Crooks can nick Brits' identities just by picking up the phone and lying

No 133t hax0ring needed to hijack accounts, warns fraud watchdog's report


Identity crimes remain among the greatest threats to UK businesses online.

The offences made up three in five (60 per cent) of all fraud recorded by Cifas, the UK's leading fraud prevention service. Cifas' annual report, published Wednesday, collates statistics from 325,092 instances of fraud recorded in 2016. These internal and external cases represent a modest increase from the 321,092 recorded in 2015.

Facility or account takeover sharply increased last year. A facility takeover happens when a fraudster poses as a genuine customer, gains control of an existing account and uses it for their own ends – such as making transactions or ordering new products. Any account can be hijacked by fraudsters, including online banking, credit cards, telephone, email and other services.

Facility takeovers increased by 45 per cent from 15,497 in 2015 to 22,525 in 2016. More than half of these takeovers were enabled over the phone, typically through call centre staff.

The vast majority (88 per cent) of identity frauds were committed online, as were 30 per cent of facility takeovers. To pull off account takeovers crooks must first have obtained enough of their victim's personal and security information (date of birth, address, details of bank or other accounts, and sometimes passwords) to fool call centre staff. Data breaches, social media footprints and other open-source information can help facilitate this process. Often fraudsters need to approach their intended mark to get enough information, according to Cifas.

Cifas reckons the growing tactic of contacting call centre staff prior to attempting account takeover is, at least in part, a displacement effect. As online access to accounts is locked down with better authentication technologies, fraudsters are switching tactics in response.

Cifas chief executive Simon Dukes said: "Working together, organisations prevented £1 billion worth of fraud last year, but we know that as one method gets harder, fraudsters change tactic rather than stop. We are now seeing that the advances made in securing online access to customer accounts have led to fraudsters targeting the human being at the end of the phone.

"Using old-fashioned but highly effective con artistry, they are tricking individuals into giving away their personal details and deceiving call centre staff into making transactions on their victims' accounts. The proliferation of personal data that is available either online or through data breaches only makes this easier."

Cifas is pushing education as a means to help both call centre staff and targets to stay ahead of fraudsters. The service asks that the next UK government prioritises tackling fraud by putting fraud education in the national curriculum so kids get schooled on security practices early in life as well as making fraud prevention a "strategic priority for UK policing". In addition, the post-election government should run a comprehensive review of the sentencing guidelines for fraud. ®

Broader topics

Narrower topics


Other stories you might like

  • World Economic Forum wants a global map of online crime
    Will cyber crimes shrug off Atlas Initiative? Objectively, yes

    RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

    The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

    This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • NSO claims 'more than 5' EU states use Pegasus spyware
    And it's like, what ... 12, 13,000 total targets a year max, exec says

    NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.

    The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday. 

    Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."

    Continue reading
  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading
  • Cloud services proving handy for cybercriminals, SANS Institute warns
    Flying horses, gonna pwn me away...

    RSA Conference Living off the land is so 2021. These days, cybercriminals are living off the cloud, according to Katie Nickels, director of intelligence for Red Canary and a SANS Certified Instructor.

    "It's not enough to pay attention to the operating systems, the endpoints, said Nickels, speaking on a SANS Institute panel about the most dangerous new attack techniques at RSA Conference. "Adversaries, a lot of their intrusions, are using cloud services of different types."  

    And yes, living off the land (or the cloud), in which intruders use legitimate software and cloud services to deploy malware or spy on corporations and other nefarious activities, isn't a new type of attack, Nickels admitted. "But what's new here is the levels to which using cloud services [for cyberattacks] has risen." 

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading
  • State of internet crime in Q1 2022: Bot traffic on the rise, and more
    According to this cybersecurity outfit that wants your business, anyway

    The fraud industry, in some respects, grew in the first quarter of the year, with crooks putting more human resources into some attacks while increasingly relying on bots to carry out things like credential stuffing and fake account creation.

    That's according to Arkose Labs, which claimed in its latest State of Fraud and Account Security report that one in four online accounts created in Q1 2022 were fake and used for fraud, scams, and the like.

    The biz, which touts device and network defense software, said it came to this conclusion after analyzing "billions of sessions ... across our global network" during the first three months of the year. These sessions apparently spanned account registrations, logins, and interactions with financial, ecommerce, travel, social media, gaming, and entertainment services. Take all these numbers with a grain of salt as ultimately Arkose wants you to buy its stuff to prevent all this kind of crime.

    Continue reading

Biting the hand that feeds IT © 1998–2022