Scam watch: Ehic scammers steal £135

Many have been tricked into using commercial websites rather than the official website. We have discussed copycat websites in other Convos.

Yes we should be careful in how we use websites and look for GOV.UK websites rather than the first one that shows up in a web search.

I suggest that we need legislation to ban companies that offer alternatives to government services unless there is some obvious benefit to the consumer and that a company has been given a licence to provide the service. Even if a licence is granted the site should be required to display information such as:

Do you wish to apply for a FREE EHIC, with a link to: https://www.gov.uk/european-health-insurance-card
or do you wish to pay £**** for an EHIC (giving one or more benefits that have been confirmed as valid when the licence was issued)

I would also like to see legislation to allow this sort of website domain to be made inactive if it has not been licensed as outlined above.

malcolm r says:

I do not see how we can license anything on a world wide web, any more than we can stop cold phone calls that emanate from overseas. However someone will hopefully suggest solutions.

Which? could perform a useful service by listing all official government sites that provide services to us. Maybe they do, I haven’t looked.

Where a website has been shown to act illegally and deliberately perhaps the credit card companies could withdraw their facility. This could include more than just fake or scam “official” sites – how about secondary ticket touts and those that sell fake, dangerous and poisonous products like Ama………

wavechange says:

Websites can and are removed if they are illegal. I have suggested that sites providing paid-for services as an alternative to government sites must be licensed. Then those that are not licensed could be taken down because they would be operating illegally.

We need solutions that help everyone and not just those who look at the Which? website. The person mentioned in the introduction was a Which? member.

malcolm r says:

But these are not necessarily illegal if they purport to offer a “concierge” service. The post office offer, and charge for, a passport checking service. The very dubious bit is using a deceptive web address. Maybe there should also be a restriction on the way web addresses are given when they mimic official ones?

wavechange says:

I have suggested that sites that offer a an additional service could be licensed if considered to be in the public interest. I believe that websites with deceptive web addresses are already taken down.

alfa says:

I get regular updates from ActionFraud – National Fraud & Cyber Crime Reporting Centre.

They work with Neighbourhood Watch in your area to keep you informed of the latest scams plus any dodgy goings-on in your area, how to handle situations, keeping safe and sometimes ask for help from the public.

Anyone can sign up for free here:
https://www.actionfraud.police.uk/signup

Perhaps in their next Weekly Scoop, Which? could suggest folks sign up to it, as it never ceases to amaze me how people can still get caught so easily.

Some recent subjects:
Fake Amazon Emails
Fake Argos Texts
Keeping your home safe
Keyless car theft
Courier Fraud

Alex Whittle says:

Thanks alfa! I’ll pass on your suggestion. We work really closely with Action Fraud on Twitter, often retweeting their advice and suggesting people use their services.

alfa says:

Thanks Alex.

wavechange says:

It’s good to see an example of how social media can be used to pass on important information. I feel this would be an easy and inexpensive way of informing the public of product recalls, and one that could be implemented now. I’m suggesting this as a complementary approach to product registration.

malcolm r says:

A good link. I get these, alfa, under the auspices of our local police authority. Informative with sensible and useful advice.

Patrick Taylor says:

The story is a little thin. Can Which? explain why they have not named the site to avoid ? Who sent the email, and is a part of a widescale phishing operation, or is the sender privy to EHIC renewal data.

There is nothing in the article to suggest it was search engine originated problem.

The willingness of card-handling banks to deal with this operation indicates an area where consumer bodies perhaps ought to examine the ways this could be made more difficult.

wavechange says:

I wondered too. I presume that the website has been closed down.

It can be interesting to look at page caches if pages have been modified or web archives for historical information, but this depends on a website still being active and you know which one it is.

Faye Lipson says:

26 July 2018

Hi Patrick,

Good questions. This article is an abbreviated version of my Scam Watch column in Which? Magazine, which goes into more detail on how the scam worked.

It’s not clear whether the email was a generic attempt at phishing which simply got lucky, or whether Mr Winterbotham was targeted by someone who had actual renewal data.

I put this very question (along with others) to the site that emailed him but didn’t receive a response. For legal reasons this also meant we couldn’t name the site.

However there are hundreds of such ‘copycat’ sites out there and there’s no need to list them – the only link anyone needs is the one to the legitimate site, ehic.org.uk.

