/ Shopping

Scam watch: fake verification pop-up

creidt card

While shopping online, a Which? member nearly fell victim to a sophisticated online credit card scam that none of our experts have come across before.

Member Alastair Robertson told us:

After placing an order with an online butchers and filling in my debit card details, the Bank of Scotland card verification page popped up. I’d seen it before and began to fill it in, but soon realised it was asking for more information than usual. It had boxes for the 16-digit card number, expiry date and security code. 

I closed the pages and placed my order by phone. 

A few hours later, I received an automated call from the Bank of Scotland fraud department. The voice asked for the 16-digit number on the front of my debit card in order to deal with the problem. It told me I had entered this incorrectly and asked for the card’s expiry date. It then claimed I also entered that incorrectly and asked for my sort code. At this point, I hung up and phoned Bank of Scotland directly – neither the pop-up nor the phone call had come from it.’

Our say on fake verification pop-ups

This is a very clever scam that none of our experts have come across before. The pop-up emerged at the exact time you’d expect such a page to appear, and the phone call was well timed, too.

The details needed to pull off this scam may have been obtained as a result of spyware being installed on the member’s PC.

We can confirm that card verification pages and automated calls from your bank rarely ask for additional card details. You should report such cases to the police and Action Fraud.

Have you come across a similar scam? What happened?


Impressive. A very subtle scam and W? deserves plaudits for publishing it. A similar (though not as subtle) scam is doing the rounds with regard to the new Coop membership card.

It seems curious that this new subtle attack has been attributed to spy-ware on the members computer rather than a man-in-the middle attack, or possibly the vendors site has been hacked. Has Which? spoken to the other parties?

I have checked the normally well-informed [i}The Register[i/] and can find nothing on this particular form of attack which is indeed a very subtle.

My first thought was that the butcher’s website had been attacked. If it was the customer’s computer it would happen each time they made an on-line payment via Mastercard or Visa.

A MitM attack can only occur if the ‘man’ in the middle is able to successfully impersonate both endpoints, something that two sites communicating over TLS using certificates from a trusted Certificate Authority render a virtual impossibility. So assuming this was over HTTPS using a modern Web browser I would suggest the issue is most likely on the client endpoint, e.g the victim’s PC

This comment was removed at the request of the user

Don’t agree with you’re experts. More like someone has definitely hacked the butchers website to place the new popup. The new code probably captures all the personal info that the host website displays about you to save you having to enter it. Which is how the fraudster had your name/phone number and know which bank card you’d used.

This comment was removed at the request of the user

This comment was removed at the request of the user

JoeBloggs says:
24 October 2016

If you trust the internet for financial transactions then expect to lose money at some point. Trust no-one. and sorry Duncan but there is no such thing as free that’s why github gets blocked. 99.9% of computer users don’t know how they work or what they are capable of and the other 0.1% are criminals who do and people trying to stop the criminals. Even the police are too far behind the criminals.

This comment was removed at the request of the user

As regards “free software” there are two kinds of “free”.

“free” as in free beer or as in a free lunch: no charge is made for the use of the software, but you don’t get to own the copyright of the version you download and the free version may be there to encourage you to spend money in other ways, e.g. free antivirus software may be there to encourage you to upgrade to a paid-for version.

“free” as in free speech. You can download the software and all of its source code, so you can know exactly how it works and what it does (and see if it contains any malicious code). You can (usually) also modify and distribute copies, so long as you continue to honour original licence conditions, including the ones about releasing your modified source code. You may have to pay for this kind of software – or it may also be free, as in free beer.

Those of us who have to write software as part of our day jobs, do like to take a pay packet home each month. So we generally don’t work for free, even though we may sometimes be able to release free software, when this is consistent with our overall objectives.

This comment was removed at the request of the user

This comment was removed at the request of the user

This comment was removed at the request of the user

Actually Duncan, I did not express any views on github.

All I did in my post above was reply to JoeBloggs, to contribute what free software meant to me – both as an author and as a user.

Regarding open source software I did find a gov.uk webpage that said:

“Where appropriate, government will procure open source solutions. When used in conjunction with compulsory open standards, open source presents significant opportunities for the design and delivery of interoperable solutions.”

and also some 2015 press releases highlighting the acceptance of LibreOffice for use in UK government projects.

A pharmacy rang me to advise I had been over charged . They asked for my most recent CC details so they could give me a refund, then they billed me for a further supply of over priced tablets . Fortunately the Natwest cc were on the ball and charged back immediately, but never take for granted that all cc companies are on your side or that you will get redress from the FSA.

“So, if malware is injected into a process which is already running in the context of the current user, it is easy to access those passwords in plain text.
Moreover, by injecting code into a web browser, attackers can modify the content shown to the user.
“For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens,” said Tal Liberman, Security Research Team Leader of enSilo.
“However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount.”


And it affects all Windows machines. How secure is online commerce?

As a user who is not a technical computer expert am I wrong to trust Barclays Bank online safeguards? I use the card reader to log on along with other security requirements designed by Barclays. Are their methods insecure?

This comment was removed at the request of the user

Key pads (as opposed to card readers) are possibly more secure, since they have on-chip algorithms which calculate a prime number based on the time you use it, the number of times you’ve used it previously and the prime base number in question. Because the internal chronometer on the card is synchronised with the bank’s clocks, you should get a unique code each time that will only work at the time you choose it, or close to that time. But, as Duncan sagely notes, nothing digital is ever 100% foolproof.

The same thing happened to me a few days ago, buying Virgin train tickets. I started filling in the info asked for by what looked like the bank’s card verification box, but thought I’d not seen so much detail asked for previously, so I aborted the sale. When I subsequently tried again, several times, to buy tickets, the Virgin website kept saying there was an error and payment failed. I phoned and Virgin said they were trying to fix website problems. After a day of this I bought through Trainline. I didn’t get a phone call though.
Should I now worry that I have something nasty lodged in my laptop? I’m not techy – most of the comments above mean nothing to me.

This comment was removed at the request of the user

This comment was removed at the request of the user

This happened to me when buying premium bonds from the National Savings and Investments web site. I was purchasing a large amount of bonds so presumed Lloyds (my bank) were being more careful than usual. I have up to date F-Secure protection installed on my computer and have not seen this bank verification request appear with any other on line purchase before or since. Is it feasible the NS&I website has been illegally accessed?

This comment was removed at the request of the user

A ‘retailer’ phoned me and apologised profusely for over charging. ‘Could I please let them have my new CC details so that they could refund me and give a substantial discount on recurring orders?’ They did not refund me. They doubled the the charge. Happily the Natwest proved to be on my side on this occasion They charged back all transactions and reported the fraud.