January 18th 2016
Today sees the launch of a major new awareness campaign highlighting the dangers of ‘social engineering’ – deception used to manipulate people into a position where they can be defrauded.
The warning comes in the wake of figures issued by the National Fraud Intelligence Bureau showing a 21% increase in reported incidents in 12 months.
The campaign is being run by Get Safe Online in partnership with Barclays, NatWest, Royal Bank of Scotland, Lloyds, Halifax, Bank of Scotland, City of London Police (COLP), CIFAS and Financial Fraud Action UK (FFAUK). Featuring TV advertising for the first time in Get Safe Online’s 10-year history, it urges people to ‘think twice before they act’ to stop more falling victim to social engineering scams, which can take a number of guises such as fake emails, phone calls, texts or posts. It frequently involves piecing together information from various sources such as social media and intercepted correspondence to appear convincing and trustworthy. The often complex nature of such attacks makes them extremely difficult to spot before it is too late.
Social engineering on the rise
Cybercriminals' attacks are growing in both volume and sophistication. New figures from Action Fraud show that 95,556 phishing scams were reported between November 2014 and October 2015, a 21% increase on the same period the previous year*.
This is further supported by Get Safe Online's own research, which found that over a quarter (26%) of victims of online crime had been scammed by these kinds of social engineering emails or phone calls. In addition, over a fifth of people (22%) said this is the type of crime they are most concerned about. Interestingly, the Action Fraud data shows that reported phishing scams peaked on 21st October, the day of last year's TalkTalk data breach. This shows how a high-profile breach heightens both the public's fear of these attacks and its vigilance in reporting them, particularly given the other well-publicised breaches that took place last year.
Most common types of scam
According to the research, the most popular angles and guises for phishing scams include pretending to be from BT, iTunes/Apple ID, HMRC, a lottery organiser, PayPal, a bank or Amazon. The most common relate to BT and iTunes.
In terms of the most popular channels for phishing, email comes out top, accounting for over three quarters (77%) of all reported incidents. This is followed by phone calls, which accounted for just over one in ten (12%) incidents.
The most-used channels for social engineering scams, after email, include:
· Landline phone calls
· Text message
· Mobile phone call
The most common themes for phishing scams, in order, are:
· BT account update
· iTunes invoice
· HMRC tax refund scam
· Tesco vouchers, Apple ID, accident injury claim and other document attachments
· False invoice
· Itinerary attachment
· Suspended credit card account
· Suspended Tesco Bank account
· Sky services upgrade
· Blocked Barclaycard
In addition, over a quarter (29%) of all reported phishing emails contained a potentially malicious link which, when clicked, could deliver malware to the victim's computer or lead to a page requesting their personal details. 17% of phishing emails asked for a reply and a further 15% asked directly for personal information. Interestingly, though, the share of emails carrying malicious links is falling while requests for money transfers are rising. This shows how the nature of these scams is constantly shifting, giving us all the more reason to think twice before we act.
Tony Neate, Get Safe Online’s Chief Executive said: “Social engineering is becoming ever more targeted and personal, which is why it’s no surprise that the number of cases is on the rise. What’s worrying, however, is the complex nature of these scams and how they tap perfectly into feelings that make us panic – if we get an email purporting to come from someone we trust (such as our bank) about something that is emotive to us all (money) and then demand that we act urgently, it’s almost like the perfect storm. That’s why we’re so pleased to be teaming up with the banks, City of London Police, CIFAS and FFAUK to encourage people to think twice before they act and not to let panic override common sense.
“We also advise that people make sure they have strong passwords or PINs to secure devices, as well as making sure all software and apps are up-to-date. If you do have suspicions regarding an approach, it’s always better to be safe than sorry, so trust your instincts and double-check the person is who they say they are before handing over any information. This way, we can stay one step ahead and stop more people from falling prey to an online criminal.”
Commander Chris Greany from the City of London Police said: “Social engineering is increasingly being used by criminals to prey on people’s personal and financial information. Almost everyone is able to identify a time when they have received correspondence from someone, whether it be by email, post or on a phone call, who is looking to convince them to part with their details. Fraudsters are using ever more sophisticated methods to gain personal information and these types of attempts have often left victims penniless.
“We urge everyone who receives unsolicited phone calls, texts, emails or letters to ignore them and never enter into conversation with someone that you don’t know online or over the phone. If you’re contacted in this way, it is likely that you’re being targeted by a fraudster who is simply looking for ways to exploit your personal and financial details.”
If you are a victim of a scam
· If you have been a victim of banking fraud or spot irregular activity on your account, contact your bank immediately, as prompt reporting improves the chance of recovering your losses. Use a contact number you already know to be genuine (for example the one printed on your card), not one supplied in the suspicious message or call
· It’s important to report any fraud to Action Fraud, the UK’s national fraud reporting centre, by calling 0300 123 2040 or by visiting www.actionfraud.police.uk
*Data consists of phishing reports made to Action Fraud by members of the public between November 2014 and October 2015. Reports made via the ASOV tool consist only of those instances of phishing where someone has been approached with a scam message (via email, text or phone) but has not suffered a financial loss as a result of it and has not exposed their personal details to a scammer.