User 66219 says:

This comment was removed at the request of the user

alfa says:

I was on The Telegraph website earlier today, when it turned into this nasty little screen…

It appeared to be a warning from MS Security Essentials on a website safety dot microsoft dot com

The screen seized up so the ends of the sentences are missing but:

Your system is infected with (3) viruses!
Your Windows 7 is infected with (3) viruses. This pre-scan has found traces of (2) malware and (1)p….
spyware software.
Removing the (3) viruses is urgently required to prevent further system damage, loss of apps, photo…..
data. Traces of (1) phishing / spyware were found on your Windows 7 computer.
Therefore personal and bank information are at risk and might be stolen by cyber criminals.
1 minutes and 56 seconds remaining before permanent damage is done. Click on CONTINUE to do…
and get immediate help.

Then a pop-up entitled Message from webpage
⚠️ Warning!
Windows is infected with viruses and other harmful applications.
Viruses must be removed and system damage should be repaired.
It is necessary to perform virus removal immediately, please go ahead.
**When you leave this page, your Windows remains damaged and vulnerable**

🤔 ⁉️⁉️⁉️

I wonder how many people would panic and hit Continue? This is probably ransomeware involving expensive phone calls or paying to remove it.

Hopefully by disconnecting instantly from the internet and not hitting continue I am safe.🤞 I have done a full scan and checked everything out I can and seem to be okay. I hope Kaspersky would have stopped it installing if it had tried but surprised I didn’t get a warning.

wavechange says:

I have never needed to do more than quit and restart my browser when seeing that sort of message.

User 66219 says:

This comment was removed at the request of the user

alfa says:

I have never had one of these before. I have wondered how people get into the position of having to pay to remove popups that demand money for removal.

Quite easily if it appears to come from Microsoft.

alfa says:

The word fly or f1y is in the URL, I took a copy of the screen.

Kaspersky is Internet Security version.

User 66219 says:

This comment was removed at the request of the user

DerekP says:

alfa – thanks for posting this.

I stopped using Windows 7 for home use about 6 years ago, after similar circumstances tricked me into “authorizing” a virus onto my main PC.

I think these attacks are very common – some family members have also suffered from them on Windows 7 & 8 systems and, most times, ended up paying local computer shops to clean up and re-install Windows.

It was interesting to hear that, even though you had good security software, the attack’s “hurt & rescue” screen was able to appear.

Where I work, we all now use Windows 7 and we seem to have very good security, so problems like malware infection are rare (but many websites and some emails are routinely blocked). And, of course, ordinary users do not have “admin rights”.

For modest home uses, I don’t think there is much need to use Windows at home.
Over the last few years, I have set up some family members to use Linux rather than Windows.

Linux cannot fall prey to traditional Windows executable viruses, but it can be vulnerable to attacks within web browsers. So far, none of those has caused any serious damage.

Also, even if a Linux system does get corrupted, it usually only takes about 20 minutes to completely re-install the OS from scratch.

We also now have one Chromebook and it is an excellent tool for general internet surfing. I’m always surprised that Which? don’t recommend them more for this role.

User 66219 says:

This comment was removed at the request of the user

alfa says:

Here is an image showing how realistic it looks. (Sorry you can’t see it Duncan):
.

User 66219 says:

This comment was removed at the request of the user

Ian says:

I got one of those – on a Mac…

wavechange says:

I have seen the odd pop-up but I have had more threats by email containing links that are presumably dodgy. I just look at the preview pane rather than opening the email and then delete the message. None of the threats to damage my computer if I don’t act promptly have materialised.

A web search can produce dodgy links but I wonder how Alfa received a pop-up when looking at the Telegraph website.

alfa says:

I wondered that also wavechange. I had the screen up and was typing a post in the Lobby at the time. I submitted that URL and typed out the one above in the image into Kaspersky to check them out but them both came out clean. There is a possibility that the characters are not as they appear so I could have typed them incorrectly. The screen had seized so I could do nothing with it including copying text.

Ian, Microsoft on a Mac? A bit of a giveaway. I don’t have MS Security Essentials, but I doubt if most users would know that.

Sorry Duncan, what imaging websites can you see?

wavechange says:

If the screen freezes the way of doing a screen capture is to use a camera or phone. That is what I did when my Mac laptop developed a major problem, to show to the guys in the Apple Store.

