Friday, February 27, 2015

Fraud threat to millions of TalkTalk customers

TalkTalk, the phone and broadband giant with 4 million customers, has admitted it suffered a major data breach in which account numbers, addresses and phone numbers have fallen into the hands of online criminals – who have used the data to steal thousands of pounds.
It says a third party contractor which had legitimate access to its customer accounts was involved in the data breach last year, and that it has begun legal action against the supplier.
The admission by TalkTalk comes after furious customers took to the company’s online forum to complain that they have received calls purporting to be from TalkTalk, but which turned out to be fraudsters. Customers say the callers know their TalkTalk account numbers and other personal details, which they use to attempt to gain access to the customer’s computer and to raid their bank account.
In December, the Guardian reported a possible data breach at TalkTalk, thought to have emerged from one of its Indian call centres. At the time, the company said it was investigating the issue, and in January said it was aware of around 100 complaints. But since then, many more customers say they have been contacted by the scammers.
One victim who came forward this week is Graeme Smith, who lives near Chester-le-Street in County Durham. He is still puzzled how the fraudsters, who had Indian accents, were able to make a transfer out of his Santander bank account.
The semi-retired HR consultant was called at 9am one morning by a woman claiming to be from TalkTalk’s fraud team who told him they had detected hackers trying to gain access to his internet account via his router. The caller, he says, knew his name and all his other TalkTalk account details – enough to reassure him into thinking he was really talking to the firm. After being put through to what he was told was a senior technician, he was asked to download some software which allowed the caller to take over Smith’s laptop remotely. Almost immediately his screen flashed up with “files with red crosses” which he was told needed to be removed.
“He said he would transfer the call to the refund department who would arrange compensation of £250 for the inconvenience of being hacked,” he says.
Smith says he was then led to a screen on his laptop showing a range of different bank icons and was asked to click on his bank – in his case Santander. While the scanning was going on, the scammer – a man who gave his name as Alex – said Smith would receive a text message soon on his mobile with an “OTP [One Time Passcode] code”.
“I hadn’t much experience of using these codes before and when the message came through I viewed it quickly. The amount on screen was different but he said this would be because it was in rupees. I was panicking and feeling extremely anxious about getting the threats to my computer sorted – so I passed on the OTP code to him.”
They told him TalkTalk’s refunds department was based in India, and that although the initial repayment was in rupees, it would be converted into sterling when it hit his account.
At this point the scammers appeared to use diversionary tactics designed to keep him occupied to allow the payment to go through. He was asked to leave his landline phone open so they could communicate with him. When he asked how long it would take, “Alex” said it would take some time but he couldn’t forecast how long. Eventually he was told that he should keep it open all night and that they would call him again at 7am the following morning.
“It was then that I became suspicious. I still did not want to close down my computer for fear of losing information but I decided to visit my local cash machine to check my bank account. Instead of receiving a credit of £250 there was a deduction listed as “bill payment” of £2,815. I knew then that I had been scammed and these people were fraudsters. I hurried home and the first thing I did was hang up my landline, dial 1471 to check the receiving telephone number (it was a Malaysian number) so I then closed down my computer altogether. I called TalkTalk who confirmed that I had not received an official call today. I then called my bank and reported the theft of £2,815.”
To his great surprise “Alex” did call back at 6.40 the following morning. When Smith challenged him, calling him a thief, he tried to claim that technical problems had caused the payment. He reiterated that he was a genuine TalkTalk employee and again offered to tell Smith “anything about his TalkTalk bill” to prove his identity.
In a statement, TalkTalk says: “We have become aware that some limited, non-sensitive information about some customers could have been illegally accessed in violation of our security procedures. We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly.
“We want to reassure customers that no sensitive information like bank account details has been illegally accessed, and TalkTalk Business customers are not affected. We have taken serious steps to remedy this and we are continuing to work with the ICO [Information Commissioner’s Office]. We want to help our customers protect themselves from scams so we are writing to all customers again to warn them about this criminal activity, with full advice, support and a reminder of the many free services TalkTalk offers to try to stop malicious scams reaching them.”
Santander refuses to refund the money to Smith’s account. It says it is “really sympathetic to Mr Smith’s situation” but holds him responsible for the payment out of his account, and it will therefore not be refunding him. Smith, for his part, says he is certain he did not input or tell the fraudsters his online banking access codes, and he has no idea how they managed to make the payment from his account. The money went into an account held in the name of the money transfer service, TransferWise.
A Santander spokeswoman says: “While we appreciate this was a sophisticated scam, Mr Smith gave personal details by confirming the One Time Passcode to the fraudsters and thus validating and authorising the transfer of funds. The OTP, which Mr Smith received to his mobile phone, would have confirmed that the code was to make a payment of £XXX to account ending XXXX. The OTP is a security measure we put in place to protect customers against fraud, and Mr Smith would have used an OTP code to set this up to his mobile phone. The disclosure of this passcode to a third party is a breach of our terms and conditions, and it is for this reason that we cannot accept any responsibility for the losses on this account.”
Smith remains £2,800 out of pocket. In a statement, TalkTalk says: “We are sorry that Mr Smith has been a target of this highly vicious scam. We are in contact with him to provide support, and we would urge customers who have been victim to any scam where they have revealed financial information to contact their bank. We will continue to support Mr Smith via our dedicated fraud team, and we urge customers to be vigilant.”

