Scots are being alerted to highly convincing phishing emails from fraudsters posing as Apple this week as new research shows a huge rise in cyber-crime over 2016. However, a sharp debate has broken out as to who should take more responsibility for fighting the scammers – customers or banks.
Cyber criminals are sending fake invoices, purporting to be from Apple, to thousands of email addresses in an attempt to scare recipients into thinking they have been wrongly charged for a product from the iTunes store.
The phoney invoice, which is almost identical to the real thing, encourages customers to apply for a refund through a prominent link labelled ‘Cancel and Manage Subscriptions’, which actually leads to a fraudulent website that asks for bank account details.
Variations of the scam include fake receipts for iTunes membership and Netflix membership as well as different apps and songs. All carry the iconic Apple logo as well as the standard iTunes invoice layout and format.
However, there are clues that give the game away. Genuine invoices from Apple are sent from email@example.com whereas the scams are sent from dummy email addresses. Moreover, real Apple receipts should contain your billing address and the last four digits of your card number, whereas the fraudulent emails only identify you by your email address.
Action Fraud, the national cyber-crime reporting centre, says the fake iTunes invoice is a longstanding phishing ploy and now the second most common scam of its kind in the UK. Apple says it never asks customers to provide personal information or bank account details via email and is urging anyone who receives the fake invoices to forward them to firstname.lastname@example.org.
It comes after a Glasgow-based man was jailed for 11 years last week after masterminding Britain’s biggest ever cyber scam, conning bank customers out of £113m. Feezan Hameed Choudary, 25, paid two corrupt employees of Lloyds Bank to provide them with customers’ bank details so he and his associates could cold-call small businesses and trick them into providing internet banking passwords.
New data shows that nearly 375,000 Scots have been hacked by fraudsters in the last year, with the majority (87 per cent) losing money as a result. According to comparison website comparethemarket, around 214,000 people in Scotland have been forced to cancel their debit or credit cards following online fraud in the last 12 months. The average amount stolen from Scottish bank accounts was £679, with more than a quarter of fraud victims losing between £400 and £500.
Separate research shows there were more than a million cases of financial fraud cases in the UK in the first six months of this year – a 53 per cent rise on the same period in 2015. This amounted to a crime every 15 seconds between January and June 2016, according to Financial Fraud Action UK.
Financial Fraud Action UK, which was set up by the UK payments industry, believes the onus is on customers to spot criminals before becoming their prey. It has teamed up with the Government, police and financial sector to raise public awareness of the issue through its Take Five campaign, which highlights simple steps that customers should take to avoid being conned.
However, critics argue that banks are letting down customers. The consumer organisation Which? used its special status last week to make a so-called ‘super complaint’ about the way financial firms handle fraud cases involving bank transfers.
At present, customers who unwittingly transfer funds from their bank account to fraudsters have no way of getting their money back from their bank – something that 60 per cent of customers don’t realise.
The super complaint will compel regulators to consider extending the money-back guarantee currently covering direct debit, credit and debit cards and hacked accounts.
Experts agree that customers can only protect themselves so far. Brian Spector, chief executive officer at online security firm MIRACL, said: “A range of tactics which once seemed secure – such as identity verification via text message – are becoming easier for hackers to exploit.
“Meanwhile, banks are under pressure to be as user-friendly as possible, which has resulted in security being downgraded in a number of cases.”
Robert Capps from NuData Security added: “The increasing volume of attacks globally can be attributed to more fraudsters willing to commit the crime, more data available on the black market, and more financial institutions and merchants that are vulnerable to attacks.”
Others believe the banks need to turn away from old-fashioned passwords and PIN numbers towards more futuristic methods. Once the preserve of science fiction films, biometric security measures using fingerprints, eye scans and voice recognition could become commonplace in the next year, according to David Webber, managing director of Intelligent Environments.
“Our research shows that over half of people are ready to ditch their passwords in favour of biometric security measures – it offers personalised security that is user friendly and secure,” Mr Webber said.
Which? said that banks might be more willing to implement these high-tech options if they are financially liable for bank transfers going awry, allowing them to discover fraud in ways that their customers cannot.
Jim Wadsworth from Vocalink, which is behind most of Britain’s payments infrastructure, said the company has developed a “cutting-edge” data science technique to detect suspicious transfers before the money has even left the account.
“We can then report this to the victim’s bank, who then work with their customer to either stop or validate the payment in question,” he said.
“This ground-breaking solution is now live with one of the UK’s biggest banks and we are planning to roll this out across the industry.”
Until banks improve their security situation, there are a number of ways to avoid getting ‘phished’. Police Scotland advises customers to look out for emails that use generic terms like “Dear account holder” or contain spelling errors.
If the email address if different from the one on the real company’s website or if it contains unrecognisable links or attachments, steer well clear.
Finally, if you do click on an external link, immediately close it if there is no padlock sign and no https:// at the beginning of the web address.