An elderly relative was victim to this scam and has therefore given name, date of birth, address, phone number, e mail and bank card details and paid £2.10

We have contacted the bank, no further payments have been taken and the card is now cancelled.

It seems their other on line bank accounts / savings need PINs and card readers.

I am concerned about their Gmail account now being vulnerable so will change that password and have advised to be aware of any account notifications or e mails from the scammers.

Also have reported it to the police fraud crime and have an incident number

Trying to think what else is vulnerable, and how to mitigate ?

Anything else we should be doing ?

Thanks in advance

Anything else we should be doing ?

I think it’s reasonable to expect them to be a target of more scams. That is at least a nudance but if it’s someone who you’d worry is vulnerable to falling for further attempts (any of us can fall for these things really – all the Royal Mail / courier scam needs to succeed is good timing) and it’s not too much upheaval it’s worth considering whether they can change their mobile phone number and /or email address. For some older folk there’s only a handful of people who’d contact them by mobile so it’s not too big a deal to change.

if it is someone who’d be vulnerable to scam and coercion one thing I’ve done for people is just scratch the CCV number off their cards – means they can still make in person payments as usual but there’s not complete a info for phone / online payments

Son had something similar. New card issued, and we thought that was it. A couple of weeks later he had a call from “the bank” (correct name of bank and showing as “from” the number he’d previouly used to contact the bank legitimately) saying that they were aware he’d reported an attempted fraud on xxxx date and that due to this, his account (number ##### at xxxx branch) had now been compromised (a bit of a story with voices in the background saying things like ‘they’re in the account now!’ etc.) To prevent this, they were closing the account urgently and opening a different one for him. Before we do anything else, we need to verify your identity by sending you a code…

They took about £800 from his account without him being suspicious. I went cold as he was telling me the tale and had to break it to him that he’d been conned. We got bounced between the ‘fraud’ and ‘scam’ teams at the bank a few times, but once we were through, they were very good. They eventually decided it was a fraud because the criminals had manipulated his bank account, and luckily he got the money refunded. (Had it been a ‘scam’ and he moved the money himself I got the impression that the money would have been lost.)

Since then, we’ve had letters saying that someone has applied for credit in his name, etc.

Your relative will need their wits about them. These people are getting more sophisticated and are professionals at manipulating people. Scum.

As above and see also here:

Text scam

one thing I’ve done for people is just scratch the CCV number off their cards

That is genius.

Many thanks for the suggestions, past experiences and the link to the related STW post. I will keep reminding them to be vigilant about calls from a bank or similar and any e mails.

It’s difficult isn’t it.

I used to be That Guy thinking, “how can you fall for this, are you daft?” but they’re getting ever-more sophisticated and all it takes is a moment’s inattention to click-through on something. It’s hard enough to train people who are 100% – I got caught out by an internal phishing test myself a few weeks back, but that’s another story – so for someone who is perhaps more vulnerable it’s a big problem.

As Cougar I used to be the guy saying “ah if you fall for it you’re an idiot and you deserve it”, then I got caught and gave my details to a link I received by text from an unknown number 🙁

I got the text, the timing was perfect as it seemed linked to something I was expecting, and just put it all in. The moment I pressed submit I realised it was a scam and called the bank. They blocked my affected card and nothing has come of it since.

For reference I’m 32 and hold a BEng, that doesn’t qualify me as intelligent or smart of course (certainly not in this case at least 🙂 ) but my point is that these things can catch anyone out, I really feel for elderly people, especially those alone. Luckily my grandparents are waaay too switched on to be caught out, they won’t even hand over money for services they’ve already received, and my great grandparents can’t hear or see well enough to be scammed by text or phonecall. I expect the scammer would get tired of the “could you repeat that dear?” and being called Daniel (their favourite grandson who everyone under the age of 40 gets mistaken for)

The worse ones though are the ransom ones, catching some poor old guy out for watching some porno then emptying his account under threat of exposure

I am worried as to how evolved these will be by the time I’m an OAP though!

