Financial Fraud Action UK reported that in 2013 fraud losses on UK cards amounted to £450.4 million. This figure was 16% up on the figure reported for 2012, so card fraud is indisputably on the increase. Card fraud still represents only 7.4 pence for every £100 spent on a card; however, if you are a victim of card fraud the effects can be extremely upsetting. The figures show that as banks and Internet retailers become more sophisticated in the detection of card fraud, criminals are directing their attention to individual customers and small businesses.
We tend to think that such fraud is always carried out by high-tech hackers, remote and distant from us. It is often the case, however, that our own human frailty is the cause of our exposure to card fraud. The hacker who actually talks to us or contacts us directly by email may be more of a danger than the remote figure miles away on the Internet.
Exploiting weaknesses in technology in order to harvest passwords is hard work. It’s much easier to simply ring someone and ask what their password is. Surprisingly, such a direct approach often works and this is why card fraudsters do it. We human beings are often very trusting; a plausible story will often persuade us to offer up our valuable secrets.
Fortunately the UK’s banks are now helping us to determine which requests are plausible and which are not. They have set out a list of things which they will never do. So if you do get asked to do one of these things you may be reasonably sure that the person emailing you or phoning you is up to no good.
The British Bankers Association have responded to a poll conducted by YouGov whose results demonstrated the trusting nature of the British public:
- 8 million people are vulnerable to “vishing” or voice phishing
- 4 million people might transfer money into another supposed “safe” account if instructed
- 3 million people could be willing to carry out “test transactions” online
- 7 million people would pass their bank card over to a courier on their doorstep if the courier carried some form of ID card
Part of their response is a leaflet which sets out eight things a bank would never do:
- Ask for a full PIN number or any online banking passwords over the phone or via email
- Send someone to a home address to collect cash, bank cards or anything else
- Ask anyone to email or text personal or banking information
- Send an email with a link to a page which asks for online banking log-in details
- Ask anyone to authorise the transfer of funds to a new account or hand over cash
- Call to advise anyone to buy diamonds, land or other commodities
- Ask anyone to carry out a test transaction online
- Provide banking services through any mobile apps other than the bank’s official apps
This is very useful advice which can be used to separate a genuine bank communication from an attempt at fraud. If the individual emailing or phoning you is attempting any of the eight things on this list, then end the communication at once. It remains to be seen, however, whether it will be successful in combating the social engineering skills of the bank card fraudster.
If I were to deliver a training course for hackers, one of the topics I would most certainly include would be practical psychology. Often even the most technologically savvy hacker needs a way into an organisation or a household. Any piece of information they can garner through actual contact with an individual can make the difference between success and failure.
Hackers use subtle pressure to persuade their subjects to set aside fears they might have about revealing confidential information by creating more pressing worries. This week in my email I received a phishing attempt which purported to come from PayPal. There was, apparently, a ‘slight problem’ in my account which could be rectified by completing an online form. The email also said that failure to correct the ‘slight problem’ would result in the suspension of my account. The hope was clearly that my concern to maintain my account would override any fears I might have of entering my details into an unknown web page.
I found it easy to resist the advice of an email which had clearly originated from an address totally unrelated to PayPal. I might have found it harder to ignore friendly advice coming from the perpetrator of a vishing (voice phishing) attack.
We find it difficult to call someone a liar or to tell someone to their face that they are wrong. This is especially true if they seem to be personable and genuinely concerned about us. Consequently, there is a temptation to drop our guard if we are confronted with an affable individual who assures us that a course of action is beneficial to us.
Even if we have second thoughts and try to check up on the veracity of a caller, we may be defeated by the technical competence of present-day vishers. Vishers will often urge their subject to confirm what they have said by calling their bank. Unbeknownst to the victim, the visher remains on the line and uses an accomplice to pretend to be a bank employee.
Army drill, in which soldiers repeatedly practise the same responses to orders, was designed to ensure that soldiers functioned well in times of stress. It is in one sense psychologically informed training. It is only by internalising the advice given by the banks through constant repetition that we can ensure it will be remembered in stressful moments. Simply reading the leaflet and then putting it to one side will only result in ‘I told you so’ moments when a stressful situation makes the advice fly out of the window.
We learn how to take security precautions as we walk the physical streets of our neighbourhoods; we also need to learn to remember precautions as we navigate the virtual streets of the Internet.