Back to articles • Back to home page

 
Are you at risk from 21st-century crime?
Moneywise – March 2005

A new century has revealed a new breed of criminals with hi-tech methods. Mark Smulian explains what you can do to protect yourself

Electronic financial crime, identity theft, hacking... It might sound like the plot of a far-fetched Hollywood blockbuster, but it's happening right now. In fact, it happened to me while I was investigating this feature.

It wasn't the most sophisticated of approaches. I received an email purporting to come from SunTrust Bank that was headed 'Please validate your account'. The sender was supposedly its anti-fraud unit and asked for details of my account and password to be sent to an email address, with the warning that 'this process is mandatory' and failure to comply would result in suspension of my account.

SunTrust is a perfectly respectable bank based in Georgia, US, and had nothing to do with the email. And because I had never heard of SunTrust, I wasn't tempted to respond. But if a similar message had come from something purporting to be my bank, I could easily have become a statistic in the fast-growing world of 21st-century crime.

Electronics have brought many benefits. We can use accounts online and get money out of obliging holes in walls rather than having to queue in banks. But criminals are well aware of the opportunities offered when bank accounts are protected not by a safe but by electronic codes and seek ever more sophisticated ways of getting their hands on your money.

In turn, the banking industry seeks to discover and block frauds. In the middle of this game of virtual cops and robbers is your money.

And it's most likely to be the money of the respectable middle classes. Peter Hurst, chief executive of CIFAS, the fraud prevention service to which most of the finance and retail industries subscribe, explains: "Fraudsters target people who are fairly well off, but who are not too rich to notice a fraud. They will target people in middle-class residential areas rather than, say, residents of multi-occupied houses, because they know the credit limits are likely to be higher."

So what are we at risk from? Electronic crime broadly covers ways of getting hold of the details needed to unlock bank accounts or cash cards. Essentially, each consists of two parts, the information held by the bank, whether online or encoded on a strip on a plastic card, and the password or personal identification number (PIN) that you use to activate it. Get both and the contents of any account are yours.

The traditional method is counterfeiting, where details are obtained, and a duplicate of your card made. For cash cards, this is done by installing genuine-looking fake card readers over cash dispensers, complete with a pinhole camera to record the PIN entered. The dispenser works normally, but the unsuspecting user soon finds their account emptied by a duplicate card. There has been a surge in this sort of crime, with incidents rising 85% in the year to June 2004, amounting to 61 million. It still represents just 0.05% of all money withdrawn from machines, but it's spreading across the country. Shoulder surfing is a variant where someone hangs around the cashpoint to detect PINs and then steals or duplicates the card.

Credit cards can be copied when they are handed over to unscrupulous retailers, particularly in restaurants where the card is removed from your sight, or where it is double-swiped at a checkout - once for the retailer, and once to 'skim' its details. This used to be the most common form of card crime - accounting for losses of 161 million in the year to June 2002. However, the problem is lessening, and in the 12 months to June 2004, losses had been reduced to 123 million. Part of this is due to the introduction of Chip and PIN cards, which are being sent out to all cardholders.

These cards require a PIN to be entered into a machine at the checkout rather than a signature, and have a chip that's read at every cashpoint transaction to stop 'skimmed' cards being used to withdraw money. There is some evidence that Chip and PIN helps stop counterfeiting, because while a signature can be copied easily, a PIN cannot be replicated unless someone sees you entering it into a machine or you pass it on. And although there is a risk in someone seeing the PIN entered, they would also have to steal the card for this to be any use.

But there is still some debate over whether this scheme is foolproof. Rob Hamadi, author of Identity Theft (see page 61), explains: "Chip and PIN has been claimed as a major improvement in security, but I have seen papers which suggest that the banks expect an increase in cashpoint crime because the number of outlets where PINs can be seen will rise."

Hamadi adds: "If there is fraud, what will happen to the audit trail? If I sign a card, ultimately the bank can go through its records and compare signatures, but if someone types in your PIN, how do you prove it was not you?"

Ironically, the recent mass distribution of Chip and PIN cards has offered rich pickings to fraudsters who intercept cards. Mark Bowerman, spokesman of the Association for Payment Clearing Services (APACS), which is made up of credit and debit card providers, points out that secure distribution is in issuers' interests, as they are liable for any fraud.

Distribution is not always secure. One north London couple found 1,500 removed from their Alliance & Leicester account after the bank posted a card and PIN number separately. Both were intercepted. They explain: "The bank spotted the suspect transaction and alerted us. We got our money back in two weeks, but had to report the crime to the police. We did not even know the card was on its way." If you are worried that you are at risk, you may prefer to contact your card provider to find out when your card is due to be delivered.

APACS supports a joint civilian and police operation called the Cheque and Plastic Crime Unit, set up to fight 21st-century fraud. In a two-year pilot to August 2004, this unit arrested 171 people and recovered over 36,000 stolen cards and card details.

But there are things you can do to protect yourself too. Bowerman suggests: "There are three golden rules. Guard your cards and details at all times and do not let them out of your sight. Chip and PIN terminals will be portable and brought to you, and you should always cover tie terminal with your hand when keying in the number.

"Until you get a Chip and PIN card, we recommend that you follow waiters to the counter if they take your card away. The second rule is to take care how you dispose of card receipts. Shred them or at least rip them up. The third is to always check bank and card statements carefully and report any unknown transactions."

