
Police nab 9 for allegedly spoofing bank employees in £60 million scam


UK police have busted nine people over allegedly spoofing phone calls from victims’ banks to drain them of a total of £60 million ($92 million).

According to a release from the Metropolitan Police, the gang fooled their marks into handing over confidential information by posing as bank employees on the phone.

The UK gang was arrested on Wednesday after a series of coordinated raids on 14 addresses in Ilford, Watford, Slough and Scotland.

Police had been investigating scammers who’d been targeting business banking customers by using technology that masked their calls to make them look like they were coming from a legitimate bank.

The alleged crooks duped customers into revealing personal banking information, allowing them to gain access to their victims’ accounts.

Then, the suspects allegedly transferred money into “mule accounts” under their control, and from there the money was withdrawn from ATMs and bank branches across the country.

During the raids, police seized evidence including dongles, SIM cards, mobile phones, laptops and what they called a “significant” amount of cash.

Detectives arrested seven men and two women on suspicion of conspiracy to defraud and money laundering.

Spoofing caller ID – known as calling line identification (CLI) outside the US – is an old scam.

It involves technology that masks the true number of the incoming call so that the call recipient thinks it’s coming from a trustworthy caller, be it their bank, their doctor, somebody in their area code or, what the heck, the White House.

Besides being used in financial scams, it’s also been used to swat victims. For example, security journalist Brian Krebs was swatted in 2013 after an attacker called emergency services, making it appear that the call was coming from Krebs’s own phone number.

As Naked Security’s Paul Ducklin points out, spoofing is not a particularly sophisticated crime – just a well-organised social engineering attack.

Here’s one way to pull this sort of social engineering off, he said:

  • Phone, and look legit, or legit enough.
  • Immediately sound legit, or legit enough.
  • Act as a trusted advisor, and explain to your victim how to “authenticate” you using information entirely provided by you.
  • Profit.

Spoofing works because caller ID/CLI, handy as it is, is not a security feature: the displayed number can easily be forged.

In other words, Paul says, it gives you a hint of who’s calling, but you can’t, and shouldn’t, use it as an authentication mechanism:

It's probably your mum on the line, but it doesn't prove it's her: for that, you use additional checks that aren't part of the telephone system, such as what she sounds like.

The UK bank-spoofing scam wasn’t difficult to pull off from a technological point of view, but it was well-orchestrated, playing on the fact that many victims of telephone fraud are willing to rely too much on what the caller tells them – provided, that is, that they say it with conviction.

Indeed, call scammers often don’t even need the right number, Paul says. They just need one that looks local:

Does your bank always call you from exactly the same number? Mine doesn't. So a number that had the right STD area code and suburb prefix, plus a caller who immediately claimed to be from the bank and used the right sort of words in an open-sounding and confident fashion, would sound pretty reasonable to start with.

Don’t let callers authenticate themselves!

Fortunately, there’s an easy defensive trick to avoid falling prey to spoofing: if you’re about to make a call where you need to authenticate the person on the other end – for example, anything to do with personal information, or money, or passwords, or account verification – call them back using a number you found on your own.

Never visit a website the caller gave you in order to get the number, don’t rely on an email they sent you, and don’t simply call back the number that pops up on your phone.

Use an independent source, such as a recent bank statement, the official number printed on the back of your card, or the materials the bank gave you when you opened your account.

By doing this you kill two birds with one stone, Paul says:

  1. You’ll likely reach the right place, which will have no record of the call you just received, and so the scam will be revealed.
  2. At the same time as protecting yourself, you alert your bank to the fact that a scam is going on, giving them a chance to take action to protect other people, too.

More from Paul:

In fact, a proactive banking call center that's investigating fraud will advise you that it would like to speak to you, but then insist that you should call back using the number on your card, and instruct you not even to ask for a number to call — because that's a scammer's trick!

Image of Bank robber courtesy of Shutterstock.com

2 Comments

If in doubt, walk into a branch and get things sorted. Also it might be worth getting users to opt into telephone banking as opposed to offering it as a default. Given the nature of attacks, many of the victims might have been happier to opt out of telephone banking altogether.

And… don’t forget to either use a different phone line or go make a cup of tea before calling… the scammers will keep the line open and play a dial tone recording if you put the phone down and call back straight away.