If it’s the scam I’m thinking of they’ll have asked for the sort code and account number as well. They’ll then hit the bank website asking for a reset of the password – this generates a code sent to your registered mobile phone. As soon as they do it they’ll call the relative pretending to be from the bank (very convincingly) and saying they’re aware someone has tried to commit fraud and they need the code they’ve just text you to help identification before they talk to you. They’ll then often try to get your to generate a code which is actually to approve a payment.

Essentially you’re giving them your login details and then authorising a payment over to them. This breaks your t&cs with the bank about not giving away your details – so then it’s just whether the bank decides to take pity and refund you and suck up the loss themselves or not. I think a lot of banks are taking the fraud hit on these as a one off per customer but it might not be a quick refund.

I got the text, the timing was perfect as it seemed linked to something I was expecting,

That’s how I got tripped up. There are many pieces of advice given around “how to spot a phish / scam” but I’m wary of suggesting anything that require people interact with them. Rather my golden rule is, “were you expecting it?”

In this case, I was. We were expecting an upgrade to a system, a link came through going “here’s the link to the new system,” I was distracted and didn’t engage brain before clicking to be met with an “oops, that was a phishing page!” landing page.

On the one hand it was a bit cheeky as it exploited insider information, it’s unlikely to be a scenario faced by and end user other than by blind luck. On the other, on a targeted attack it’s not unreasonable information to expect a decent hacker to already know if they’d performed some recon before casting the net.

Be careful out there.

The worse ones though are the ransom ones, catching some poor old guy out for watching some porno then emptying his account under threat of exposure

That one is noteworthy because part of the email is “and for proof, here’s your password” culled from an old data breach.

I got caught out by an internal phishing test myself a few weeks back, but that’s another story

Hah me to, after years of thinking what idiot falls for these…

I had the bank scam a few years ago. Problem was, for them, I’d closed the account months before. They kept saying money has gone out. I kept say, fine when this happened before the money was straight returned. They blustered about this. Again stated I had changed bank and closed account.
2 minutes later phone call from new bank.
I said how unusual two Glaswegians working in fraud in two bank, we had a joke about it . I then said I’d pass him over to wife who was a police officer working with fraud and scams unit and it would be a great idea if the passed all the information on to her. They suddenly hung up.

I received a similar text a few weeks ago just as I was expecting a parcel. For a split second, I assumed it was legit but quickly realised that it must be a scam since it bore no validating particulars.

I generally assume all cold calls, texts, emails, etc., are scams until validated otherwise.

I’ve also been victim of the other side of this. Banks being over-cautious and blocking legit payments. Has happened a good dozen times but one time I was stuck in Cambodia with no access to my accounts to pay for a flight out and another time I was accused of money laundering for sending a <£100 transfer for a purchase they were convinced was a scam

Organisations don’t help themeselves either in my experience. Just going through the transfer to a new energy provider after the old one went bust – get an email saying your account has been set up, please log in by clicking on this link to set password, memorable event etc. Needs to be done in next 48 hours or link will expire.

Even their own website says all emails will be addressed to you by name (this wasn’t) and won’t ever ask you to click on a link…

I was pretty sure it was legit, but challenged it anyway via their customer care link on the website. Got a fairly poor response of ‘well done for being vigilant, but yes it was genuine and have sent you a new email to click on.’

Organisations don’t help themeselves either in my experience.

Yup, mine too. Unexpected calls from utilities demanding personal information to confirm I’m me, but won’t confirm anything their end, won’t provide a means to get back through to them via calling the trusted number on the bill.

Worst of all, SSE just sent a letter addressed “Dear customer” with new bank details for payments. I was absolutely convinced it was a scam; especially when the real bill arrived shortly afterwards with the old bank details on. Eventually got through to a fraud department to be told it was all legitimate. Then I got a shirty letter that I’d taken too long to pay the bill. 🙄

Worked with a large corporate client who rolled out a load of anti-phishing training, IT security etc etc. All mandatory.
It was followed up by an email to all staff about the training they’d just had – and the follow up email was a (deliberate) phishing attempt by their IT dept using external address, clicky links etc. Apparently the “failure” rate was over 75%.
Quite alarming really but, as Cougar says, the timing was “right” and sucked a lot of people in.

Thanks again, but it was the card number, expiry and CVC disclosed to the scammers – not account and sort code, if that helps.

