Naked Security reader Carl just reported a refund scam with a twist.
Tax refund scams have become common, and include scams which target several different countries at once. Taxation scams usually rely on some sort of on-line phishing, in which you are encouraged to visit a fake – but legitimate-looking – website to register for your refund.
But this latest scam does it all differently. These scammers are claiming to offer a refund from the utility company British Gas, and the refund deliberately avoids asking you to go online.
To claim the refund, you need to prove identity, so you are asked to fax copies of relevant documentation to the scammers:
I’m sure your first reaction is that this scam has simply no chance of success. After all, who uses a fax machine at all these days? And, of those who do, who would put copies of their ID documents into the hands of an arbitrary third party?
Sadly, the answers are: lots of companies, and many people.
Yesterday, I was at the local branch of my bank to try to sort out some specious transactions. To get a copy of my statement from head office to the branch, the bank used a fax machine. Apparently, this is “for security purposes.”
And taking or requesting copies of ID documents has become commonplace around the world. I’ve seen merchants in the USA do it. I’ve been asked by hotels in Australia to let them copy my ID when I check in. (I politely but very firmly refuse.) I know it is a routine procedure at some pubs and clubs in Sydney to make a high-resolution scan of customers’ driving licences as a condition of entry. Again, all “for security purposes.”
Avoid sharing copies of your identification documents with anyone, unless the law requires it.
In the example above, you’d be passing your personally identifiable information (PII) directly to the scammers. But even if the refund had come directly from a legitimate company, faxing through documentation is always best avoided.
Handing out high-quality copies of your PII is a data leakage nightmare – a nightmare made even more ghoulish by the increasing popularity of cloud-based services.
Your scanned documents (and, remember, modern fax machines are just scanner-computer-printer-modem combinations, frequently with network connectivity) might be held indefinitely, where malware or cybercriminals might get hold of them. They might be archived over the internet onto any number of servers owned by any number of other companies, possibly in other jurisdictions, where malware or cybercriminals might get hold of them.
And in many parts of the world – Asia Pacific, for example – there are no standardised regulations on security standards, few or no requirements for encryption, and few or no rules forcing companies (even multinationals headquartered outside the region) to come clean when data exposures occur.
So always keep the long-term privacy of your PII in mind. If in doubt, don’t send it out.
If you’re concerned about privacy, too – your own and that of your valued customers – why not download our free Data Security toolkit?
No alert Brit should fall for this:
The phrase "government-issued ID" isn't commonly, if at all, used here.
"Driver's permit" again isn't used – we call it a driving (or driver's) licence.
To me – even though I live in Oz – that is indeed "non-Anglo" terminology, and stands out like a sore thumb.
But lots of UK residents aren't UK-born. And American English can be considered unexceptional in the UK, especially to those who learned English outside the British Isles.
Many of us are used to overlooking (or perpetrating) orthographic anomalies.
(Anyway, what's a company which sells gas doing offering you an electricity refund? 🙂)
British Gas sell electricity as well. But having dealt with them during my time in the UK I can assure you they'd never ever offer anyone a refund unless you had a gun at their head 🙂
Absolutely. They are far more likely to issue “negative refunds” in my sad and sorry experience with BG. They were by far the worst of a bad bunch of British utilities – totally incompetent most of the time, customer-averse and unwilling to acknowledge or apologise for their faults.
The scammers could hardly have picked a more unlikely source of refunds!
By the way, when I worked in Bristol, a series of annoying FAX calls to my office phone turned out to be from a local bank branch trying to send someone’s PII to another branch: I diverted my calls to the office FAX machine and watched in horror as the printout appeared. The branch apologised and the calls stopped so that part of their procedures was working fine but FAXing PII is hardly what I would call a generally accepted good security practice!
Gary.
You publish an article about personal information security, offer a toolkit, and then require a bevy of personal information. Or is this a test?
Well, we're not asking for things like birthday, address and the like. And you can (as am I sure you found out) enter almost any old tat to get past the form.
Nevertheless, I don't like that form either. I'm going to use your comment to lean on marketing a bit to see if we can get rid of it 🙂
Had to reply. British Gas also sell electricity. In fact they are one of the biggest suppliers in the deregulated (privatised) energy market.
As I hope the smiley pointed out, I'm aware of that. It just seems worth remembering that in a world in which gas companies sell electricity (and vice-versa), and in which an email from a gas company about saving money on your 'leccy bill is not unusual…
…we can forgive people for not caring too much whether a licence is called a license or, for that matter, a permit. (If you're Francophone, for example, the words "driving permit" probably seem to be a much more natural English translation than "driving licence".)
I agree that the language is suspect – it often is obvious to the alert reader that the writer is not a native speaker – but don't be too dismissive: most if not all utility (not an English word) companies offer dual fuel tariffs (electricity and gas), British Gas included, and many people will have both with one company because it is usually cheaper than using different providers.
Very true. Even if the copy of your ID is shredded after a predetermined time, most modern copy machines have a hard drive which keeps a copy of all documents it has ever scanned.
And as this video shows, scammers have gotten smart about trying to snap up old copy machines precisely for this reason.
Well, you would still have to be a monkey to fall for this. Anyone gullible enough to fall for it is obviously in dire need of a sharp shock to bring them to the reality that is… Don't give people your most precious details unless you are 100% sure it is legit.
I can't count the number of times I was "required" to leave my passport overnight at a hotel desk while they "check" my details. Well, I'm older and wiser now.
I am sure there is some rule regarding how much UK utility companies can have of your money before giving an automatic refund. Southern Electric gave me an automatic refund for gas of just over £150 and they didn't need to ask for my bank details either!!!
I have a question about identity theft. I am an American citizen but living in a different country. I got married and when I got my new passport I also opted to change my first name as well as my last. I was instructed to get a new social security number, but I never got around to doing it. I have a massive credit card bill in my old name that I defaulted on and have not paid for over a year. If someone were to "steal" my identity of my old name would that identity actually be of any use to anyone?