UK utility company targeted in identity theft scam

Naked Security reader Carl just reported a refund scam with a twist.

Tax refund scams have become common, and include scams which target several different countries at once. Taxation scams usually rely on some sort of online phishing, in which you are encouraged to visit a fake – but legitimate-looking – website to register for your refund.

But this latest scam does it all differently. These scammers are claiming to offer a refund from the utility company British Gas, and the refund deliberately avoids asking you to go online.

To claim the refund, you need to prove identity, so you are asked to fax copies of relevant documentation to the scammers.

I’m sure your first reaction is that this scam has simply no chance of success. After all, who uses a fax machine at all these days? And, of those who do, who would put copies of their ID documents into the hands of an arbitrary third party?

Sadly, the answers are: lots of companies, and many people.

Yesterday, I was at the local branch of my bank to try to sort out some specious transactions. To get a copy of my statement from head office to the branch, the bank used a fax machine. Apparently, this is “for security purposes.”

And taking or requesting copies of ID documents has become commonplace around the world. I’ve seen merchants in the USA do it. I’ve been asked by hotels in Australia to let them copy my ID when I check in. (I politely but very firmly refuse.) I know it is a routine procedure at some pubs and clubs in Sydney to make a high-resolution scan of customers’ driving licences as a condition of entry. Again, all “for security purposes.”

Avoid sharing copies of your identification documents with anyone, unless the law requires it.

In the example above, you’d be passing your personally identifiable information (PII) directly to the scammers. But even if the refund had come directly from a legitimate company, faxing through documentation is always best avoided.

Handing out high-quality copies of your PII is a data leakage nightmare – a nightmare made even more ghoulish by the increasing popularity of cloud-based services.

Your scanned documents (and, remember, modern fax machines are just scanner-computer-printer-modem combinations, frequently with network connectivity) might be held indefinitely, where malware or cybercriminals might get hold of them. They might be archived over the internet onto any number of servers owned by any number of other companies, possibly in other jurisdictions, where malware or cybercriminals might get hold of them.

And in many parts of the world – Asia Pacific, for example – there are no standardised regulations on security standards, few or no requirements for encryption, and few or no rules forcing companies (even multinationals headquartered outside the region) to come clean when data exposures occur.

So always keep the long-term privacy of your PII in mind. If in doubt, don’t send it out.

If you’re concerned about privacy, too – your own and that of your valued customers – why not download our free Data Security toolkit?