Nova Scotia Power is warning customers about a telephone scam in which a caller poses as a representative of the company and demands money via a pre-paid credit card.

In this scam, the caller states that the customer’s account is in arrears and the person must immediately pay the balance owing or their power will be disconnected. The caller directs the person to buy a prepaid credit card and then phone a 1-888 or 1-866 number to make payment. The fraudulent calls are also being made to customers of other electric utilities across Canada.

Nova Scotia Power previously issued a news release regarding this scam on December 19. Since then, the scam has continued, and over the past couple of weeks, the criminals perpetrating it have focused mainly on restaurants.

These calls are not from Nova Scotia Power. Nova Scotia Power does not ask for payment via prepaid credit cards. Halifax Regional Police and the Canadian Anti-Fraud Centre have been alerted to the situation.

Any customers who are suspicious about a request for payment are urged to call NS Power’s Customer Care Centre at 1-800-428-6230.

Nova Scotia Power works regularly with customers who owe on their accounts. Disconnection is the last resort after all other options to provide a payment schedule have been pursued.

TalkTalk is investigating whether its customer database has been leaked after more than 100 customers said they had received calls from Indian-based scammers quoting their names, addresses and account number details.
Suspicions have been raised that a data leak could have come from a call centre used by TalkTalk in India, although the UK internet service provider, which has more than 4 million customers, said it had “no concrete evidence of a data breach” from any of its systems.
A number of customers in TalkTalk forums said they had been contacted in the past fortnight, apparently from India, by callers who quoted their TalkTalk account details to try to assuage doubts about whether the call was legitimate.
A similar scam earlier this year targeted BT Broadband customers, with scammers also quoting account numbers.
One person said on TalkTalk’s forums they were nearly caught out because of the data that was supplied: “[The] caller was obviously from India and his English was poor. [He] claimed he was from TalkTalk and when I queried this he reeled off my account number plus name and address.” Others on the forum confirmed their account details had been provided in the call.
The account number is not publicly available information – though it is held on TalkTalk’s systems and is used in customer support.
A spokeswoman for TalkTalk said there were other ways the scammers might have acquired the account numbers, such as through phishing emails, but she could not say whether TalkTalk had seen any phishing emails recently that would explain the abrupt surge in calls accurately quoting data.
If TalkTalk’s customer data has leaked, it could potentially be liable to a fine under the Data Protection Act for failing to secure personal information – a requirement for British companies even if they store or process data overseas.
The Information Commissioner’s Office said it had been informed TalkTalk was investigating the source of the account details.
TalkTalk is asking customers who have received calls to contact its online scam report page at www.talktalk.co.uk/help/report-scam.
The use of call centres in India for both remote telephone support of legitimate businesses, and for making scam calls of this sort, has long led to suspicions that customer details are leaked by unscrupulous workers or managers to the gangs who run the scams.
The Guardian has reported on this long-running problem previously but there has been limited action against it by the authorities in India, with few arrests. Last year the US Federal Trade Commission froze the US bank accounts of a number of individuals and businesses based in India, though that seems to have had little impact.
Once the cold-caller has the customer’s confidence, they begin a spiel in which they try to persuade the user that they are from support and have been notified that the user’s computer has “viruses” or is “downloading malware”, and that the support call will fix it. As “proof”, the scammer directs the customer to a particular program on Microsoft Windows which shows the normal working of the system, and persuades the customer that this actually indicates a problem.
The scammers then persuade the customer to download a program that gives them access to their computer, “fix” the problem and charge them for it via credit or debit cards. But in fact the machines are operating normally and the “fix” can harm the computer, or install viruses, spyware or illegitimate software.
A TalkTalk spokesperson said: “Every year countless people are targeted by phone scammers. This is a growing problem across all sectors and unfortunately TalkTalk and other telecommunications companies are not immune. We know some customers are currently being targeted by malicious scammers claiming to be from TalkTalk who have obtained their account and phone number. We urge customers to be alert, especially when asked for personal details or remote access to your computer, and not to give any more details over the phone. We encourage any customers who have been targeted by this scam – or indeed any scam where fraudsters are claiming to be from TalkTalk – to hang up and contact us so that we can help to catch them. They can do so by calling us or by using our online scam reporting form.”

