/ Money, Shopping, Technology

Is it too easy for fraudsters to steal our identities online?

Fraud in light bulb

ID fraud isn’t a new problem. We all know we should shred our financial statements, lest a fraudster raids our bin. But with our lives moving online, there are lots of new opportunities for criminals to get our personal details.

And fraudsters can often access our details without needing to get their hands dirty.

Online ID theft on the increase

According to fraud prevention organisation Cifas over 80% of all identity fraud was perpetrated online in the first quarter of this year.

Security experts say you should make sure you keep every piece of software on your computer up to date, not just anti-virus software. Criminals can hack into your computer by exploiting weaknesses and loopholes. And once they’ve done that it’s possible for them to see all of your documents and/or monitor your online activity.

So next time a software update pops up on your screen, rather than feeling irritated and ignoring it (I definitely speak from personal experience here!) make sure you do it. And for anyone who uses apps on their smartphone the same thing is true.

This is not to mention the whole host of vishing and phishing scams that we’re all often exposed to where fraudsters try to trick you into revealing your details over the phone or via email.

And the old fashioned ways are still happening too, so advice about shredding documents and making sure you update your address when you move house remains true.

Protect your details – online and offline

Although you can usually recover any financial losses, and get corrections made to your credit record once you report an incident of fraud, this process can be time consuming and distressing. So it pays to be vigilant with your personal details whether online or offline.

I’m interested in hearing from people who’ve been a victim of identity fraud. What happened and did you ever find out how the fraudsters had managed to get hold of your details? And if you haven’t been a victim of ID fraud, do you have any tips or advice for others?

Useful links

How to get your money back after a scam


The only incident of fraud to affect us was when Everest were fitting new windows in our house and we were due to pay them by card. Halfway through the fitting the bank’s security people contacted us to ask had we ordered £1200’s worth of vitamin tablets. When we told them we weren’t that keen on glossy coats and shining eyes they told us they would cancel the card immediately, but allowed us to pay for the windows prior to cancellation.

This was not, however, from any sort of virus (we use Macs only and there still hasn’t been an active virus for Macs used) but it seems that someone involved in an online trading incident had appropriated our details and was using them . Shortly afterwards, the banks introduced the ‘Verified by Visa’ system and we’ve not had another incident.

But it makes a lot of sense to check bank statements regularly, always log out of your online bank account (never simply close the window), only use banks with discrete keycard security features, use a dedicated browser for all banking transactions and never, ever log onto your bank on anyone else’s computer, especially and specifically a public one. I also avoid public Wi-Fi, for the same reasons.

In respect of Identity fraud generally, we physically burn all our details on letters, parcels, etc., but the online world means – as you point out – it’s so much easier for them to get at your information. Phishing scams, once the preserve of the semi-literate Nigerian-based gangs, are now becoming extremely sophisticated, and we have to change the way we deal with all types of communications from ‘official’ bodies. As I’ve said elsewhere, one very large warning sign has to be if you are ever asked to do anything urgently. In our family, the only person who has that right is a member of our immediate family. Anyone else who contacts us for anything that might possibly involve us agreeing to doing anything at all has to wait. It’s a very simple strategy, yet we know these criminals are adept at exploiting the natural human tendency to want to help immediately.

The other thing that we need to do is specifically in regards to email. Emails can arrive with very ‘official’ looking addresses, but for the criminal or even the opportunist advertisers, concealing the real email address is a doddle. So our rules for dealing with emails are as follows:

1. If any email arrives asking you to do something quickly, don’t. Wait and discuss the email with other people.
2. If an email doesn’t address you by your name, be very, very cautious, even if it appears to come from a company you know well.
3. Use disposable email addresses when initially contacting companies. There are several companies that will provide email addresses, which you can then adapt. For instance, you can open a Gmail account called ‘fred_bloggscleaningservices.@.gmail . com.” That way you’ll know exactly who has that email address so when spam arrives using that address you’ll know who’s to blame.
4. Use your Email client to reveal the address. If an email arrives you weren’t expecting asking you to do something, then either by passing your mouse cursor across the address or by using your browser preferences to reveal the address you can see who it’s really from.
5. Finally, we’re always, always wary of strangers offering free lunches. Income tax refunds, errors meaning we’re due rebates, anything – in short – saying someone want to pay us money. Rule 1 then applies.

Finally, it’s a really good idea to tackle anyone you might know through a club or society who sends emails out to everyone, with all the members’ address on the “CC” line. Ask them if they could put everyone’s addresses on the “BCC” line instead. They don’t need to put anything at all on the “TO” line, or the “CC” line.

The reason for this is that it only takes a single member whose computer has been compromised to open everyone’s email address to Spam. Many of the most common viruses simply use your computer to send all the information in your address and email files to some hidden destination.