At cash machines the best way to protect yourself is to check for evidence of tampering, be aware of who is around you, and check whether anyone is looking over your shoulder. If in doubt, walk away. If a machine retains your card, call your bank immediately to report it missing, ideally before you leave the cashpoint.

But in the 21st century, criminals don't need to get hold of your plastic to steal from you. One of the fastest growing forms of card crime is identify theft, where a criminal gathers sufficient data on someone to open bank accounts and obtain cards in their name, leaving the 'real' person with the bills.

Fraudsters may even break into your home or go through your bins to get this information, so make sure you keep important documents locked away or well hidden, and ensure letters are torn up or shredded before throwing them away.

One distressing variant is identity theft from the dead, based on the assumption that the recently bereaved will not have fraud prevention uppermost in their minds.

There were 16,000 such cases in 2003, more than three times as many as in 2001, Peter Hurst explains: "Identity fraud is the fastest growing type of fraud. The rate of increase is phenomenal. It did slow in 2004, but the fact that we have not reduced it just shows how bad it is."

But, as I discovered, regardless of how carefully you guard your identity, you can still fall victim to electronic crime. Phishing - when someone sends bogus email messages from banks to users to get account details - is on the increase. The scam is now so rife that regular internet users are getting an average of one such message a week. It has also become increasingly sophisticated.

In the past, poorly spelt emails were sent to users. These days, however, you are likely to receive a well-worded one with the bank's logo, directing you to an official-looking website, and suggesting that if you have any doubts about the authenticity of the email, you should phone the bank on the number featured on the website. Some even include sections drawing the recipient's attention to the problem of phishing, and running through the types of scams on the go.

But don't be fooled. The email, website and phone number are, of course, bogus. It is worth remembering that banks never send unsolicited emails asking for account details and passwords. If you receive an email purporting to be from your bank, call your bank, but use the number on your statement, not the one in the email.

Hacking is also a growing problem, and it's normally directed against users rather than banks' sophisticated systems, either by trying to break passwords or by sending in 'Trojans'. These are viruses spread by email that detect any bank details held on a PC and overwrite a fake website for your bank's real one when you next log on.

Peter Hurst says he has noted attempts to hack his own computer and recognises Trojans could become a problem. "It seems to be a particular issue with broadband users who do not have an adequate firewall," he explains. These 'always on' internet users are more exposed to viruses. First Direct urges internet customers to purchase anti-virus software, and keep it up to date by visiting the provider's website and regularly downloading updates. It also suggests using firewalls, which can be installed as a piece of software and sit between your computer and your internet connection, making sure no nasties can get through.

First Direct's spokeswoman Annette Spencer advises: "If you are using a bank website, look for 'https' in the address. If there is no 's' it is not a secure site and it could be fake. Guard yourself on the web just as you would look after your wallet in the street or at an ATM."

It must be emphasised that the chances of falling victim to any of these crimes are low, compared with those of conventional theft. But electronic crime will rise as electronic banking grows and it is wise to be aware of the problem.

It's all fairly frightening, but don't panic. Banks will normally reimburse losses through fraud, as long as the user was not at fault. Paul Lucraft, MasterCard's general manager of business services for northern Europe, says: "Generally, provided you have not been completely stupid and are not involved in the fraud, the bank will refund any losses, as we recognise if customers are attacked, it is not their fault. We would become suspicious if there were repeated occurrences or if a customer suddenly asked for a large increase in their credit limit and then used it all."

Spencer says: "Our policy is that if the customer has followed their terms and conditions, is in no way involved in the fraud, and has taken all reasonable steps to protect their security, they would be reimbursed. If you keep your PIN with your card, we would say you were likely to be liable. If you have written your password next to your computer someone broke in and used it, we would say that was not secure."

However, take the right precautions and not only will any losses be reimbursed, but you may be less likely to fall victim in the first place too.

Identity and card thefts

As an identity theft victim, you will need to stop ongoing fraud in its tracks. Since identity theft and fraud require either access to your current accounts or the creation of wholly new financial accounts in your name by the criminals, you need to identify and shut down all known accounts.

Contact your bank, card issuer and any other financial institutions, cancel any stolen cards, ask for a record of recent transactions and inform them of any you did not make. If you receive bills for foods or services you did not order, contact the organisation concerned to alert them to the fraud.

Contact credit reference agencies Experian and Equifax to find out what credit has been taken it in your name. If applications for credit have been made in your name, you can ask to have any incorrect information removed. Also contact CIFAS on 0870 10 2091. It will earmark your name and address so that anyone applying for something using your name will automatically be double-checked.

Report the incident to the police, especially if it involves stolen identification documents, and ask for a crime reference number. If any official identification has been stolen, report that to the appropriate authorities. Keep all your documentation. Only after you have been through all this can you make a claim for lost money.

If you suspect mail theft, contact the Royal Mail's Customer Enquiry number on 08457 740740.

Counterfeiting and phishing

The process varies with each bank or credit card provider. Therefore, the first step is to contact them (keeping a record of all communications) and explain that you have been a victim.

Each organisation has its own processes. At their most simple, banks will take the details over he phone, put the money back into your account immediately, and send you a form to sign to declare a fraud has taken place. Some organisations will wait until the form has been completed and processed before returning your money. Others require you to report the fraud to the police and obtain a crime reference number before returning your money.

A spokesperson from First Direct says: "Money can be paid back to customers within 24 hours, is generally we can tell if a fraud has happened because our investigators know what to look for. "We always encourage customers affected by online frauds to check their PCs."



Back to top of page •  Back to articles •  Back to home page