Breakdown of a scam
I recently helped respond to a fraud that had a significant impact on the person who was scammed.
Here's a quick breakdown of what happened as far as we can tell.
The victim received a phone call claiming to be from Amazon Customer Service, saying someone was trying to buy an iPhone 15 on their account and asking whether it was them.
Obviously the victim said 'No', and the voice on the phone said not to worry, we can sort this out. Then, 'so they can help', the victim was asked to install the support app from a link the caller would send.
The 'support app' was a copy of AnyDesk for Android.
Then the fraudster said, 'so we can be sure it's you - security is important', we need a copy of your driving license, front and back.
The unsuspecting victim complied. Then, while the fraudster's colleague kept the victim talking on the phone, including getting their card number so they could 'send the money back where it came from', the fraudsters used AnyDesk to navigate to the Amazon web store in the browser on the phone and look up an iPhone 15, so that it was registered in the 'things you were recently browsing' history on the victim's Amazon account. The victim was then instructed to take the phone away from their ear (which is presumably why they did not notice the AnyDesk tomfoolery) and check their Amazon history, and sure enough there was the iPhone 15, just like the scammer had warned.
Meanwhile someone else was using AnyDesk to install more apps onto the phone, including the Revolut banking app.
An account was opened with Revolut in the victim's name, using the photo of the driving license to pass through the automated onboarding and KYC process.
The scammers then tried to use the provided bank card details to load funds into the Revolut account so they could then pay them away to an account they owned. This, however, did not work, and two attempts were declined by the victim's debit card issuer.
The fraudsters then went to an online gift card mall to buy £150 gift cards, telling the victim each payment was actually a refund to their account. After several similar transactions the HSBC fraud detection system kicked in and blocked the victim's debit card.
We also found a copy of the Western Union app had been installed on the victim's phone, but it was not used on the day.
Overall the victim was kept on the phone for over an hour with alternating team members - some friendly, some taking offence when asked 'is this a scam' - working the victim to keep them bamboozled and compliantly confused.
I wonder if a central register could be created that money transfer businesses and banks used as part of their KYC when opening accounts, so that vulnerable people and those especially at risk of fraud and impersonation could voluntarily register so that attempts to open online accounts in their name would automatically be declined.
If there is someone vulnerable to telephone or online fraud in your life, give them this advice:
No bank will ever ask you to move your money in order to keep it safe.
No company will phone you to warn of a security problem - they will send a free email or SMS - the only ones who can afford to use humans for the phone calls are criminals.
Never give your details to someone who phones you - they should have all the required information already in their systems.
When called by a company unexpectedly, ask for the name of the team or department and then hang up. Phone them back using contact details from the back of your bank card or their website.