I’m not sure if I have had the screen freeze with a malicious pop-up. I just quit and restart the browser.

User 66219 says:

This comment was removed at the request of the user

alfa says:

Restarting your computer, could trigger a nasty little bug, so you really ought to at least do a full scan.

I don’t know anything about Macs but the MS registry has ‘Run’ and ‘Run Once’ sections that something could be hiding in. You would hope internet security would pick this up but if you inadvertently agree to something………

With the introduction of GDPR, this could be more of a problem now every website keeps asking you to agree to their terms and conditions. I usually ignore them, but sometimes you have to accept them or leave.

Duncan, can you look at any imaging websites? You could do a temporary unblock.

Ian says:

Probably a false negative, Duncan.

User 66219 says:

This comment was removed at the request of the user

User 66219 says:

This comment was removed at the request of the user

alfa says:

Everything just looks like a search utility Duncan. Although it might identify leftover files, I can’t see it identifying malware.

User 66219 says:

This comment was removed at the request of the user

malcolm r says:

I may be adrift for a while as I’ve just had a bit of good fortune (literally). I have received an email from a Mr Sebastian Matveikova, manager of Bank of Africa BOA Burkina Faso who discovered a fund of $18 600 000 and needed a partner to help him claim it. He found one and is now in S.Korea. The Almighty has approved his actions.

In return for the Almighty’s approval he agreed to set aside 10% ($1 860 000) to help motherless babies and widowers in my country. But to do this he needs a bank account to transfer the money into and someone to distribute just some of the money. I am the chosen one.

Can anyone send me a list of worthy recipients (very short please) so I can distribute just a little of the money. I will also donate some to Which? as a kind gesture.

wavechange says:

Just search for the text and you are likely to find other examples of the scam reported online.

User 66219 says:

This comment was removed at the request of the user

Patrick Taylor says:

1. Can we establish whether the EHIC scam was simply a lucky hit OR has some rogue accessed, or is accessing, the EHIC database. Over to you Which?.

2. The £135 payment involved some email responses which are a little concerning but also might provide clues such as the cardhandler. All of this though anticipates some regulatory body cares, as we have strong suspicions that they do not is it worthwhile consumer bodies looking at the detail and looking for pressure points to make authorities act.

3. On another tack I have for several years now suggested that Which? becomes a much more useful consumer service by basically becoming a safe place, a first port of call, to search before committing cash for passports, licenses etc., using an online pharmacy.

You cannot rely on Google and its commercial instincts, and Wikipedia can be unsafe, so why not a respected body funded by subscribers who will have the correct web address and also useful add on information if this is missing from the target site.

malcolm r says:

Patrick, I also suggested a Which? repository for genuine official sites. I think you have often also suggested a WikiWhich? So much useful and valuable information is either scattered about or lost in the mists of time. I’d support Which? producing this online.

User 66219 says:

This comment was removed at the request of the user

Patrick Taylor says:

Perhaps Duncan you should explain why Which? “has several versions of Google” as it really does not seem relevant to my suggestion that Which? is a resource with valid links.

Obviously locking content added by Which? with an alert for alteration attempts would seem a basic precaution. Given that there is no money involved I am not quite certain why online banking security standard is needed.

User 66219 says:

This comment was removed at the request of the user

wavechange says:

There is a useful repository of official links on GOV.UK: https://www.gov.uk
Just search for EHIC etc.

There seems little point in duplicating information, and getting people into the discipline of searching for official information in one place could help avoid fraud.

malcolm r says:

There are many more useful sites that Which? might list perhaps?

wavechange says:

I won’t argue about that. Which? already has a large number of articles on a variety of topics of consumer interest, presumably chosen on some criteria that we don’t know about. Of course more can be added. Keeping the present information and links up to date is I suspect a considerable undertaking. I wonder if resources might be better used to convince government of the need for an effective Trading Standards service. I’m fairly confident about searching for information and evaluating its likely quality rather than being spoon-fed with what someone believes to be decent information.

I do wish that some of our surveys focused on what we would like from Which? Equally, I don’t like reading reviews that look like sponsored advertising features for products or having links to Amazon or other websites. I’m perfectly capable of comparing prices on websites.

