by Inspector Gadget
Sun Mar 04, 2018 3:29 am
I've copied this from a Facebook post which is being circulated to warn people of the nature of this scam.
Stu Kennedy
Yesterday at 00:32 · Lochwinnoch ·
Still reeling and in shock after being scammed out of nearly all our money.
It was a very elaborate scam, and I want to tell people about it, so they don't fall for it too. Apologies if this gets verbose, I want to explain what they did and how subtle it was; so you don't make the same mistake as I did.
I got a text through from Barclays to say that they had flagged a potential fraudulent purchase to Debenhams on our account, and to phone them. It was an official text (see attached below) from their normal number that I get notifications on.
I phoned the number, got the Barclays welcome message and standard menu system, where it asks you to enter your sort code and account number and then let me choose the option for fraud dept. I waited for a short time and then was put through to a friendly lady with a London accent.
She went through the standard security for Barclays where they ask you to generate an "Identify" code on your PINsentry device. (mine is on my phone app)
She then asked me what the issue was, I explained the problem, and she said that someone was attempting to make an online purchase to Debenhams and that if it wasn't me I needed to cancel it immediately. I obviously agreed.
She said to cancel it they use the "respond" feature on the PINsentry. So she read me a number to input and I had to generate a response code on PINsentry and they would use that to generate a cancellation request which would be texted to me and it would ask me to confirm cancelling the transaction by responding with a "Y". She said that other transactions that are also queued can come through in the text too but just to ignore those. I was slightly confused but not enough to be suspicious.
I got the text through asking if I'd like to cancel and I responded with a "Y". I also got one other text through saying that a transaction was being made to SKENNEDY. Now I was suspicious. I started asking questions, but she said it looked like the fraudsters may have access to my account. I logged into my account and saw three large transactions to SKENNEDY had gone through and nearly wiped our business account clean. I mentioned it to her and she said I should delete my banking app.
I was now deeply suspicious of her, and didn't do it ... I started asking her questions and eventually she hung up.
This is how the scam works:-
1. There is a simple way (I was unaware of until tonight) to send a text to someone and pretend you're a different number. (shocking I know) ... the text I got was from con-artists and not from Barclays even though the other texts in that message thread were all from Barclays.
2. Barclays uses PINsentry "identify" when you call them to identify you, but that's the same mechanism used to log into your online account, and all they need is your sort code and account number (which they got from the key entry on their fake menu system). They also sound legit, they know their bank call-centre patter.
3. Once into my account and reassuring me they'll freeze the nasty transaction, they add themselves as a payee and go to do a transaction. This is where they need the "respond" code to set up the payee, which I gave thinking it was part of the cancellation ritual. Barclays then automatically sends you a text to confirm the new payment, but they immediately followed with their own text telling me the system was cancelling the Debenham's transaction and to respond "Y" to confirm. This was actually responding Y to the text before it, which I'd temporarily ignored (on her advice) to confirm setting up the transaction to "SKENNEDY" (them).
4. Now the payee is authenticated and they're still in the account, they just keep taking money out until it's all gone.
----------------------------------------------------------
SO ... I spoke to the ACTUAL fraud team who told me that they are dealing with hundreds of these specific scams a day. Not surprising considering it was a pretty convincing thread of events ... and apparently Barclays can do nothing about it. (I'd suggest that's not the case and they need to think through their security process a bit more carefully to avoid a man-in-the-middle attack)
I feel like a total fool, especially considering I've worked in areas of fraud prevention in software and I'm usually pretty savvy with even the more sophisticated ones, but this totally caught me.
Don't fall for it.
ONLY EVER CALL THE FRAUD PHONE NUMBER ON YOUR BANK CARD, NOT ONE SENT IN A TEXT OR EMAIL
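The step-3 confusion above (a genuine "reply Y" prompt followed by a spoofed "reply Y to cancel" text) comes down to the confirmation reply not being bound to one specific request. The following is an added model, not code from the post or from any bank: it replays that sequence against a bare-"Y" scheme and against a scheme whose reply must echo a per-request token shown beside the action, using constructed message wording.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingAction:
    description: str   # e.g. "add payee SKENNEDY"
    token: str         # one-time code the customer must echo back (empty in weak scheme)


class BareYesConfirmation:
    """Weak scheme: any 'Y' confirms whatever request was most recently sent."""

    def __init__(self) -> None:
        self.pending: list[PendingAction] = []

    def prompt(self, description: str) -> str:
        self.pending.append(PendingAction(description, token=""))
        return f"Reply Y to confirm: {description}"

    def reply(self, text: str) -> Optional[str]:
        if text.strip().upper() == "Y" and self.pending:
            return self.pending.pop().description   # confirmed, regardless of what the user believed
        return None


class TokenBoundConfirmation:
    """Hardened scheme: the reply must echo the token tied to one specific request."""

    def __init__(self) -> None:
        self.pending: dict[str, PendingAction] = {}

    def prompt(self, description: str) -> str:
        token = secrets.token_hex(3)  # constructed: 6 hex chars, unique per request
        self.pending[token] = PendingAction(description, token)
        return f"To confirm '{description}' reply with code {token}. Reply STOP otherwise."

    def reply(self, text: str) -> Optional[str]:
        action = self.pending.pop(text.strip().lower(), None)
        return action.description if action else None


def run_scenario(scheme) -> Optional[str]:
    """Replays the post: a genuine payee-setup prompt, then an attacker-sent
    'reply Y to cancel' text (never queued by the bank), then the victim's 'Y'."""
    scheme.prompt("add payee SKENNEDY")   # real bank request (constructed wording)
    # spoofed text arrives here; it is not a bank request, so nothing is queued
    return scheme.reply("Y")              # what the victim actually confirms, if anything


if __name__ == "__main__":
    print("bare-Y scheme confirmed:", run_scenario(BareYesConfirmation()))
    print("token scheme confirmed:", run_scenario(TokenBoundConfirmation()))
```

Under the bare scheme the victim's single "Y" silently confirms the payee setup; under the token-bound scheme it confirms nothing, and a caller cannot trick the customer into echoing a code without the customer reading the action it belongs to.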