- Alec Daniels, 86, successfully sent a ‘controlled’ phishing email and breached a public WiFi hotspot in only 16 minutes 40 seconds
- 41 per cent of people regularly use public WiFi hotspots to access the internet, putting their online security at risk(2)
- 74 per cent of Britons have been targeted by scammers with phishing emails, smishing texts and vishing calls(3)
Do you ever log on to a public WiFi hotspot to check on your bank balance, transfer money or maybe make online purchases? If the answer to these questions is yes, then according to Santander, your personal or online banking security could be compromised in just minutes.
As part of Santander’s campaign to raise consumer awareness of how to avoid scams, Santander challenged SAS graduate Alec Daniels, 86, from Hampshire, to write and distribute a pretend phishing email and to hack into a public WiFi hotspot, despite his having little knowledge of computers.
Working with network security expert Marcus Dempsey, Alec used information and guides easily available online and completed both tasks in 16 minutes 40 seconds. These are two of the most common means fraudsters use to get an individual’s bank account details.
Research by Santander shows that 41 per cent of those surveyed(2) regularly use public WiFi hotspots to access the Internet on their phones and computers to carry out financial transactions, whether that’s to check bank balances, make online purchases or manage money transfers. Of those, over one in 10 admit to logging on to unsecure WiFi networks several times each and every day, increasing their chances of getting hacked.
The project follows on from the bank’s Scam Avoidance School (SAS)(3) earlier in the year, where around 12,000 over 60s (including Alec) attended free lessons on how to avoid scams.
Alec’s First Test: Devise and distribute a scam phishing email
Despite having little knowledge of operating computers, Alec learned how to write and distribute a mock phishing email in only 13 minutes. He achieved this with minimal input from the expert, instead using instructions freely available via an online search.
The email Alec wrote claimed to be from the fictitious company MoneySpark, asking recipients for their bank account information and supplying a fraudulent link. Given that phishing emails are so quick and easy to make regardless of technical ability, it goes some way to explain how 74 per cent have been targeted this way.
Alec’s Second Test: Hack a public Wi-Fi hotspot
With research from Santander revealing that 36 per cent don’t have any concerns about the security of their data when using public WiFi, the bank also wanted to raise awareness of just how effortlessly hackers can compromise these hotspots.
In the controlled experiment, Alec managed to capture and intercept web traffic from a willing participant’s laptop while they were connected to an open Wi-Fi network designed to replicate those found on the high street. Alec, under instruction, set up a rogue access point, frequently used by attackers to carry out what is known as a “man in the middle” attack, to begin eavesdropping on traffic. He achieved all of this in just 3 minutes and 40 seconds.
Chris Ainsley, Head of Fraud Strategy at Santander UK, commented: “Our experiment demonstrates just how easy it is for criminals to send phishing emails and hack WiFi hotspots.
“We have seen the devastating results that fraud and scams can have on our customers and how much damage can be done if hackers get hold of even a small amount of personal detail.
“It’s great to have Alec on board to help out – having talked about scams with thousands of over 60s through our SAS it is good to get him involved to help spread the word. Raising awareness and educating people on how to protect themselves is vital to effectively tackling the criminals who ruin people’s lives.”
Certified ethical hacker Marcus Dempsey added: “Unsecured public Wi-Fi networks can be easy pickings for criminals. By inputting passwords, bank details and confidential information into online banking or shopping websites over a public WiFi, people could be unknowingly putting their finances and identities in the hands of hackers. Perhaps even easier than hacking WiFi is sending scam correspondence, particularly phishing emails.
“If Alec, with no previous knowledge of how to do this, can write and distribute a convincing phishing email in a matter of minutes, it’s worrying to imagine the potential damage that actual scammers could be doing.”
Marcus Dempsey and Santander give their tips for staying safe online:
Wi-Fi hotspot protection
- Ensure a WiFi hotspot is genuine: it’s easy to set up official-looking networks, so verify with shop staff before logging on. Providers can help by displaying the network name in store.
- HTTPS: If you need to use your card details online, make sure the website you are on has ‘HTTPS://’ at the start and has a green padlock against it.
- Get a Virtual Private Network (VPN): Not all sites will display the HTTPS lock symbol, but a VPN will act as an intermediary between your device and the internet server, putting up a further block for any would-be eavesdroppers or hackers.
- Forget the network: don’t just log off – ask your device to forget the network so it doesn’t automatically log on if you’re within range later.
A genuine bank or organisation will never contact you unsolicited to ask for your PIN, full password or to move money to another account. Don’t give out personal or financial details including passwords and PINs unless it’s to use a service you have signed up to, and you’re sure that the request for your information is directly related to that service.
- Never click on a link or download anything in an unsolicited email. Doing so could let scammers infect your computer with malicious software that will swipe your personal details or could allow criminals to access your device remotely.
- If you get an email from somebody asking you to change some payment details, don’t do this without checking it out thoroughly first. The email may have been sent by a hacker rather than the genuine supplier.
Look out for tell-tale signs that an email may not be genuine, for example:
- The sender’s email address doesn’t match the website address of the organisation it says it’s from
- The email is impersonal and doesn’t address you by your name, e.g. it just says Dear Sir/Madam
- There are spelling or grammatical mistakes