LONDON (Reuters) - Customers who use social media to vent frustration at their banks when services go down are inadvertently making themselves targets for fraudsters, law enforcement officials and industry insiders said.
That was the case for customers of Britain’s TSB, many of whom took to social media to complain after a computer systems migration by the bank left thousands of users locked out of their accounts.
The bank’s chief executive on Wednesday said TSB saw the daily rate of attempted fraud on its customers spike by up to seventy times following the outage and that around 1300 customers had money taken from their accounts.
A person familiar with TSB’s investigations into recent frauds said while it can be difficult for the bank to know for certain how criminals obtain information about an account, activity on social media is a concern. When accounts are compromised, it’s usually because a customer gives up their details and “a lot of that is entirely voluntary through social media”, the person said.
TSB spokeswoman Supreet Thomas said the bank encourages customers to be careful about how much personal information they share online. “The more information made available on these sites, the easier it becomes for fraudsters to steal your identity,” she said.
Security specialists say news events like the TSB outage are the perfect hook for scammers, largely because people using social media may identify themselves as a customer of a given firm making it easier for them to defraud.
“Consumers – or people – are always going to be the weakest link, so if they can find ways to attack the customer… then they will go after that,” said Mark Nicholls, director of cyber security at UK-based firm Redscan.
TSB’s botched computer-systems migration have cost around 70 million pounds ($93.95 million) so far, its Spanish parent Sabadell said on Thursday. The issue has also prompted a regulatory investigation and criticism of its chief executive. A panel of British lawmakers said Thursday they had lost confidence in TSB’s CEO, Paul Pester.
The bank’s chairman responded that Pester retains the full support of the board.
Following TSB’s outage issues, opportunistic fraudsters used fake text messages and emails claiming to be from the bank. TSB customers reported 749 phishing attempts in May after the bank’s IT troubles became widely known, up from just 30 the previous month, according to Action Fraud, the UK’s national cyber crime reporting center.
Action Fraud, which refers reports of fraud from banks to the appropriate local police force, said they continued to handle the TSB cases.
Some of the attempts were unsubtle.
“We have detected suspicious activity on your current account so we need you to verify some details, please use the like below,” ran one phishing attempt texted to a TSB customer and posted to Twitter on Wednesday.
The recipient said they realized the misspelled attempt wasn’t legitimate.
Nicholls, the cyber security specialist, said the vast majority of phishing attempts were likely relatively unsophisticated and opportunistic, noting that a number of non-TSB customers reported receiving texts and emails about non-existent TSB accounts.
In such situations, he said fraudsters send out mass texts or emails with the hopes of hitting a customer of the affected organization, who they believe will be more receptive to the scam.
Some scammers also used tools to make their calls and messages appear as though they came from numbers genuinely used by TSB, he noted.
Even so, Nicholls said some may have used more targeted approaches and that he would advise consumers against tweeting about their banking experiences.
“Anything that can link you to a current ongoing campaign may cause you to become a target unfortunately,” he said.
News events like the TSB outage are the perfect hook for such tricks as people let their guards down in rushing to get problems solved, according to 39 year old James Linton- and he would know.
Better known as the Email Prankster, Linton in the past year hoodwinked well-known figures including Barclays boss Jes Staley by impersonating colleagues on email. A spokesman for Barclays at the time confirmed the hoax, but declined to comment further.
“In TSB’s case they have inadvertently given fraudsters the perfect conditions to pull this off, you’re looking for something topical so people let their guard down,” Linton said.
Earlier this year, the Financial Conduct Authority warned that the increased use by consumers of data sharing and social media as part of online banking may be making them more susceptible to fraud.
Fraudsters are also increasingly shifting their focus away from methods that target online banking systems to scams that target consumers directly, the FCA said in an April report.
So-called push payment scams, where criminals trick customers into authorizing payments from their accounts, can be particularly problematic as they are difficult for consumers to spot and banks often argue they cannot refund the lost money as the customer authorized the transfer.
The FCA’s report cited figures from Cifas, a non-profit fraud prevention organization, which found there were 172,919 incidents of identity fraud in the UK in 2016, an increase of 52% since 2014. In 2017, Cifas said this rose again to 174,523 – an all-time high.
(The story corrects typo in Mark Nicholls’ surname and amends his title.)
Editing by Cassell Bryan-Low
Our Standards: The Thomson Reuters Trust Principles.