We are now alert to any money related texts or e mails that might be a result of this scam

Be careful out there, as he used to say in Hill Street Blues, and interesting that it seems some younger people on this forum have been tricked too

Worked with a large corporate client who rolled out a load of anti-phishing training, IT security etc etc. All mandatory.

It was followed up by an email to all staff about the training they’d just had – and the follow up email was a (deliberate) phishing attempt by their IT dept using external address, clicky links etc. Apparently the “failure” rate was over 75%.

I was talking a little while ago to a pentester who was a former policeman. He offered to run a phishing campaign for his old force. The superintendent said “fill your boots, they’ve all been trained.”

He ran a spoof Amazon email, I forget numbers now as it was a couple of years ago but it was a similar story, I think initial click-through was something like 60% – it was more than half anyway. This tailed off the further down the fake site you got, “enter your password” etc. But there were a couple who when they got to the final payment card rejection message actually rang him up going “the website isn’t working, can I pay over the phone?”

received a similar text a few weeks ago just as I was expecting a parcel. For a split second, I assumed it was legit but quickly realised that it must be a scam since it bore no validating particulars.

So does the scammer know your expecting a parcel or do they just assume that a useful fraction will be expecting a parcel. My son didn’t fall for it more than once. But he said it seemed like they knew he was expecting a parcel as the timing was right more than once. Of course this could be coincidence

Thanks again, but it was the card number, expiry and CVC disclosed to the scammers – not account and sort code, if that helps.

@byeway Notify the bank, right now, and get it cancelled. That is absolutely enough to make remote (phone, internet) payments. They don’t need account details.

As a professional, unscammable, clever man of the world, I got scammed a few months ago – I foolishly authorised a minor payment, cancelled the card straight after via the app and rang the bank – no payments taken yet, old card permanently cancelled, new card ordered.
But the follow up call, a couple of days later, was clever…..the correct bank name and number showed on the phone screen; they were aware of a couple of suspicious transactions, all sounded perfectly plausible. I ended the call then, rang my bank and it was indeed a scam call.
Be careful!

The scammers arent really getting any more clever, we are all getting older!

A couple of weeks later he had a call from “the bank” (correct name of bank and showing as “from” the number he’d previouly used to contact the bank legitimately)

Last year I had a message at work purportedly from my bank about some suspicious activity on my account. I deleted it, but just to be on the safe side I called my account manager on her personal mobile and left a message. A couple of minutes later she called me and said she’d just looked at my account, there were a number of transactions that had been attempted and declined, and to phone the number NOW!
Which I did, and a couple of small transactions had gone through but four or five bigger ones hadn’t, so I was talked through a bunch of recent transactions to track back to genuine ones. My card was cancelled but it was right before a bank holiday, which was a pain. My bank at least was on the ball, I’m naturally sceptical about anything  that I have come through on my phone or pad, that concerns money.

it was the card number, expiry and CVC disclosed to the scammers – not account and sort code, if that helps

Not really – the card number is often sufficient to log in to online banking. (We believe that’s what happened to my son.)

It’s always worth running a check on

https://haveibeenpwned.com/

to give an overview of the vulnerability of any email address and moby number.

The CVC scratch idea is OK, but the people harvesting this data have a technique of bombarding a random legitimate payment platform with the data they know, ie name and long number, then automatically counting up the CVC from 000 to 999 until a payment goes through, likewise with expiry dates. We do quite a lot of cyber claims at work and a party gym had to close down for a weekend as a threat actor was doing this on their booking site and they simply had to pull the plug to stop it. Each attempted transaction cost them 10p and any that went through charged £10. They had 90,000 transactions attempted in one weekend. They are clever sods these crims, and there is lots of money to be made.

The scammers arent really getting any more clever, we are all getting older

I like the sentiment, but I don’t think it’s correct, unfortunately.

It isn’t messages in broken English from Nigerian princes any more – you don’t know who the hell to trust!

@byeway Notify the bank, right now, and get it cancelled. That is absolutely enough to make remote (phone, internet) payments. They don’t need account details

We have contacted the bank, no further payments have been taken and the card is now cancelled.

Thanks everyone, especially Cougar as ever for his diligence, but we did cancel the card straight away

👍