Dumb and Dumber: Banking Scam Shows Stunning Stupidity

We are still very naive about cyber crime, as the largest ever UK telephone banking scam makes painfully clear.

A company big enough to have more than £1 million on deposit was apparently dim enough to have a feeble system in place for protecting it against fraud.

We should expect more jaw-dropping examples. Cyber crime is increasing rapidly, costing individuals and businesses in Britain more than £27 billion a year.

It affects one in three of us now; and a number of firms with professionals who should know better have lost money to fraudsters recently, largely through not bothering to check who was asking for it.

Perhaps part of the problem is still being in thrall to the cyber criminal, seeing them as some sort of latter-day Scarlet Pimpernel, a cunning devil masked by clever software but able to steal whatever they want. Wrong, actually.

No particular genius was needed to call up this latest firm, let us call them Embarrassed Ltd as the police are declining to identify them, and even have a digital swag bag downloaded. It only needed naivety on the part of the victim.

A helpful employee apparently bought the line that there was a virus on their internet banking facility. They should transfer their accounts, they were told, via remote access software into holding accounts whilst the problem was sorted out.

The ridiculous simplicity of the scam is the only thing stunning about it. Some cyber crime is highly sophisticated, and there is certainly an invisible, constant war being fought between companies and online crooks. But most is committed not by master criminals, but by master opportunists.

Chance seized rather than plans thought through is why many get caught. But whilst crime is never acceptable, neither is leaving your front door and windows open before going on holiday and not expecting an unwelcome visitor.

Firms have a responsibility to take the very basic steps that even a householder takes to protect their homes.

There is no excuse for a caller to be given access to banking details. None whatsoever. A decent dose of professional scepticism in this case, sadly lacking in many businesses, would have caused somebody to call their bank, and preferably someone they knew, to confirm the request.

Common sense also dictates having a fail-safe system to protect assets. Whoever took the call should have asked for a second, and senior, internal opinion about how best to proceed.

I know from my own experience as a forensic accountant that a significant amount of fraud could be prevented by checks, and by having more than one person responsible for the books.

We cannot expect dim behaviour to be policed. Cyber crime is a tough one for police anyway, demanding resources but not often offering the gratification of a visible outcome that the wider public can see.

The lesson from this latest scam is that we need to police ourselves better. There is other evidence, too. The Home Office commissioned a survey from Ipsos MORI in 2012 on public attitudes and behaviour regarding internet security. It revealed some unsettling blind spots.

Whilst the vast majority of internet users (78 per cent) always used security software when connecting to the internet, wider good practice was less well used. For example, only 43 per cent of internet users said they would check a site was secure.

This clearly suggests at the very least some sort of polarisation that needs to be acted upon, a 'naivety gap' plugged.

Meanwhile, the next time a stranger does the equivalent of requesting that the front door be left open so that a faulty lock of which nobody was aware can be replaced, but only when the house is empty - just press the common sense button.