FRAUD

How I nearly fell for a £1,000 Royal Mail scam

One stupid click on a dodgy link unleashed a sophisticated attack that had the Times science editor Tom Whipple duped. Here’s what he hopes you can learn from his foolishness

Tom Whipple: “You are welcome to call me a fool. I promise you, I have called myself worse”
RACHEL ADAMS FOR THE SUNDAY TIMES
The Sunday Times

This story begins with excuses. With feeble justifications and half-mitigations. It begins this way because, fundamentally, I feel silly. Because I feel like an idiot. Because I was an idiot. Because, perhaps, I want to feel less of an idiot.

Here, then, is how I explain to myself what I did one day last week, the day I very nearly got scammed out of £1,000. The day when I clicked on one of those very obvious scam Royal Mail links that sensible people — people like you — very obviously would not click on.

Excuse 1: I was rushing for a train, after having rushed to get three kids to school. Only half of my brain was engaged.

Excuse 2: The half of the brain that was engaged was already planning the day ahead. Crucially, part of that day ahead had been contingent on receiving a parcel — which hadn’t come.

So when a text arrived, explaining that a delivery had failed, I clicked on it. When it asked for a small delivery fee, I paid it. Then I got on with my day.

Here, you are welcome to call me a fool. I promise you, I have called myself worse. I, like all of us, have received plenty of such texts in the past. I, like all of us, have ignored them — laughed at them even — in the past. This day, for whatever reason, I didn’t.

It was 9.04am on a Friday, and I had just given someone, somewhere, my debit card details.

The message that Whipple received

I know I’m not alone in doing this. Last year the Office for National Statistics estimated there were 3.5 million incidents of fraud in the UK in the year to March, most of which went unreported. We don’t just fail to report fraud, we fail to talk about it — probably because fraud is a crime that preys on weakness.

This is why I am talking about it.

Clicking on the link was very stupid, but it was, I maintain, the only really stupid thing I did. Still, let my stupidity provide you with a cautionary tale, or even a way of satisfying your curiosity about how these scams work.

Seven and a half hours later, I realised what had happened. Sitting at my desk, the bulk of the day’s work panic over, I thought back to that text. If I had been Homer Simpson, this is the point when I would have exclaimed “Doh!” and slapped my forehead.

I opened the app for my bank, Starling, and checked that there was nothing suspicious. There wasn’t. Then I went to the online chat on my phone app to tell them what I had done. I can still see the conversation now.

“Hello,” I said at 4.50pm on the app. “I think I’ve given a scam site my bank details.”

“Hi Thomas,” came the response 15 minutes later. “You’re through to Peter. Thanks for waiting today!”

A few minutes later, my conversation with Peter on the app stopped abruptly. The reason why is that Matt phoned.

“Hello,” he said, “I’m calling from Starling.” I picked up the call and said: “I was just on the chat.” Matt said: “We know. The hackers have access to your app and your phone.

“Can you see a pending transaction for £224?” he asked. I could, it had just popped up — awaiting my approval. “We think it is suspicious,” he said. It was indeed. I thanked him for calling, and said I felt very silly. He chuckled and said there was no need.

Then I had a niggle. “How do I know you’re not the scammer?” I asked. After all, they had my phone number. He said I was right to ask. “Let’s go through the security questions,” he said.

“Can you tell me my recent transactions?” I said.

“Not until the questions,” he replied.

So we did the dance, him saying bits of my address, me completing it. Fine, he said, you’re verified.

He had called me, he said, because the hackers had access to everything on my phone. Starling Bank needed to upgrade the app. Matt said I should change my email password because the hackers had it. When the call was over, he said, I should contact my other bank.

I said “f***”. He told me not to swear.

Still, though, I had a slight niggle. What he was saying didn’t make sense to me. Even if, as he said, the hackers had full access to my phone, they wouldn’t be able to just log into my banking apps — they required a thumb print.

He brushed aside my worries. I didn’t understand the sophistication of the attack, he said. I checked his number, at his insistence. It was Starling’s. By this stage we had been speaking for 15 minutes. He said it was imperative I upgraded my security.

“The hackers are in your bank app now,” he said. He was calm, but authoritative. “We need to send an authentication notification under an alias. It will come from ‘Warehouse Utilities’.” When I clicked on this, he said, it would upgrade the app without the hackers knowing, and kick them out.

I didn’t really understand. I took the phone from my ear, and opened the Starling app. The notification popped up: “Warehouse Utilities”. I also saw that it required I approve a £1,000 transaction. You need to understand, I’m panicked. I’m worried I’ve compromised all my bank accounts, and all my work. Matt has warned me that the hackers could have got access to the work wi-fi. Still, my stupidity has limits. I’m not clicking on that.

I said: “I’ll call you back immediately on this number.”

“There is a long wait and we can’t guarantee your funds if you do that,” he said. “They may clear you out.”

“That makes no sense, just block transactions,” I said. For the first time, he sounded flustered.

Then I asked: “What were we saying just now on the online chat?”

He said: “You were asking to verify this call.”

I wasn’t. I hung up.

Here is my attempt to reverse engineer what happened. It was, I believe, a total coincidence that the moment I realised my mistake and was on the bank’s online chat was the moment Matt called. Everything that came after was planned. His goal throughout was to sound calm and professional, while making me increasingly flustered. So much so that I didn’t notice that he was “verifying” me more than I was verifying him.

He had my “security details” because — this was another Homer Simpson head slap moment — I’d autofilled my address on the “Royal Mail” page. Part of the verification involved me telling him my bank balance “to confirm it’s you”. So he knew how much I was good for.

There were nice touches too. He could ad-lib — telling me not to swear was genius. This man was clever. He had options in life, but the tragedy is he chose this. Ultimately though, in this instance, his labour was for naught. I didn’t click. Instead I rang Starling — the number of which he had spoofed — and it sorted it all. After seeing how it worked, it seems obviously laughable that the bank would use an approach like his.

So what is the moral of my tale? I wonder how I would react reading this about someone else. Probably I would find the mechanism intriguing. Maybe I would warn elderly neighbours. Smugly I wouldn’t consider it an issue for me though. And yet. In that moment, when I thought someone was in all my bank accounts, all my emails, thinking the whole office might have been compromised by my idiocy? Well, I can see why people may, in a moment of madness, click.