Know your fraudster:
Types of criminals and what they want from you

By Marianne Curphey

Card fraud is an ongoing battle. On one side are banks and security experts; on the other, petty criminals and sophisticated crime organisations. Caught in the middle is you, the consumer, and in security terms, consumers are the weakest link. To best protect yourself from fraud, it helps to know the kinds of fraud that exist, and how each scheme works.

Security experts are making progress. Card fraud as a proportion of card purchases fell to 6.9p for every £100 spent, the lowest level since 2011 and down from 7.5p at the end of 2014, according to Financial Fraud Action UK (FFA UK). The decline is partly due to banks and card companies becoming increasingly better at detecting and preventing fraud. Their security systems prevented £910.9 million worth of attempted card, online and telephone banking and cheque fraud in the first half of 2015. know-your-fraudster

However, John Cannon, fraud and ID director at credit reference agency Noddle, said in some ways, these heavier defences leave consumers more vulnerable. "As it becomes increasingly hard for fraudsters to bypass controls, they divert their attention to the consumer and use social engineering techniques to gather the information they need, such as phishing emails or [vishing calls]," Cannon said in an emailed response to questions.

Here are six types of fraudsters, and the most common ways they swindle consumers.

1. The phisher/visher.
This is a familiar scam -- you receive a fake email from someone pretending to be from your bank, a utility company, the tax office or some other company you use, such as Apple or PayPal. The sender asks you to visit a false website and log in with your account details, which the criminal then harvests.

Alternatively, they might ask you to send money to help a sick relative, or offer to give you a large sum of money, but only if you provide them with your bank account details so they can transfer the funds directly. According to Kevin Wharram, an independent security expert based in the UK, many of these emails originate from Nigeria, while people who harvest and trade your stolen credit card details are usually from Russia, Romania, and other countries in Eastern Europe.

You might also receive a fraudulent phone call, which is called vishing. The Money Advice Service reported in October 2015 that 63 per cent of Britons had received a suspicious call in the 12 months preceding the report, and 3.5 million people had been victims of telephone fraud since 2010.

Once a phisher or visher has your credit card or login details, they can pass on or sell them to organised criminals online. "It is increasingly hard to tell genuine customers apart from fraudsters because our online profiles of ourselves are easily impersonated," Cannon said. "Technology is also providing more opportunities for fraudsters to exploit and gather the information they need to impersonate consumers."

2. The organised criminal.
Some criminals run specialised hacking forums on the Dark Web (a collective expression for a part of the internet that is not visible to ordinary search engines and where illegal activities and merchandise are advertised) to buy and sell stolen credit card data. The Dark Web requires a network of criminals to pass on links and passwords to access seemingly invisible pages.

"In order to access the Dark Web, you need specialist tools," he says. It requires the user to download software that allows anonymous browsing. The Dark Web holds password-protected data, such as government or company information. Those who can access the Dark Web can purchase a number of illegal items, such as drugs, weapons and stolen credit card data, Wharram says. He says your credit card data might be on sale there for just US$1.

Security expert Pierluigi Paganini, chief information security officer at digital security company Bit4id and author of the blog Security Affairs, says in his blog that the price for stolen card details is variable. Those variables include the card's credit limit, type of card, account balance and geographic location of the card owner.

Organised criminals may also hire specialists who can break into company systems to steal data or hold it for ransom. These are the hackers.

3. Hackers.
Hackers might include malware writers, cyber-hackers or people who specialise in cracking the security or getting through the firewalls of large companies, banks and financial services providers. Cannon says hackers could be organised criminal gangs and terror groups or teenagers flexing their technical prowess from their bedrooms.

"This is what makes it challenging -- the digital world we live in now means anyone can be a hacker with the right knowledge and skills," he said. "The online world provides the protection of allowing hackers to hide and therefore lessens the risk of being caught."

Wharram says that, despite their specialist skills, hackers can be relatively cheap to find and hire on the Dark Web.

