A new phishing scam in which fraudsters offer fake TV licences to thousands of Brits, tricking them into sharing their bank account details, has resulted in over 5,000 complaints being lodged with Action Fraud in the last three months.
In October last year, Action Fraud issued an advisory to UK citizens, warning them to stay alert to emails sent by fraudsters offering fake TV licences and asking them to share their bank account information to resolve payment issues, to earn refunds, or to renew their existing licences.
The watchdog noted that such fraudulent emails contained phishing links, and that once a recipient clicked on such a link, it would open a ‘convincing looking TV Licensing website’ that would ask the person to update billing information, renew a licence, or edit licensing information.
“The fraudulent website will prompt victims to add their payment details, including the Card Verification Value (CVV) code on the back of their card, account number and sort code. With this information, fraudsters could drain bank accounts and commit identity fraud. It may also ask for the victim’s name, date of birth, address, phone number, email and even mother’s maiden name which suggests fraudsters will try to access other online accounts,” Action Fraud warned.
Major rise in complaints about fake TV licence emails
The watchdog also reminded people that TV Licensing never emails customers, unprompted, to ask for bank details or personal information, and does not offer refunds through emails. Therefore, any email purporting to be from TV Licensing and asking users to share their personal or financial information is a phishing scam.
“Devious fraudsters are constantly using new tactics to trick victims into handing over their personal information, often with devastating consequences. This is particularly nasty as it looks so convincing. We work tirelessly to stop fraudsters in their tracks and to prevent unsuspecting members of the public from falling victim to fraud,” said Pauline Smith, Director of Action Fraud.
Between September and October last year, Action Fraud received 2,685 reports from citizens concerning fake TV licence emails and, according to the BBC, it received a further 5,247 complaints between October 1 and December 31 concerning the phishing scam.
Considering that only 1,614 complaints were lodged with Action Fraud in the preceding nine months, it is clear that fraudsters behind the fake TV licence scam have upped their game and are now more committed in their efforts.
Adaptive authentication will negate the use of stolen credentials
“Much of the success of phishing attacks can be attributed to the low level of security awareness among the user community. Users express shock at how accurately attackers are able to imitate legitimate companies during phishing campaigns. These campaigns prey on the common user’s disregard for security warnings and are timed to coincide with peaks in company activity, such as when TV licenses are up for renewal or at a deadline,” says Stephen Cox, Vice President and Chief Security Architect of SecureAuth.
“Users are not the only ones to blame. There is a shared onus here, between the users maintaining a level of vigilance during their online activity, companies engaging in reasonable security to protect their users and sensitive data, and the security industry as a whole to continue to raise the bar in terms of innovation and user experience.
“Companies must understand the urgent need for stronger identity security practices, allowing them to increase the trust that their users are who they say they are. Strategies such as adaptive authentication can help fill this gap. These strategies look at all the attributes of an authentication attempt and make a real-time decision based on risk – using techniques such as analysing the user's past behavior and location, device recognition, IP address-based threat services, and phone number fraud prevention.
“This analysis is largely performed in the background, allowing corporations to render stolen credentials useless while not putting any additional burden on the user,” he adds.
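The risk-based decision described in the quote above, sketched as an added example (not SecureAuth's code or any product's API). The signal names follow the quote; the profile store, lookup sets, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed login history for one user; a real system learns this from past logins.
PROFILE = {"alice": {"devices": {"dev-7f3a"}, "countries": {"GB"}, "hours": range(7, 23)}}
# Constructed stand-ins for an IP threat service and a phone-number fraud service.
FLAGGED_IPS = {"203.0.113.50"}
RISKY_PHONES = {"+447700900123"}
# Illustrative weights and thresholds (assumptions, not values from any product).
WEIGHTS = {"new_device": 30, "new_country": 25, "odd_hour": 10,
           "flagged_ip": 40, "risky_phone": 35}
STEP_UP_AT, DENY_AT = 30, 70

@dataclass
class Attempt:
    user: str
    password_ok: bool
    device_id: str
    country: str
    hour: int
    ip: str
    phone: str

def signals(a: Attempt) -> list[str]:
    """Return the names of the risk signals this attempt triggers."""
    p = PROFILE.get(a.user, {"devices": set(), "countries": set(), "hours": ()})
    checks = {
        "new_device": a.device_id not in p["devices"],
        "new_country": a.country not in p["countries"],
        "odd_hour": a.hour not in p["hours"],
        "flagged_ip": a.ip in FLAGGED_IPS,
        "risky_phone": a.phone in RISKY_PHONES,
    }
    return [name for name, hit in checks.items() if hit]

def decide(a: Attempt) -> tuple[str, int, list[str]]:
    """Map an attempt to allow / step_up / deny from the summed signal weights."""
    if not a.password_ok:
        return "deny", 0, ["bad_password"]
    hits = signals(a)
    score = sum(WEIGHTS[h] for h in hits)
    action = "deny" if score >= DENY_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return action, score, hits

# Constructed attempts: the usual login, the same user on a new laptop, and a
# correct (phished) password replayed from an unknown device, country and flagged IP.
USUAL = Attempt("alice", True, "dev-7f3a", "GB", 20, "198.51.100.7", "+447700900456")
NEW_LAPTOP = Attempt("alice", True, "dev-b21c", "GB", 9, "198.51.100.7", "+447700900456")
PHISHED = Attempt("alice", True, "dev-0000", "XX", 14, "203.0.113.50", "+447700900456")
```

The usual login passes with no extra prompt, the new laptop triggers a second factor, and the phished password is refused even though it is correct.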