TalkTalk, one of the UK’s biggest Internet service providers, has just been scam-scammed. The initial hack took place during the Christmas holidays of 2014, but the four million (and counting) customers are still reeling from the attack. The scam itself is a standard phishing scheme, and it’s been announced that the actual breach happened via a third-party vendor. Millions of pieces of sensitive data were stolen, including names, phone numbers and addresses. In late February 2015, TalkTalk confirmed that once again, hackers are after their customers.
So far, “thousands” of TalkTalk customers are being scammed into dishing up their sensitive data and/or downloading malware. TalkTalk has announced that they don’t know exactly how many customers have been impacted. However, the good news is that no hyper-sensitive information like birth dates or credit card numbers has been stolen. Plus, their business clients are in the clear (so far) and only personal usage clients have been tapped.
A Valiant Effort
With the first TalkTalk hack in December, a number of customers knew something was up. According to The Guardian, over 100 customers were called by a call center in India, and it seemed the callers were trying to gain their trust while phishing for information. According to one customer who received a call, the “caller was obviously from India and his English was poor. (He) claimed he was from TalkTalk and when I queried this, he reeled off my account number plus name and address.” Of course, being “obviously from India” or anywhere else isn’t grounds for knowing whether or not a person is a TalkTalk employee, but TalkTalk did confirm they didn’t make those calls.
Phishing scams are fairly common in the world of breaches, and it can take just a few minutes to get results. Google reports that phishing scammers are getting more sophisticated and better at targeting. It’s no surprise they’re becoming more and more common. Plus, just because hyper-sensitive data isn’t being rampantly stolen, that doesn’t mean some customers aren’t out thousands. The Guardian notes that in February, “at least one customer” was phished for $3,000: Graeme Smith.
According to Smith, someone allegedly from TalkTalk’s fraud department called and managed to convince him to download software—this allowed the fraudster to control Smith’s computer from afar. “He said he would transfer the call to the refund department who would arrange compensation of £250 for the inconvenience of being hacked,” says Smith, who was then given a passcode to claim the credit. “I hadn’t much experience of using these codes before and when the message came through, I viewed it quickly. The amount on the screen was different, but he said this would be because it was in rupees. I was panicking and feeling extremely anxious about getting threats to my computer sorted so I passed on the OTP code to him.”
So far, Smith says his bank holds him totally liable for the scam. Smith didn’t use a credit card for the transaction, making any fraud protection common with credit cards moot. His bank’s representative says, “While we appreciate this was a sophisticated scam, Mr. Smith gave personal details by confirming the One Time Passcode to the fraudsters and thus validating and authorizing the transfer of funds.”
There may be different laws and regulations with US banks, but so far this particular scam seems to be staying across the pond.