It would be good to have some opportunity to influence the priorities of the organisation.

malcolm r says:

Have you thought of using the Which? Member Governance Committee?

wavechange says:

I’m sure I have made the suggestion there, Malcolm. I have not seen much evidence of our views being listened to.

I am very glad that product safety is a current campaign of Which? but despite a few of us banging on about the need for an effective Trading Standards that will support citizens I don’t see any indication that there will be any improvement.

malcolm r says:

If Which? at least responded to the questions they are asked it would help, wouldn’t it wavechange. I have recently emailed Which? about two issues that bothered me that have not been responded to in Convos. To his credit, George has offered to raise these and other recent unanswered questions, but if I go back I have a lot of them and he is so helpful I don’t want to overburden him and the team.

If I continue to have enforced time on my hands I may well trawl back through the Convos and draw up a list then send it to Which?. Hopefully I’ll find better things to do because I remain unconvinced that Which? are that interested.

Product safety and consumer protection seem key priorities for Which?, and Trading Standards should be the key to unlock this. I do agree with the current campaign, on the basis that standards that should be observed are generally good but we have totally inadequate means of monitoring and enforcing them.

wavechange says:

I have been looking at a recent code of practice on recalls of consumer products.

“Where practical and proportionate and in accordance with data protection rules, producers and distributors should aim to keep records of customers and purchases.”

I think mandatory product registration would be useful but it does not surprise me that there seems to be no mention of this option. The statement above does not give me much hope that we will make progress.

On a positive note, the potential for using social media to inform people of recalls is mentioned. Nowadays there are many younger people who move from one rented property to another and could be difficult to inform of recalls.

malcolm r says:

A variety of contributing organisations have, under the BEIS banner and with BSI’s help, developed the “Code of practice on consumer product safety-related recalls and other corrective actions” . This is issued as PAS 7100:2018.

It says, under 4.4.2.2 “Customer traceability” and the businesses required Product Safety Incident Plan that “Consumers should be asked for their consent to their contact details being recorded…………..making it clear that this is for use only in the event of need for contact arising in respect of product safety”

As I said earlier this PAS is presented as for “guidance and recommendations” and is neither mandatory for businesses not mandatory for consumers to register.

I presume that data protection laws need to be observed. However I would hope that, first, the requirements of this PAS will be made mandatory for all businesses (producers and distributors) involved in specified product groups and that, second, for those specified products purchasers must register their contact details. It may not be possible without a change in the law, and that may not be possible while are subject to EU control.

The problem I see is that reputable business will do all that the PAS requires, and other disreputable businesses will not. Perhaps, like fridge plastic backs, Which? could keep a list of all those businesses that do fulfil the PAS requirements, and note those that do not. Put the latter on a blacklist.

George Martin says:

25 July 2018

Thank you for the kind words Malcolm. I’ve been reading the comments on this convo with interest and have asked Faye if we can get some answers together. There are also, as always, lots of good suggestions here, and I want to reassure you all that they are valued – Convo can be a big job with so much interesting insight and suggestions left by you all every day, but we are doing our best to make sure your voice is heard as high up the chain as possible 🙂

alfa says:

I was checking out Duncan’s suggestion of Everything.

A review on pcmag first has a pop-up:
We tailor your experience and understand how you and other visitors use this website by using cookies and other technologies. This means we are able to keep this site free-of-charge to use.

Please click I Consent below to give us permission to do this and also to show adverts tailored to your interests and allow our third party partners to do the same.

What I find very concerning is how does this pop-up differ from the virus warning I gave above?

Okay, the wording. But scams have a habit of using words to make us believe in them.

By hitting I consent to tailoring my experience, I could just as easily have been consenting to malware. How are we supposed to know the difference?

I ignore most of these requests to agree to terms and conditions, but many sites will not let you continue unless you do agree to them. If you do try and read their T&Cs, they are such a minefield you are unlikely to understand them anyway.

Methinks GDPR needs a rethink. We should have been opted out by default not made to jump through hoops every site we visit.

User 66219 says:

This comment was removed at the request of the user

wavechange says:

I completely agree, Alfa. I hope that Which? will look at some of the examples of what we are being pressurised into agreeing to when using websites. I suspect that GDPR has been used as a way of gaining more information than before.

John Ward says: