Establishing Digital Trust: Don't Sacrifice Security for Convenience
U.K. phone and broadband provider TalkTalk recently acknowledged that a data breach in late 2014 resulted in the theft of customer account numbers, addresses and phone numbers, which were then used in targeted phishing attacks.
Acccording to the Guardian, a third party contractor with legitimate access to TalkTalk customer accounts, possibly an Indian call center, was involved in the breach.
HR consultant Graeme Smith told the Guardian he received a call from a woman claiming to be part of TalkTalk's fraud team, who said hackers had tried to access his account through his router. The woman knew enough of his account details to convince him that she was legitimate.
The woman then transferred Smith to a male technician who asked him to download remote desktop software, then told him he would provide Smith with £250 in compensation "for the inconvenience of being hacked." He asked Smith to click on an icon matching his bank, Santander, then to provide him with a one-time passcode that had been sent to his mobile phone.
Instead of receiving a payment of £250, however, Smith found that £2,815 had been deducted from his bank account.
In a statement on its website, TalkTalk said, "We know some customers are currently being targeted by criminal scammers claiming to be from TalkTalk who have obtained their account and phone number. After further investigation, we’ve become aware that some limited information we have about some of our customers could have been accessed in violation of our security procedures."
Santander, however, has refused to refund the £2,815 to Smith's account. "While we appreciate this was a sophisticated scam, Mr. Smith gave personal details by confirming the One Time Passcode to the fraudsters and thus validating and authorising the transfer of funds," a bank spokeswoman said.
Chris Boyd, malware intelligence analyst at Malwarebytes Labs, told eSecurity Planet by email that leveraging stolen customer details for tech support scams is unfortunately always going to be a problem. "Realistic-looking emails harboring bad intentions are a definite danger, and combining that with follow-up phone calls spells peril for unsuspecting consumers," he said.
"If in doubt about the validity of any email or phone call, don't hand over any banking information -- go direct to the source and give your provider a call," Boyd advised.