I remember when you switched on the news they’d nearly always be a story of a post office or bank that had been robbed at gunpoint. Since moving to a cashless society, those days have gone but it means crime has moved where the money is: online. In this post, I’m going to describe how easy it is for identity thieves to get hold of your personal information and take control of your bank account. This happened to me not too long ago, so hopefully, you can use what I’ve learnt to tighten your online and offline security.
Identity thieves stole £30K from my Nationwide account
I was aware of identity theft and online crime but I had no idea how easy it was for criminals to take control of my bank account. Below is the timeline of events that was given to me from Nationwide’s security team in relation to the theft from my bank account.
Timeline of events
|4th Sept||Impersonator phones Nationwide call centre but fails security questions.|
|6th Sept||Call centre attempt is successful this time. The impersonator requests a new debit card because their current one “went through the washing machine” and isn’t useable.|
|7th Sept||3rd call made to call centre, again successfully passing security questions. The impersonator claims they have forgotten their PIN so a new one is sent through the post.|
|8th – 13th Sept||PIN and debit card are intercepted in the post.|
|13th Sept||£17K spent on a car using my replacement debit card.|
|14th Sept||£6K spent on another car.|
|14th Sept||£7k transaction declined in Costco (Nationwide are finally becoming suspicious).|
|14th Sept||Impersonator phones Nationwide to successfully persuade them to allow the £7k transaction!|
|14th Sept||I finally receive a call from Nationwide asking whether this is me making the transactions.|
|17th Sept||I had to wait several unpleasant days for Nationwide to investigate before receiving a refund of the stolen funds.|
How thieves got hold of my personal information
When it comes to security the post is considered as the gold standard for sending sensitive information. Whereas, email and digital communication, in general, is considered insecure. This is completely back-to-front, “cybercriminals” are rarely hacking into your email account because that’s extremely difficult! Getting hold of your personal information through the post is much easier. In my case, it’s very easy because I live in a block of flats with a communal set of mailboxes like in the photo below.
These type of mailbox are easy to open (you don’t need to be a professional locksmith). I was shocked to see how easy it is to open these mailboxes after watching a video on Youtube. I want to make clear that in my case it wasn’t the postal service intercepting my mail. Criminals were coming into my building using a fob or shared access code and then opening residents’ mailboxes to intercept mail. You might be surprised at the amount of personal information such as your date of birth and middle name is being sent through the post. Soon after I was targeted a note went up on our communal notice board, highlighting that our entire building was being targeted.
Gangs use the internet to supplement the information they are harvesting on you. There are various sources to obtain this from, in my case they used Clearscore. This website and others like it are an identity thief’s dream companion. With a few pieces of your information, I can access a treasure trove of personal data such as who you bank with, your middle name, all the accounts you have open and your previous addresses.
Nationwide’s security is terrible
You only need to read the above timeline of events to see Nationwide lack competence with regards to security. How is spending £30K over 2 days including the purchase of 2 cars not deemed as suspicious? My experience has highlighted how weak Nationwide’s call centre and systems are. If requesting a replacement card and then PIN because you’ve “forgotten it” doesn’t raise a red flag with Nationwide’s security systems then nothing will.
Lloyds security is shocking too
About 2 weeks after the fraudsters used my card to purchase cars, alcohol and cigarettes I received 12 bank cards all in my name with different account numbers from Lloyds bank. I can only speculate that the original plan was to empty my bank account of cash by making transfers to bank accounts under my name and avoiding daily withdrawal limits by breaking it up into many accounts. Maybe because the cards were delivered late, they thought they’d been rumbled and changed the plan. It does beggar the question, how is it possible for 12 accounts to be opened under the same name and address? I put this question to Lloyds security team but they didn’t have an answer. All they could do was shut the bogus accounts.
How to stop identity thieves
Here’s what I’ve implemented and learnt since being a victim of identity theft. Your chances of becoming a victim will be drastically reduced by implementing these measures, if you’ve already a victim then your chances of being targeted again will also be reduced.
- Create an account on Clearscore, TotallyMoney and Credit Karma. These are the tools identity thieves use. Once you have an account, email them to check no one else has an account under your name. I did this to discover there was another active account with Clearscore and a failed attempted at TotallyMoney. For some ridiculous reason, they allow multiple accounts under the same name + address. After contacting them they have put blocks in place to prevent additional sign-ups under my name and removed the impersonator accounts.
- Go paperless with as many services as you possibly can and stop personal information being sent through the post. You’d be surprised how difficult this is. Banks and financial institutions seem obsessed with sending your personal information through the post.
- Change your mailbox lock. If you live in an apartment building with a shared mailbox area then replace the lock as the chances are it’s useless. I’ve been told “high security” radial keys are more challenging to pick.
- Register with Cifas (fraud prevention service) to combat credit being taken out in your name. If you have been a victim of ID theft then the bank will register you for free, if not the membership costs £25 for 2 years. Identity thieves are aware of the 2 year membership period and once it expires you will be targeted again (this happened to me).
- Leave your highstreet bank. The technology platforms and security of big banks are antiquated. Challenger banks like Monzo and Starling are a breath of fresh air with modern tech and security. One of the best features of these new banks is instant smartphone notifications when a purchase is made. If you see anything suspicious then you can deactivate your account immediately via the mobile app.
- Check searches against your name monthly. Use TotallyMoney to review suspicious soft and hard searches against your name. I have found TotallyMoney to be the best out of the free providers.
- Don’t use your real date of birth online. Big companies are obsessed with obtaining our personal information, however, time and time again they have proved they cannot be trusted with our data. The list of high profile data breaches is endless; Equifax, Sony, Adobe, Ebay, Linkedin, Yahoo, MySpace. These companies are hacked to get hold of your date of birth and other personal information. Other than for very selective organisations don’t give your real details.
- Do an online audit of your personal details. Scandalous websites like 192.com sell your details to scammers and spammers: get your personal information removed. If you’re a director of a limited company then Companies House like to advertise your personal information to the world. You can apply to have it removed but they charge. GDPR doesn’t apply to the UK government for some reason!
Security within the financial industry is shocking and “online gangs” take full advantage of this. Identity thieves know all the loopholes either from working at banks, paying for insider information or trial and error. After speaking with Nationwide, Lloyds and the police, it was clear they have no clue to what’s going on. We live in an online world where Google and Facebook frown on privacy which benefits them and criminals. Take back your privacy and make it harder for the thieves.