There are some civilizations that revere their elders for their wisdom. Unfortunately, I don’t live in one of them. In others, old people are quietly abandoned on ice floes or the sides of mountains when they start to take more from the community than they contribute towards it. I guess I’m reaching the age where I should be grateful not to live in one of those, though I quite like the idea of extending the same treatment towards celebrities.
However, I guess most people who are likely to read this blog live in communities that pay at least lip service to the idea that older people are entitled to a certain amount of consideration after years of supporting others, even if that consideration extends mostly to a state pension and priority seats on public transport that may or may not be available. (Actually, I knew the clock was ticking faster the first time a pregnant woman offered me the seat she was occupying on a train. I guess it’s ticking even faster now that I’ve reached the age where I’d consider taking it.)
Humorous asides notwithstanding, there’s something slightly shocking, even to a cynic like myself, about the reports that have come out of Scotland this week about bank scammers claiming to be Bank of Scotland employees in order to trick elderly customers into divulging bank details. Shocking, but not surprising: sheltered housing for old people is a frequent target for opportunist housebreakers in the UK (apparently – I’m not old enough to live there yet!), and the same generation is also targeted for various kinds of advance fee fraud (not just email 419s, but snailmail scams such as competitions where you have to pay to receive your "prize", which somehow never turns out to be a £100,000 check, a 32" home cinema or a sports car).
In fact, it’s not clear whether all 25 people thought to have been hit by the scammers were pensioners: reports quoting the Tayside police only mention a 66-year-old woman who lost £1,500 and a 78-year-old woman who came close to losing £27,000. Fortunately for her, HBOS was suspicious when the con-artist tried to transfer the money from her account to a bank account in India, and the transaction didn’t go through.
Whether you’re young, old or a young-at-heart mumble-year-old like me, though, you might want to know more about this particular scam, because it’s far from unique. The ladies concerned seem to have been reassured that the man who originally called them was genuine because he knew their names and knew that they had accounts with the bank. Unfortunately, there are far too many ways that kind of information can be obtained. Many people now shred bank statements and so forth so that their details aren’t exposed to grubby little parasites scavenging through their dustbins/trashcans (yes, I’m bilingual: I can write American English too!). But how many times do you share the same information when you go shopping (physically or over the internet)? You may trust the companies you shop with not to scam you, but can you trust all their staff? Can you trust them not to make mistakes that will expose some of your data to criminals?
The weakness of most conventional phishing attacks, 419s, and so on, is that they are sent out at random to as many people as possible: by now, quite a few people know enough to realize that if there’s no indication that the sender knows who you are, they probably don’t have any right to the information they’re trying to get from you. However, a social engineering attack like this starts from easily obtained, semi-public data, and the scammer uses it to gain your trust and obtain further, more sensitive information. A caller knowing your name and which bank you use proves nothing about who they are: that knowledge is the starting point of the attack, not evidence of legitimacy. In this instance, the creep tricked his victims into giving away more personal details and their IBAN (International Bank Account Number).
There may be other issues in this case. A report in The Scotsman says that "The man claims that the account holder has been overcharged on their respective accounts and that he needs to confirm account details before he can proceed." This approach (a plausible pretext, followed by a request to "confirm" details the caller should already hold) will be familiar to anyone who’s spent a lot of time looking at phishing scams. However, the report also speculates that the victims’ home telephones may have been tapped, and another report even suggests that calls to genuine HBOS phone numbers were intercepted, though the Tayside police don’t mention those possibilities in their own, more recent report. Whether that’s caution or a back-pedal from an earlier theory, I can’t say.
That sort of interception isn’t particularly easy to carry out, either in the customer’s neighbourhood or on a well-protected bank phone network. (However, there’s no indication of what sort of HBOS phone number was contacted, or where the attacker was phoning from. A call to a remote call centre might offer all sorts of opportunities for abuse.)
Well, I have to go now. A very nice lady with a West African accent is talking to me from a phone number in Holland. I wonder why she wants to know if I’m rich?
A tip of the hat to Rob Slade for pointing out the Tayside Police website.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET