Canon Marketing Japan Inc. ESET SPECIAL SITE: Canon MJ provides security information for safe digital utilization. Cyber Security Information Bureau, ESET

"Bank account has been messed up": Experience of spoofing damage

In August 2020, Martin Cowl (a pseudonym) heard from a former neighbor that a letter had arrived at his old address. When he first heard about it, he thought nothing of it. However, when he actually read the letter, which came from a cell phone company he did not recognize, he realized he had been scammed. An unknown scammer had entered into a large contract in his name. As it soon turned out, this was not the only damage.

Fraudulent use of personal information has never been easier. With the proliferation of information leaks and phishing scams, and the active disclosure of everyday life on social media, criminals can easily obtain the personal information of others. For example, they misuse the stolen information to withdraw money from a bank account or securities account, take out a loan, or steal a tax refund. According to a recent survey, the damage caused by spoofing (impersonation) crimes in 2020 reached $56 billion (equivalent to ¥6,340 billion) in the United States alone.

Similar damage is happening all over the world. Martin Cowl is from Germany, and his case is far from isolated there. According to a survey conducted by the Forsa Institute (a specialized agency for social research and statistical analysis), 12% of German Internet users in 2018 were victims of spoofing. In addition, 10% of victims suffer financial damage as a result of their personal information being stolen or misused. Furthermore, 80% of victims had the inconvenience of having to repeatedly explain the situation to police and financial institutions.

To learn how to prevent spoofing and counter criminal gangs, we heard a concrete account from Martin, an actual victim, of how he was victimized by spoofing, how he solved the problem, and how he returned to his daily life.

Experience of spoofing damage: Martin Cowl (pseudonym)

Last year you were the victim of spoofing. How did you notice the scam?

Martin Cowl: Actually, the first thing that triggered me was a phone call from my former neighbor. At the end of August 2020, I was informed that a letter had arrived at my old address from a company called Simplytel. He asked if he could throw away the letter, but I asked him to open it. It turned out that it wasn't a leaflet, but a contract I had never signed.

Did you immediately notice that you were being impersonated?

Martin Cowl: At first, I thought it was some kind of mistake. However, I soon began to suspect that I had been the victim of spoofing. At that time, I had been away from my old address for three years and had nothing to do with Simplytel. The suspicion turned into conviction because the following week I received similar letters from other companies.

What exactly happened? How was your personal information stolen?

Martin Cowl: I still don't know the details. It seems that someone has abused my old data to sign up for subscriptions such as Netflix and multiple mobile operators on my behalf. It included contracts with insurance companies, and there were a total of eight contracts. Other letters were returned with the statement, "The new address is unknown because the recipient has moved out."

What steps did you take after you became aware of the damage caused by spoofing?

Martin Cowl: When I found a debit in my account that I didn't remember, I thought I had to deal with it immediately. I was worried that similar letters would be sent to my old address again and would keep being sent. At the same time, I thought I had to file a damage report immediately. How could I tell each company that I was the victim and not the criminal?

My bank account was messed up. Companies I had no contract with debited my account one after another. At first I refused to pay, but I was wondering what to do because it continued endlessly. I couldn't find any other way to stop the withdrawals, so I decided to change banks after all.

I also registered for the Schufa Plus service. (Schufa Plus is a credit monitoring service provided by Schufa, Germany's largest credit bureau.) I was very worried that spoofing damage would affect my credit score. Schufa has a notification service that allows me to be aware as soon as possible when there is a change in my credit score or when I get an inquiry about me.

Did you receive any support from companies or the government?

Martin Cowl: Filing a criminal complaint during the lockdown caused by the coronavirus pandemic was, to be honest, the worst procedure. I could only do the procedure online, not face-to-face, and I felt that "nothing was actually going on." I was able to contact the police by phone a few weeks later, and finally I was able to get a reference number and tell the person in detail what happened. I reported the email address, IP address, time of day, online form, etc. used by the criminal, but the investigation was completed in mid-February 2021 without any consultation. It was very disappointing.

At the bank, I was able to cancel a payment I didn't recognize without any problems, and the procedure was very quick. However, I decided to change banks just in case, so it took time to complete the procedure. It took 20-30 hours to transfer payments for family accounts, two sub-accounts, two credit cards, and all debit cards.

The most annoying and expensive thing for me was interacting with affiliates. I had to contact each company. Unlike the perpetrator who made a legally invalid "contract", as a victim, I had to prove my legitimacy to customer support. So I encouraged them to connect me to the legal and fraud departments so that they would hear from me. It was certain that I would have to deal with debt collection companies and default summonses later if I didn't take action and "keep an eye on the ball."

How much did you lose in the scam?

Martin Cowl: Eventually, I was able to get a refund from the bank after confirming all payments and contacting the companies that I didn't approve. It was a small expense, except for the time I spent, such as changing banks, membership fees for Schufa Plus, and communication costs for procedures.

Did the spoofing scam cause any problems other than Schufa or the bank?

Martin Cowl: Fortunately, it wasn't a big deal at the bank, but even though I contacted Schufa directly and submitted all the data, my credit score dropped from 99 or higher to 90 or lower. In particular, it seems that there were many inquiries about mobile phone contracts. The credit score calculation is objective so that fraud does not occur, so it is not kind to victims of fraud. If I had tried to get a mortgage or make a big payment at this time, I would have been denied because of my credit score. It took a lot of time and effort, but after a while my credit score returned to its pre-scam level.

Then did you find out how the perpetrator stole your personal information? Were you careless?

Martin Cowl: Unfortunately, I'm not sure how the criminal got my data. Only my neighbors know that I have moved to my current address, so it's unlikely that the data came from an acquaintance. I suspect that information containing my old address may have been misused due to a previous eBay information leak.

I shouldn't have been careless. I just used the internet normally. But it turns out that spoofing makes it easy for criminals to steal money. In Germany, it is enough to know your name, address, account number and date of birth to make a personal contract on the Internet. Not only did the online contracts not require proof of identity, but I was also surprised by the fact that the companies did not verify the validity or authenticity of the information. No company noticed an invalid address or a completely inappropriate email address that wasn't related to me (e.g. janbaumgaertner1997@gmx[.]de).

How do you look back on the damage caused by spoofing? Do you have any advice on how to avoid damage?

Martin Cowl: What I've learned is that anyone can be a victim of spoofing, even if you haven't done anything wrong. I do not connect to the Internet without proper security measures, use insecure passwords, or easily provide personal information to campaigns. I also regularly suspend old and unused accounts. However, as a result, I could not escape the damage of spoofing.

But the only thing I can advise others is to check the mailbox often. After moving, ask your old neighbor to check. Prompt response is important to avoid the damage caused by spoofing. Mail sent fraudulently to the old address must be returned to the nearest post office with the note "The new address is unknown because the recipient has moved out." This is the only way to avoid giving the sender the impression that the mail has been delivered properly.

What are you doing now to protect your personal information and keep it secure online?

Martin Cowl: I am taking all possible security measures. In addition, since the damage, I use the online service haveibeenpwned.com to regularly check whether my account information has been stolen. And I check my accounts more often than before so that I can deal with fraudulent transactions as soon as I notice them.

How can I protect myself from theft and spoofing of personal information?

The following 10 tips should be of great help in protecting your personal information. Read the advice from ESET Chief Security Evangelist Tony Anscombe.

What should I do if my personal information is stolen or spoofed?