As a three times winner of the IT Security Journalist of the Year award in the UK, I am used to writing about all kinds of scams. Whilst most of them try and weasel their way into the bank accounts of the victim through purely online means, increasingly the bad guys are turning to 'old school' conman trickery via the telephone. The most common of these in recent years has probably been the rogue antivirus Microsoft support call (using remote access to your PC to install malware and then charge you to supposedly remove it) followed more recently by the credit card bank fraud team call. But now there's a new twist: the dial 999 scam.
My mother is eighty years old and not in the best of health, having been diagnosed with heart failure. She is, however, as sharp as a tack mentally. What's more, being my mum, she has perhaps a better understanding of IT scams than most people of her age. Which is why I was somewhat surprised to get a phone call from her yesterday evening recounting how she had almost fallen victim to a scammer. The keyword being 'almost' as no information was revealed to the scammer that would enable her bank account to be pillaged. Thankfully, some of the advice I have given her over the years stuck. That said, this particular scam implements some new tricks that are new to both me and the police officers who visited my mother following her reporting the attempt (another bit of advice that stuck, always report such scam attempts as it helps law enforcement to paint a better picture of fraud trends).
Here's what happened, by way of a warning to others in the UK with elderly relatives who I would advise they inform as fore-warned is fore-armed:
The caller asked for my mother by name and claimed to be from the fraud squad based at Hammersmith police station in London. The asking for someone by name thing is not new, and scammers will scan telephone directories looking for names that suggest an elderly person (Betty, Doris, Elsie, Ethel etc) as they are perceived as being an easier target. What is new though, is the posing as a police office part. Neither myself nor the police who investigated the incident had come across this tactic before yesterday. The usual strategy when attempting to scam bank account details is to impersonate the bank itself. However, as of yesterday afternoon, the police in South East London had already been called to four incidents of police impersonation using the same scam that day.
The scammer informed my mother that her bank card had been used in a series of frauds, oh the irony, totalling in excess of £2,000 ($3,000). She then went on to ask for confirmation of the bank card number, the security number and password associated with that account. Although shaken by news of the so-called fraud, my mum was not convinced and refused to provide any information as she could not be sure the caller was, indeed, a police officer.
Mum explained that as she could not see a police warrant card for identity purposes over the phone, she was not happy about talking to her. The scammer then pulled the second new attack tactic to emerge yesterday: she told my mother that if she was unsure then she should hang up the telephone and dial 999 (the UK equivalent to 911) and ask for the Hammersmith Fraud Squad. My mum did just that, hung up and called 999 where to her surprise she was connected through to the 'officer' she had been talking to. Actually, what really happened, was that the caller had not terminated the call at her end and just kept quiet until she heard my mum dialling 999. My mother admits, upon reflection, that she heard "some odd tone" instead of the dial tone before calling 999, but didn't think this was odd at the time. I am not a telephone engineer, but my understanding is that BT in the UK keeps the line open for a couple of minutes using something known as a 'Called Subscriber Held' timer so that they can put one phone down and then mover to another room and continue on a different handset without losing the call.
In the heat of the moment, my elderly mother didn't stop to think that a 999 call would not go straight through to the fraud squad desk at Hammersmith police station, and that an emergency operator would respond to enquire whether the caller wanted ambulance, fire, police or coastguard before putting them through. Luckily though, she did stop to think about the questions being asked by the co-called detective and continue to refuse to pass over any banking information. Eventually the scammer gave up, the police were called and my mum phoned me in a very shaken state.
The moral of this tale is that scammers have no morals, and will happily try and con the elderly, the infirm and anyone else who might fall for a convincing story backed up with just a little technical trickery. Remember, personal and financial information should not be given to anyone, including a police officer, who calls or emails to ask for it. Why would they need it? If they really were from the bank or the police investigating a fraud that used that card, they would already have the information and certainly would not need your PIN numbers or passwords. Your bank will NEVER contact you and ask for this information, and neither will anyone else unless they are trying to con you.