It’s a little lonely in here…

@carneades I’ve tweaked the title to see if we can get a few more people here. 🙂

Excellent. I’m Ian, BTW, Patrick. Carneades is my alter ego (tights, cape – you know…)

True, but to alert you with a mention in your profile, we have to use your original username. Now back on topic 🙂

Maybe it’s quiet because many of have been lucky enough to avoid problems. I do hope so.

You have given us some good advice, Ian.

Thank you, Sir :-))))

Hello lo lo lo o (echo).

This HMRC site has a detailed list of all the bogus email addresses scammers and phishers use to try to get your details.

I don’t know if I’ve been targetted for fraud, but suspect it, based on three potentially totally separate issues:
1. We started receiving packets of very low value items from different parts of China and Singapore, all address details correct except that the name was Arturas Sausktys (and no such named person lives at our house). Coincidentally (?) these are my wife’s initials.
2. We had a phone call seeking confirmation of information they already had, my name, my address and that I’d had a mortgage. Expecting a call from the bank I acknowledged these details were correct at which point they ended the call.
3. A recollection from a BBC4 money box programme abpout a scam targetting people with paid up mortgages and houses not on the Land Registry whereby the scammers registered the property and sold it under the noses of the owners. Anyone can find if properties are registered on the Land Registry website. Armed with ID details gleaned from Faceboook or whatever you could imagine this could work.

What we’ve done is to return all the items ‘Not known at this adddress’, register the issue with Action Fraud, checked all bank accounts and the Deeds Store and instruct our solicitors to register our house. Maybe I’m paranoid but maybe this might prompt others to make sure you’re not at risk.

It reads as if you are doing the right things here and registering the property is something we also recommend. Property fraud by it’s very nature can often start with ID fraud so it is important to ensure your personal details are secure. GOV.UK carries some helpful advice on how to protect your property from fraud and once registered there are some additional options to consider inc our free Property Alert Service, registering alternative contact addresses and if appropriate a restriction on the title as well.

I wonder how many people in the Plymouth area fell for this email I have just received. I am not Ms Annette Watson but the email address seems to be from a gov.uk which we are told we can trust. The attachment that was disinfected by Kaspersky is a .doc not a .pdf. I have edited the addresses and phone numbers with spaces and O’s for 0’s.

SENDER: CivicaReports @ plymouth.gov.uk


From: Plymouth LIVE SYSTEM (New)

To: Ms Annette Watson

Please find attached your invoice for payment in accordance with our agreed terms and conditions.

The invoice is sent in PDF format. Double click on the attachment to open the file.

PDF files require Adobe Acrobat Reader to view them. Download Adobe Acrobat Reader
free of charge from the Adobe website at www . adobe.com/products/reader

For enquiries specifically relating to this invoice, please e-mail : incomes @ plymouth.gov.uk

This e-mail is confidential and intended for the exclusive use of the addressee.

Any views or opinions expressed in this e-mail do not necessarily represent those of Plymouth City Council, and are not to be relied upon without subsequent written confirmation by an authorised representative. If you are not the addressee, any disclosure, reproduction, distribution, forwarding, or other dissemination or use is strictly prohibited. If you have received this e-mail in error please notify the Plymouth City Council Transaction Centre (incomes) helpdesk on O1752 3O4443

Plymouth City Council, The Civic Centre, Armada Way, Plymouth, PL1 2AA.

Telephone : O1752 668OOO Website : www .plymouth.gov.uk

If you Google “Ms Annette Watson” you get (4th item) this link – http://myonlinesecurity.co.uk/plymouth-city-council-invoice-for-payment-word-doc-malware/ – saying

“An email that appears to come from Plymouth City Council with the subject of Invoice for Payment pretending to come from CivicaReports@plymouth.gov.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers”

I hadn’t bothered to Goggle it but it is just one of a load of “invoice” spam I have been receiving lately, many from legitimate looking companies that many people might have dealt with and got caught out by opening the attachments.

I’m curious. I posted the same link but it resolutely refused to post. What does one have to do to get a link posted?

Hi Ian, that’s Paul our developer (he’s done all the amazing work you can see on Which? Convo!) and he’s an admin, so can post links. We have to approve links manually just in case they include malicious stuff like what you’re talking about now.

Ahah. So since he’s posted the link I tried to post, how do I go about posting any links I may wish to post? What’s the procedure for ‘seeking approval’?

Hi Ian, I’d love to have trusted users who can post links, but the system treats everyone the same. A bit frustrating. We’ll just try to publish them ASAP

I understand, Patrick. I was simply wondering what the procedure for submitting these links is. Do we simply post the link ‘as is’ of do we submit to some as yet undisclosed section of the site for approval?

