When Nargess Sadjady answered the phone at her home in London one early evening in August, the man on the other end gave her some disquieting news: There were some suspicious online purchases on her account. The caller spoke with a soft Scottish accent and said he was from the security team at her bank, Santander, and needed to verify some of her information in order to pass the case along to the fraud department.
It’s the kind of call that consumers get fairly often in the age of data breaches. The only problem was, the call came not from Sadjady’s bank, but from a fraudster who, over the course of several hours and three phone calls, convinced her to transfer £12,000 (more than $18,000) from her Santander account to an account controlled by the fraudsters. Within hours, the money was disbursed to several other accounts and Sadjady was left wondering what had happened.
This is a story that involves a crew of professional thieves, a credulous target and an unlikely happy ending. And it’s a story that’s become all too common, not just for consumers, but for banks, health care companies, and even lawyers who have fallen prey to the increasingly sophisticated and targeted scams of these kinds of fraudsters.
The crew that went after Sadjady knew what they were doing. They knew what bank she used and when Sadjady eventually became suspicious during the initial call, the caller—who said his name was Mike—asked her to take out her debit card and look at the phone number on the back for the fraud department. He then recited that number to Sadjady and said that someone from the fraud department would call her back soon from that number.
“I don’t know you. I can’t give you any more information,” Sadjady said, according to a recording of the call obtained by BBC Radio’s Money Box program.
Not to worry, Mike said. He didn’t want personal details. He just wanted to confirm that she had her card. He then gives her a “password” that she can use to verify that the person who calls her back is from Santander. The password is Smith123, which makes the passwords in the Ashley Madison dump look bulletproof. A few hours later, a man identifying himself as James called Sadjady and said he was from the Santander fraud operations team and then read the password back to her. The callers used spoofing software to ensure that the number appearing on Sadjady’s caller ID was the one she’d read off the back of her bank card.
Sadjady was told she needed to transfer the money out of her account in order to protect it. Some fraudsters may have gotten access to her account details and made the phantom suspicious online purchases that the original caller had warned her about. You see, fraud can occur anywhere, and it could’ve been the nice lady Sadjady spoke to in her local Santander branch last month.
“I wasn’t sure until they called to my mobile from the telephone number on the back of my card.”
Or someone at another branch. You just don’t know. The safest course of action was to move the money out of Santander altogether, the fraudsters assured her.
“Fraudsters have many methods of obtaining people’s details,” the second caller told her.
James then asks her for her mobile number, a piece of information he already has. But he needs to make sure that she has her phone with her so she can get the text message from Santander confirming the transfer she was about to make. And this is when the hook was set.
“I wasn’t sure until they called to my mobile from the telephone number on the back of my card,” Sadjady told the BBC.
James eventually asked Sadjady for her account balance and instructs her to transfer the £12,000. He helpfully stayed on the line while she completed the transfer and received the text from Santander with the confirmation.
“Oh yay, you sent it,” she said in the recording, which was made by her family.
The money was then in the fraudsters’ account and soon would be divided and sent off to several other accounts. Soon afterward, Sadjady began to worry that she had made a mistake. She called Santander’s actual fraud department, which was sympathetic but noted that she had approved the transfer herself. The bank eventually returned £3,000 to her, and Halifax Bank, the target institution where the fraudsters had set up their account, later refunded the remaining £9,000 to Sadjady.
She was one of the lucky ones.
For most victims of these fraud crews, the money just disappears. That was the case for a couple in Scotland who fell prey to the same kind of scam that Sadjady did and lost tens of thousands of dollars. The couple, who own a farm, had shied away from online banking because of security concerns, only to find themselves targeted by phone scammers.
The fraudsters knew all of the security questions that the couple’s bank would ask to establish their identity and knew important details about the couple. Now they are out a large sum of money and are fighting with their bank to get it back.
“We no longer trust people and are reluctant to speak on the phone. It’s been a very lonely experience and we feel bitter,” the couple told The Edinburgh Evening News.
Sadjady’s story had an unusually upbeat ending, but the attack itself is becoming as common in banking circles as traditional phishing. But while phishing attacks are well-understood and security experts have spent more than a decade educating users about that risk, the kind of phone-based scams that these fraudsters are running often are more difficult to identify, especially for consumers. Enterprises have layers of defense and employees trained to root out fraud calls, advantages that consumers don’t enjoy.
Image from Flickr stream of Dan Tantrum.
