As Hacker News reported on November 17, Three, one of the UK's biggest mobile phone operators, has been hacked. Initially, it was thought that the personal information and contact details of 6 million customers had been stolen.
The hackers are alleged to have gained access to a phone upgrade database containing account details, which it is feared could be used by fraudsters to target Three mobile customers. It is believed that the hackers used the database to find customers eligible for handset upgrades and then placed orders for the new phones, intercepting the parcels as they arrived and reselling the stolen handsets [Source: The Register].
According to media reports, including some citing the National Crime Agency (NCA), the hackers used an employee login to gain entry to Three's database. Three's CEO, David Dyson, has been reported in The Register as saying that the primary purpose of the attackers was not to steal customer information but to acquire new handsets fraudulently. He states that information from a total of 133,827 customer accounts was obtained, but that no bank details, passwords, PINs, payment information or credit/debit card information are stored on the Three upgrade system in question [Source: The Register]. However, there has been speculation online that names and phone numbers could be used by scam callers to convince customers that they are calling from a bank or phone company, and so to obtain account numbers and security details.
Spear phishing possible using stolen email addresses
Three has confirmed that the data accessed included names, phone numbers, addresses, dates of birth and, according to The Telegraph, "some email addresses". This creates a further risk for those affected: if fraudsters know your email address, then in addition to phone scams you could become the victim of a 'spear phishing' attack. In this type of fraud, an email arrives in your inbox apparently from an individual or business that you know, asking you to provide, for what often seems like a plausible reason at the time, confidential information such as payment or credit card and bank account numbers, security codes, usernames, passwords and the answers to security questions.
Confidential data makes you trust scammers
If only a few people know your email address, you are more likely to trust an email that arrives at it and supply what the fraudster needs to make unauthorized purchases on your account or transfer cash to an account they have set up to receive it. The email itself can appear convincing, with a well-formatted HTML layout, corporate logos and links to fraudulent websites set up by the scammers, whose forms for entering confidential data look as professional as the real thing. It is hardly surprising, then, that spear phishing is a fast-growing cyber threat according to Symantec's latest Internet Security Threat Report.
To many cyber security professionals, this type of online phishing crime is all too familiar. The National Fraud Intelligence Bureau (NFIB) and Get Safe Online reported in 2015 that phishing scams cost the UK £174.4 million. This may be due in part to the relatively low level of awareness of the threat among consumers and in some organisations, especially those that do not provide employees with cyber security awareness training. Social engineering phishing tests conducted on behalf of companies by cyber security consultants such as 7Safe have shown that alarming numbers of staff open fraudulent emails and click the links in them.
Mobile users worst affected by phishing emails
Mobile users are especially vulnerable, as IBM showed in a report published in 2011: as soon as a phishing website is advertised through fraudulent email messages, the first systems to visit it are typically mobile devices. This makes sense, since mobile users are "always on" and are most likely to read email messages as soon as they arrive in their inbox. Verizon's annual Data Breach Investigations Report says that a staggering 30% of people who receive phishing emails open them.
[Source: Verizon's 2016 Data Breach Investigations Report]
Most fraudulent emails call for an instant response: typically they claim that suspicious activity has been detected on your account and that immediate action is required. Most victims who fall for this ploy visit the phishing site quickly, so the first couple of hours of a phishing campaign are critical to the success of the fraud. After that, many of the attacks are blocked by phishing filters or the sites are taken down.
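The lures described above (a convincing HTML message with links to a look-alike site, and an urgent "suspicious activity" pretext) can be checked for mechanically. The following is an added example, not code from the article or from 7Safe, showing a small Python heuristic that parses a raw email and flags four indicators: a Reply-To domain that differs from the From domain, urgency phrases in the subject or body, anchors whose displayed URL differs from the real href, and links that point outside the sender's domain. Both sample messages are constructed for this example; the `.example` domain is a reserved placeholder standing in for an attacker-controlled host, and the phrase list, scoring and domain names are assumptions of the example, not anything Three or 7Safe uses.

```python
# Added illustration (not the article's or 7Safe's code): heuristic phishing
# indicators for a raw email. Sample messages are constructed; ".example" is a
# reserved TLD (RFC 2606) standing in for an attacker-controlled host.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed phrase list for the "act now" pressure tactic; tune for real use.
URGENCY_PHRASES = ("suspicious activity", "immediate action", "within 24 hours",
                   "account will be suspended", "verify your account", "act now")
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _TextAndLinks(HTMLParser):
    """Collect the visible text and every (href, anchor text) pair."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._anchor is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            if self._href:
                self.links.append((self._href, "".join(self._anchor).strip()))
            self._href, self._anchor = None, None


def _host(url):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _addr_domain(header):
    """Domain part of the address in a From:/Reply-To: header ('' if absent)."""
    addr = parseaddr(header or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _same_org(host, domain):
    return bool(host and domain) and (host == domain or host.endswith("." + domain))


def _body_text(msg):
    """Decode all text/* parts, so multipart/alternative mail works too."""
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join((p.get_payload(decode=True) or b"").decode(
        p.get_content_charset() or "utf-8", "replace") for p in parts)


def phishing_indicators(raw_message):
    """Return a dict of indicators; any True/non-empty value is a red flag."""
    msg = message_from_string(raw_message)
    from_domain, reply_domain = _addr_domain(msg.get("From")), _addr_domain(msg.get("Reply-To"))
    parser = _TextAndLinks()
    parser.feed(_body_text(msg))
    parser.close()
    text = re.sub(r"\s+", " ", (msg.get("Subject") or "") + " " + "".join(parser.text)).lower()
    link_text_mismatch, off_domain = [], []
    for href, anchor in parser.links:
        shown = _HOST_RE.search(anchor)          # hostname the reader *sees*
        if shown and _host(shown.group(1)) != _host(href):
            link_text_mismatch.append(href)      # ...differs from the real target
        if _host(href) and not _same_org(_host(href), from_domain):
            off_domain.append(href)              # target not under the sender's domain
    return {"reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
            "urgency_phrases": [p for p in URGENCY_PHRASES if p in text],
            "link_text_mismatch": link_text_mismatch,
            "off_domain_links": off_domain}


def phishing_score(indicators):
    """Number of indicator categories that fired (0 = nothing suspicious)."""
    return sum(1 for v in indicators.values() if v)


# Constructed sample: spoofed display name, off-domain Reply-To, urgency lure,
# and a link whose displayed URL differs from its real target.
SAMPLE_PHISH = """\
From: Three Customer Care <upgrades@three.co.uk>
Reply-To: support@three-upgrades-verify.example
Subject: Suspicious activity on your account
Content-Type: text/html; charset=utf-8

<html><body><p>We have detected suspicious activity on your account. Immediate
action is required or your service will be suspended within 24 hours.</p>
<p>Please visit <a href="http://three-upgrades-verify.example/login">https://www.three.co.uk/myaccount</a>
to confirm your details.</p></body></html>
"""

# Constructed sample of an ordinary transactional message for comparison.
SAMPLE_LEGIT = """\
From: Three <noreply@three.co.uk>
Subject: Your upgrade is on its way
Content-Type: text/html; charset=utf-8

<html><body><p>Your new handset has been dispatched. Track it at
<a href="https://www.three.co.uk/track">www.three.co.uk/track</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        found = phishing_indicators(sample)
        print(name, phishing_score(found), found)
```

Running the script prints a score of 4 for the constructed phishing message and 0 for the ordinary one. A heuristic like this only sees the message content; a real mail gateway also checks the SMTP envelope sender, SPF and DKIM results and URL reputation, which is why the urgency and link-mismatch checks here are a teaching aid rather than a filter to deploy as-is.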
To quote Tony Neate, Get Safe Online’s CEO, “Social engineering is becoming ever more targeted and personal, which is why it’s no surprise that the number of cases is on the rise. What’s worrying, however, is the complex nature of these scams and how they tap perfectly into feelings that make us panic – if we get an email purporting to come from someone we trust (such as our bank) about something that is emotive to us all (money) and then demand that we act urgently, it’s almost like the perfect storm.” [Source: Think Twice Before You Act: Warning from Get Safe Online as Reported Phishing Scams Rise by Over 20%, Get Safe Online.]
Analysts expect 50% of e-commerce transactions to come from mobile devices as consumers take advantage of the convenience of mobile in the run-up to Christmas. How many of these, one wonders, will come from fraudsters whose phone scams and phishing attacks have netted them consumers' payment card account logins, passwords and security codes? Hackers and scammers look set to have a bumper festive season!
# # #
Read about Phishing Tests and Cyber Incident Response here:
Organisations can spend large amounts of money protecting the IT infrastructure on which their information is stored and processed, but sometimes overlook the weakest point of the system: the users. Test whether your staff are likely to open suspicious emails and compromise your security:
How you respond to a cyber security incident determines the final outcome. 7Safe's expert CSIR team can help your organisation take the right steps before it suffers a breach:
Need expert help now? Talk to our advisers in confidence on
+44 (0)870 600 1667