Spotting a Fraud

The constant  evolution of scams and fraud, both online and by phone,  makes for a modern  game of cops and robbers where – just as one  security breach  is identified – another  weakness  becomes apparent.   I guess it will go on and on(line), just as it has always done, in some form, since money was first invented.   Like most other people I do try to look after my data and property, but there are  a couple of features of online security that I don’t follow.   Perhaps you have the answer.

I just got an email from a financial institution, addressed to me (in reply to a transaction completed a few minutes earlier) and therefore pretty obviously ok.   It wasn’t asking for anything, just confirming some details.   But the thing that struck me was the reassuring note that I could check my postcode at the top of the letter, as proof that this was from the bank in question.  

Now as a layman I can see that to have a correct postcode  strongly implies  that this is not a boiler-room scam, sent out simultaneously to hundreds or thousands of people.   But the thing that has always puzzled me here is this: if scammers are as ingenious and sophisticated as we are (rightly) told, why could they not get hold of data such as postcode?   And if they then used the right one, the person receiving the email would be very likely to believe it must be genuine.

Similarly, we used to be told (and maybe still are) that a secure site will have a little green padlock symbol alongside the URL.   Yes, I’ve seen and trusted that symbol for decades, but again, if everything else can be imitated – apparently with bogus or cloned websites – then why could a scammer not mimic a green padlock symbol?

I’m asking this not in order to criticise the banks or institutions which might be targeted for scams, but simply out of puzzlement.   Of course, there are reasons for criticism – the way that Talktalk were hacked last year suggests pretty basic failings.   In subsequent months I was phoned on many occasions by people purporting to come from Talktalk, but there were always enough clues to show they were attempted frauds.   However, when I raised this with Talktalk I was told that it was simply a fluke that people were using the company name – to which I can only say it’s so odd that no one ever tried to tell me they were from BT or any other company.   I feel pretty sure my name and number, at least, had become available.

Then, very  recently, I rang them about another issue and after a few early questions was asked to go through some “security” steps.   These comprised things like my full address and postcode.   If I were trying to hi-jack someone’s account, the chances are that I would have had access to such obvious details anyway – the same is true for date of birth.   It was just a pity that Talktalk didn’t make use of the excellent new system I had already signed up to, whereby you repeat a phrase so that the unique qualities of your voice are analysed to prove who you are.

So in the case of this actual company, I would have to say that they are responding to a known problem,  albeit in a slightly patchy way.   But there, I’ve got into criticising one company, when all I wanted to do was raise the issue of details (postcode, etc) which allegedly show that a message is genuine when in fact they could surely be part of a fraud in themselves.