What’s in their (digital) wallets? The scammers loading up phones with stolen cards


A new and sophisticated fraud has emerged in which criminals transfer the bank cards of victims on to the digital wallets of their own phones and then buy goods online and in high street shops.

A group of anti-fraud bodies have come together to warn of the dangers of the scam, which international criminal gangs have been using in the UK as well as North America and other countries.

The scale and speed at which the fraud has taken off have alarmed experts, who say they are seeing a new level of sophistication, with criminals committing a lot of resources and effort to scamming people and avoiding detection.

The fraud involves convincing victims they are getting a bargain online, are eligible for help with their energy bill, or some similar ruse, and need to provide their bank details. Then the fraudster uses a temporary password supplied by the bank to the victim to transfer their payment card on to the criminal’s own phone using the digital wallet: the app that stores payment details on people’s phones.

Garry Lilburn, the operations director at the Cyber Defence Alliance, a non-profit intelligence organisation, says the sophistication of this scam and its widespread use is prompting growing concern.

“It is the sheer scale and effort that these people are going into,” he says.

How the scam works

The fraud makes use of familiar methods that criminals have developed to entice people to part with their bank details – perhaps a text message promising a payment, with a link to a fake website, or an offer on social media for cheap products, usually involving claims that are too good to be true.

The texts variously say – for example – that people are entitled to a payment for the winter fuel allowance, or that they have reward points due to them from their mobile phone provider, or that they need to pay a parking penalty notice.

There are also adverts on social media that purport to offer a range of different items at very cheap prices – from toilet rolls and creatine gummies to bike trailers and fashionable water bottles.

These “initial lures” set up to entice victims also claim that well-known chains such as Homebase, Foot Locker and Zara, among many others, are having “closing-down sales”. It’s all a scam, of course.

“You are asked to pay the money to buy those goods, or register for winter fuel payments, or pay that parking fee,” says Lilburn. Then, if the victim falls for one of these lures, they are asked to put their name and card details into the fake site they have been sent to. With these details, the fraudsters ask the victim’s bank to send a temporary one-time password or passcode (OTP) via a text. The victim is then asked to put this into the form they are filling in online.

“The interesting part is that [the criminals] suggest they have sent you a verification code. What they are actually doing is they are applying to open a new digital wallet. When [the criminals] are setting up that wallet, the bank will send a verification code – a lot of them by SMS – to the victim, who will send it to the fraudsters, and that allows the fraudster to get that number and then give it back to the bank to authenticate their digital wallet,” says Lilburn.

Dianne Doodnath, the principal for economic crime at the banking trade body UK Finance, says that while the text to the customer will indeed indicate that it is for setting up a digital wallet, and not to make a purchase, as the victim believes, they might not read the full message when it appears on the top of their phone screen. “They assume it is for a purchase, but it is actually for the enrolment of a wallet,” she says.

The fraudsters then add the digital wallet to their iPhone wallet, or Google Wallet on an Android phone, or via Samsung Pay, and have the victim’s card loaded to spend with as they wish.

[Photo: four phones with their screens each showing seven or eight cards in a digital wallet. Caption: Smartphones loaded up with numerous hacked bank cards in their digital wallets. Photograph: Cyber Defence Alliance]

When they spend

Once the criminals have control of the victim’s card in a digital wallet, they can spend online or go into a shop and pay for items.

How much they can spend depends on the retailer and the bank. Some allow users to spend more than the £100 “tap and pay” limit for contactless payments.

However, quite often the criminals do not use the cards immediately, says Lilburn – they may wait for up to three months before they start spending. When they do, they often buy gift cards for supermarkets, online stores and other retailers.

Doodnath says the criminals may wait so that there is less risk attached to transactions, as the card has been in the digital wallet for a month or more and is less likely to trigger warning signs within banks.

While some victims may have notifications of spending set up on their phone, and therefore would be able to see if their card was used by someone else, the majority do not, says Lilburn.

A new fraud

This new, elaborate development in the world of fraud emerged last year, says Lilburn, and criminals have put a huge amount of effort into it.

“The domains and the websites that have been created are numerous. So numerous, there are many in reserve. So we get one taken down and they slot another one in,” says Lilburn. “There is a lot of sophistication and effort being put into this.”

Often the criminals’ phones, or access to them, are sold between fraudsters once the cards are put on them.

People are being urged to ensure they know what any OTPs they receive are being used for.

Google advises users never to share one-time passwords and says it uses artificial intelligence and fraud prevention technology to identify suspicious transactions. Neither Apple nor Samsung commented on the developments.
