Fraud & Identity Theft

Behaviours

Using a search engine to search for personal information

Personal information can be used during social engineering attacks. Search engines can show what personal data can ...

Locks SIM card to phone

SIM cards can be locked to prevent them being used in other phones. Doing so protects against occasions SIM cards ...

Reviewing social media privacy settings

Privacy settings on social media accounts should be reviewed regularly to make sure personal data is not exposed ...

Removing personal details from the open voters register

Unless removed, a UK voter’s information is listed on the public electoral register, increasing digital footprint ...

Setting an account password with network provider

Criminals with access to network providers can launch SIM swap or mobile phone number porting attacks. Agreeing a ...

Requesting personal photos or information are removed

Photos posted online without consent can increase digital exposure. Taking steps to remove sensitive photos posted ...

Case study

Millie Clark

In early 2020, Millie Clark received a seemingly innocent email asking her to make a payment via a fake-but-convincing “O2” website. Millie made the payment then carried on with her day.

Two weeks later, Millie’s scammers called her, this time posing as the HSBC fraud prevention team. The scammers “spoofed” HSBC’s telephone number to make the call seem real. They asked Millie to give them the security codes to one of her financial accounts. Millie complied.

While Millie was still on the phone, the scammers used the codes to take out a loan and overdraft in Millie’s name. Together, the debt totalled more than £10,000.

The scammers informed Millie their own illicit transactions indicated she was being targeted. They instructed her to divert funds into an “HSBC account” for safe-keeping. Millie agreed, and transferred £12,000 of her own money directly to the criminals.

When the real HSBC fraud prevention team called her the next day, Millie realised what had happened.

In a Facebook video narrating her ordeal, Millie cautions viewers that simple mistakes can lead to large losses. She regrets not verifying the authenticity of the link sent to her in the phishing scam, and she regrets revealing confidential information without first confirming who she was talking to.

Emily Xu

In June 2018, Emily Xu received a phone call from her “bank” informing her that someone had attempted to update her address. Both Emily and her bank deemed the incident a system error.

Over the next few months, Emily received numerous calls related to transactions she’d never made. The calls included a warning of disciplinary action following “tax evasion”, and a call about the repayment of a loan Emily had never taken out. Emily later discovered her contact details were posted to a third-party website without her consent.

Though unsure about how her details reached criminals, Emily needed to act. She contacted the Canadian Anti-Fraud Centre. After a series of investigations and remedial actions, the phone calls stopped.

Emily warns other people about the ordeal she faces following her identity theft. She recommends that people destroy sensitive documents before disposing of them and that people check credit accounts regularly for signs of foul play.

Southern Oregon University, 2017

In 2017, staff at Southern Oregon University sent $1.9 million to what they thought was a construction company they’d been working with.

It soon transpired fraudsters had spoofed the construction company’s email address and contacted the University requesting payment. University staff had complied with the request, transferring money directly to criminals.

The University’s busy accounting team missed the signs of fraud in the email. The team also failed to verify the sender’s authenticity. Such errors led to the SoU joining various other educational institutions fraudsters have scammed through business email compromise. All requests for payment or changes to accounts details should be verified independently using known contact details.

Abraham Abdallah

In 2001, Abraham Abdallah made global headlines after commiting a series of identity theft attacks against high-profile celebrities.

Working from a library in Brooklyn, USA, Abraham, used web-enabled mobile phones and virtual voicemail services to trick credit companies into providing credit reports on his victims. He then used the confidential information to clone their identities and gain access to their accounts at brokerages such as Goldman Sachs and Merrill Lynch.

His crimes were discovered when the police were alerted to a payment request of £7m from an account belonging to Thomas Siebel, founder of the electronics firm Siebel Systems. This was traced to email addresses that either belonged to multiple people or did not exist at all. After investigation, the police tracked Abraham, who was later arrested for his crimes.

Several measures can be taken to prevent identity theft which include regularly checking accounts and securing email addresses with passphrases and multi-factor authentication.