called into the bank. No fraud team there. “It’s all sorted out,” they said, “Your wife called and explained that she had made the transactions on your card.” What? We have separate accounts and she is not a signatory to my account. Plus the fact that you put a stop on the cards and you told me on Monday that I had been shopping. “Did you give her your PIN?”, they said. “No I did not. Nor did she go into the West End on Saturday.” My wife, when I told her, was outraged. Not only had I been impersonated in person, she had now been impersonated on the phone!
Whilst in the bank, we looked at my accounts again. Since the bank had unlocked my account again, my current account had now been entirely cleared out. Money had also been transferred from my other accounts into my current account and taken out of that. Worse (if it can get worse) they had got into two other community accounts with which I was associated and were withdrawing money from there by transferring that into my current account. On one of those accounts, I had read-only access and was not a signatory; on the other I was a signatory but only jointly with a second party and telephone/online banking had not been implemented. I still do not know how this was done … but it was.
Now I had no bank cards and no cash, and some difficult explanatory calls to make. One of the two community organisations had wages to pay and no money now either; so I borrowed some money to reimburse them, allowing them to do that, and a bit more for myself. And then settled down to three months of letters, meetings, and statements to the police.
Why me?
The bank eventually refunded everything – we were talking six figure sums – they really didn’t have much of a defence having clearly been conned into disobeying my stop instructions twice. However, an additional £50 compensation for the weeks of inconvenience caused was just a little bit mean.
Some time after it was all over, the police came back and took another statement as they had (I think from what they implied) tracked the gang down. I learnt a bit more about the methods involved. It looks as if, a while before it all started, my card was cloned: I think I can now guess where. After various attempts to get my PIN (hence the duplicate cards and the telephone calls) they decided on the fake identity route.
“Why me?” I asked the police. Apparently professional people, particularly if also company directors, are good targets. They are likely to be moderately wealthy and therefore worth putting in a bit of effort for and there is likely to be quite a bit of information about them online. If your name is “John Smith”, you are probably safe as it is difficult to identify which John Smith you might be simply from the name on the card – but if you have an unusual name (and Malcolm Bacchus is an unusual name) it is much easier for fraudsters to find out sufficient information about you to produce at least some credible faked documentation.
What lessons were there?
So that’s it. Clearly it is impossible for an individual to prevent fraud on their bank accounts when the bank’s processes are at fault and I am assured by the bank that their processes are tighter now than when this happened. Companies House too have stopped putting your full date of birth for all to see. But what can one learn from this? Obviously there are all the normal things such as not giving out your PIN, not writing passwords down, being alert for suspicious telephone calls and not clicking on any unknown links on your computer, but I was fine on all of these and still got caught.
So here are my additional take-aways from the story:
- Split your funds across accounts with more than one bank
- If possible, don’t allow your bank to associate the various accounts you might have access to on their system in one place – it’s good for them but good for fraudsters too
- Again, if possible, and most of the time it isn’t, be careful about who you give copies of your ID to (everybody asks for them these days and whether they store them safely is anybody’s guess)
- Use invented answers to the security questions on all websites – not your real first school or first pet (it didn’t happen in my case as far as I am aware, but I was warned that fraudsters are good at extracting that sort of information by social engineering)
- For the same reason, don’t use the same answers or the same passwords on multiple sites
- Investigate anything odd on your account as soon as it happens: don’t assume it is a mistake
- Keep documentation on every contact with your bank, even if it was a short telephone call.
And what to do if it happens to you...
Obviously, always contact the bank as soon as you are suspicious.
If you are an ICAEW accountant you can get guidance for you or your clients on the New ICAEW Fraud Advisory Helpline on 01908 248 250; if you are a business speak to your accountant; and, whether it was you or your business affected, always report the fraud to ActionFraud at actionfraud.police.uk or 0300 123 2040 (England and Wales only – otherwise your local fraud prevention organisation or the police).
If you are an accountant you might also have to report on a SAR to the National Crime Agency and, as a business or accountant, for cyber crime, to the Information Commissioner’s Office.