Pacific Power is warning its customers and the public of a phone scam targeting utility customers in the Northwest where criminals posing as utility customer service agents are trying to get money and steal personal information.
The fraud is occurring nationwide, but recent days have seen an upsurge in the Northwest. The thieves are using sophisticated deceptive tactics that make it appear to Caller ID systems that the scam call is coming from the utility when it is not. If customers receive such a call, hang up and instead call 1-888-221-7070 to verify the call's origins.
Pacific Power call center agents can be reached any time day or night, toll free at 1-888-221-7070. That is the only number to call for any customer service you need or if you suspect a call may not actually be from Pacific Power.
"So far, this has affected a relatively small number of customers, but any customer being taken advantage of in this way is one too many," said Blaine Andreasen, vice president of customer service.
"We have taken a number of additional significant steps to address this latest scam and protect customers from fraud attempts," Andreasen added. "We are working with law enforcement at all levels and have also increased security on our automated phone service system as a precaution to further assure that customer information is not at risk. For their own protection, customers calling about their account will need to provide their account number to gain access to account details."
In order to help customers recognize the fraudulent calls, in general, the scam goes like this:
Scammers call residential or business customers demanding payment for overdue bills. Sometimes, the caller tells the intended victim that they owe a specific amount of money. The thief advises the customer to make a payment in one of two ways: either immediately on the phone via credit card, or by going to a local store to purchase a pre-paid card and calling back a special toll-free number, made to resemble Pacific Power's phone response system, and provide the pre-paid card's code to the phony "agent."
Pacific Power wants customers to be aware that this is a scam and not a legitimate request. Pacific Power does not use these methods. If such a call is received, hang up and call 1-888-221-7070 to inquire about the call with Pacific Power.
When Pacific Power contacts a customer, the representative will always already have the customer's account number. Even then, if you are contacted by phone and have any concerns about the validity of the call, it is always appropriate to let the caller know you prefer to call them back at the utility's published customer service number—1-888-221-7070.
Pacific Power cautions that customers should never provide unsolicited callers or visitors with credit card numbers or any other information that may compromise their financial security.
Anyone receiving such calls or other contact regarding their utility account or bill is encouraged to pay close attention to any information – such as the phone number they are asked to call, a number that appears on caller ID, an address where they're told to send money – and then call 1-888-221-7070 to report the incident to local police and Pacific Power.