"It's a place where organised criminals, who might not have hacking skills themselves, can find people who know how to break into systems and steal data," he says.

Paganini says as more retailers and other online companies collect data about consumers' card use and shopping habits, organised criminals are trying out ways to steal this data and exploit it.

The biggest prize is to hack into a large organisation where personal data is held, he says on his blog. "Access to one of these databases that contains data for millions of cards could open the doors of heaven for a criminal."

Furthermore, Wharram says companies often don't realise they have been hacked until months later, giving hackers plenty of time to mine the data at their leisure.

Wharram also says ransomware -- a malicious programme you accidentally download to your computer -- is on the rise. People often accidentally download it by clicking on an executable file or something that looks like a pop-up ad or a software update. The programme then encrypts your picture or word files and asks for money to unencrypt.

"These programmes target companies or individuals and encrypt and jumble all your data so you can't read it," Wharram says. "Then, they ask you to pay for it to be unscrambled. Often, people do pay because it is their personal computer and all their photographs and personal or financial information is actually much more valuable to them than their credit card details."

4. Skimmers and "insiders".
When you pay for a meal with your card at a restaurant, a server may take your card, check you out and then return it. A dishonest server can steal your card details (including your CVC on the back of the card) by simply copying them down, then either use the card or sell the details to someone else. This scenario is rare, as most places in the UK (but not throughout Europe) allow you to pay at the table, but some restaurants still take your card.

Alternatively, your card information might be read and downloaded by a skimmer, a machine that is sometimes installed over the typical card insertion terminal in ATMs or at petrol stations. Skimmers collect your card number as you swipe. Some skimmers work in conjunction with a camera so a thief can gather your PIN or CVC as you enter it on the keypad.

Wharram says petrol outlets are such a target that he now only pays for fuel with cash to avoid his card details being stolen.

5. "Bumpers".
A new and emerging threat is that of remote theft, in which someone bumps into you in a busy place and takes money from your contactless card without you even being aware of it.

Most cards have a contactless function that allows you to make payments up to £30 without signing or inputting your PIN. You simply touch the card to the retailer's payment terminal and the transaction is authorised.

"On commuter trains, the London Underground or a busy restaurant, someone could bump into you and hold a handheld payment terminal against your bag, pocket or wallet long enough to take money from your card," Wharram says. You might not even notice it has happened, and you might not register the sum stolen right away because it is such a small amount.

For this to work, the thief must be close enough to capture the signal given off by the contactless card. A fraudster may even follow you and observe your habits in advance so he knows exactly where you keep your cards. Though you might notice someone standing abnormally close to you in a sparse area, in a crowded place, you may not think twice about it.

For this reason, Wharram only uses an Oyster Card, and not his credit or debit card, for travel on the Underground.

"It is still relatively uncommon but simple for a thief to do," Wharram says. "One option to protect yourself is to buy a shield for your card which prevents it being read remotely while it is in your pocket or bag."

6. Social media harvesters.
Your social media profile may reveal your birthday, your mum's maiden name, your oldest niece's name, where you went to school or the make and model of your first car. The catch: these are often answers to some of the security questions websites put in place to prevent a fraudster from logging into your account.

"Sites like Facebook are used by criminals to garner lots of personal information on an individual that can be used for identity theft," says Wharram.

"Social engineering is an increasing problem," Cannon said. A hacker could obtain a certain amount of information from social media accounts, he said, then soon enough, the information finds its way onto places like the Dark Web, where it's picked up by other fraudsters. Those fraudsters then use social engineering to get the remaining information directly from the unsuspecting consumer to enable them to commit financial fraud.

"It means we all need to be even more careful about what we're saying on the internet, or even over the phone," Cannon said. "If you're not absolutely sure that the person you're talking to is who they say they are, don't risk it."

See related: Victims of fraud not liable for thief's charges -- usually, Protect yourself from phishing and smishing

Updated: 14 November 2017