The UK's High Street banks are warning that millions of account holders are vulnerable to fraud - online or over the phone.
With help from the police, the banks have now launched a campaign to make customers more aware of the threat.
They have published a list of eight things that a bank will never ask account holders to do.
The list includes asking for a full Pin or a banking password over the phone, or via email.
"Being defrauded is a devastating experience for anyone, which is why we are launching this campaign," said Anthony Browne, the chief executive of the British Bankers Association (BBA).
"The more people know about fraud, the less likely they are to become victims," he said.
Couriers
The campaign highlights the dangers of "vishing", otherwise known as voice phishing.
The term refers to fraudsters who telephone victims, typically to say there has been a fraudulent transaction on their account.
They advise them, for security reasons, to phone the bank back.
But unknown to the victims, the fraudster stays on the line.
Believing that they are talking to their bank, victims often disclose account numbers and passwords directly to the fraudster, who uses the information to steal money from their accounts.
Sometimes the fraudster even sends a courier to the victim's house or flat, to collect the bank cards, a crime also known as courier fraud.
List
To begin with, three major UK banks are printing thousands of leaflets, to warn their customers about such scams. They list eight things a bank will never do:
  • Ask for your full Pin number or any online banking passwords over the phone or via email
  • Send someone to your home to collect cash, bank cards or anything else
  • Ask you to email or text personal or banking information
  • Send an email with a link to a page which asks you to enter your online banking login details
  • Ask you to authorise the transfer of funds to a new account or hand over cash
  • Call to advise you to buy diamonds, land or other commodities
  • Ask you to carry out a test transaction online
  • Provide banking services through any mobile apps other than the bank's official apps.

Apple is hiring battery engineers to build an electric car division, alleges a new lawsuit.
A123 Systems makes batteries for electric cars and claims that Apple has hired its staff to make a similar division. The accusations come amid claims that Apple is planning an electric car of its own.
The lawsuit claims that Apple has been aggressively poaching A123’s engineers since June 2014. Many of those people were leading some of the company’s biggest projects, which have since had to be cancelled, according to a filing earlier this month in Massachusetts federal court. They left to pursue similar programs at Apple and in doing so broke employment agreements and caused the plans to be cancelled, A123 alleges.
"Apple is currently developing a large-scale battery division to compete in the very same field as A123," the lawsuit reads.
Apple has not yet had a chance to respond to the allegations, and did not return a request for comment.
A123 builds lithium-ion batteries, which are used in aeroplanes as well as computers. The company specialises in building big batteries to power cars and other machines.
Apple is also said to have been hiring employees from Tesla, the Elon Musk-founded company that builds electric cars. Many of the new recruits take vague job titles and it is unclear what roles they are working in at Apple.

YouTube is to launch a special version of its app for children on Monday, showing content aimed at kids and keeping them from watching videos for too long.
The app will be distinct from the normal YouTube app and will initially be available only on Android phones and tablets.
It has a child-friendly design built around big, bright icons, according to The Verge. Children can use those buttons to explore the videos that have been chosen for children, and families can search through the pre-chosen channels for what they want to watch.
The app will initially launch with videos from companies including National Geographic Kids and the puppetmasters at the Jim Henson Company.
The app will be released by a YouTube executive at an event for the children’s entertainment industry on Monday.
Google has long been expected to launch children’s versions of its most popular apps, including YouTube. Rumours that YouTube could come first were stoked by the company’s acquisition of a similar app, Launchpad Toys, earlier this month.

Some Samsung TVs send voice recognition data unencrypted across the internet, potentially allowing anyone to listen in on conversations that are being had around the television.
Samsung last week provoked concern with a privacy policy that allowed the company to listen in on users at all times. A security expert has said that on some TVs, the data collected when doing so is broadcast across the internet unencrypted, meaning that it could be intercepted in transit.
After the policy was revealed, the company said that: “In all of our Smart TVs we employ industry-standard security safeguards and practices, including data encryption, to secure consumers' personal information and prevent unauthorised collection or use”.
That had led many to think that the data, while being transmitted to Samsung, was secure. But researcher David Lodge at Pen Test Partners says that the information is sent to third parties and not protected as it is.
Users can look into the content of the stream and see what the TV thinks has been said in front of it, he wrote in a blog post. It also sends information about what TV is being used and other information about the connection.
“Plenty more to work to be done here yet,” he wrote. “The potential for a rogue firmware update enabling ‘snooping’ is significant, though I’m sure Samsung sign their updates…”