Ah, they just go into our back-end moderation queue. I want you to know that this has happened, as at the moment it just looks like your comment has disappeared.

Happy to talk about this and other issues on this dedicated post to website feedback, so we can keep this discussion about ID fraud on topic: https://conversation.which.co.uk/technology/welcome-to-the-new-which-conversation/

Thanks. I’ll redeploy over there :-)))

UK Banks Halifax and NatWest are among organisations targeted by fake sites that have won SSL certificates from certification authorities (CAs).

Netcraft says certifiers who should know better – such as Symantec, Comodo, CloudFlare’s certification partner GlobalSign and GoDaddy – have handed out certs to sites like natwestnwolb. co. uk. That site’s a faked attempt at luring traffic away from UK bank NatWest’s real online banking operation at http://www. nwolb. com. Another UK bank, Halifax, is flattered by the existence of fake site halifaxonline- uk. com. Someone’s trying to take a bit out of Apple at itunes- security. net, PayPal has to cope with emergencypay pal . net and phishers even think someone’s likely to have such fat fingers that they end up at btintranert . com.”

Meanwhile, from the Regoster:

“UK Banks Halifax and NatWest are among organisations targeted by fake sites that have won SSL certificates from certification authorities (CAs).

Netcraft says certifiers who should know better – such as Symantec, Comodo, CloudFlare’s certification partner GlobalSign and GoDaddy – have handed out certs to sites like natwestnwolb.co.uk. That site’s a faked attempt at luring traffic away from UK bank NatWest’s real online banking operation at http://www.nwolb.com. Another UK bank, Halifax, is flattered by the existence of fake site halifaxonline-uk.com. Someone’s trying to take a bit out of Apple at itunes-security.net, PayPal has to cope with emergencypaypal.net and phishers even think someone’s likely to have such fat fingers that they end up at btintranert.com.”

Meanwhile, from the Regoster:

“UK Banks Halifax and NatWest are among organisations targeted by fake sites that have won SSL certificates from certification authorities (CAs).

Netcraft says certifiers who should know better – such as Symantec, Comodo, CloudFlare’s certification partner GlobalSign and GoDaddy – have handed out certs to sites like natwestnwolb.co.uk. That site’s a faked attempt at luring traffic away from UK bank NatWest’s real online banking operation at http://www.nwolb.com. Another UK bank, Halifax, is flattered by the existence of fake site halifaxonline-uk.com. Someone’s trying to take a bit out of Apple at itunes-security.net, PayPal has to cope with emergencypaypal.net and phishers even think someone’s likely to have such fat fingers that they end up at btintranert.com.”

Because the certification authorities are granting certificates to bogus sites, we’re all more at risk.

“While some of the sites above are chucklesome to a degree, Netcraft notes that “Consumers have been trained to ‘look for the padlock’ in their browser before submitting sensitive information to websites, such as passwords and credit card numbers.” The padlock will appear when sites have a valid certificate, so the errors made by certification authorities lend a little more authenticity to fake phishing sites, no matter how ridiculous their URLs. That authenticity will help those sites to fool punters into inadvertently handing over their internet banking credentials and other personal details, which won’t end well.”

Oh, and thanks for all the good work, Paul.

Absolutely. Thanks to everyone involved. My mental list of outstanding problems is becoming shorter.

Perhaps it’s worth mentioning that we still have a Convo for discussing issues with the new site: https://conversation.which.co.uk/technology/welcome-to-the-new-which-conversation/

To all Amazon customers: I have just received a very convincing-looking email saying that the credit card used on my order number so-and-so has been declined, and will I please visit this link to sort the problem out. I have had genuine examples of this email in the past, and this was a damn good imitation, so I was nearly taken in until it dawned on me that I don’t have any un-paid-for orders open right now. Logging on to the Amazon site proved that the order number was indeed fictitious.


Thanks for the warning Brenda. This scam relies on the likelihood that many recipients will have a number of Amazon orders in progress and will not check the order numbers. I always print off my orders and keep them in a clip to check their progress so I can quickly verify an order number if faced with an e-mail like the one you received.

As a matter of interest did you report it to Amazon? Personally I think that is a waste of time and that the best thing to do with emails like that is to move them into the delete folder immediately and then empty it. If your e-mail service has that facility, marking it as a phishing scam achieves the same effect and additionally it will block any more from the same source address.

Reported to Amazon and blocked the sender. I get the impression from other people I have spoken to that this is not a new scam – just new to me.

It shows how important it is to have both your bank and Amazon websites bookmarked, so you never need (or in fact never should) follow a link provided in an email.

You need to be on your mettle when you shop for anything these days and especially if you are of a certain age with a few grey hairs and wrinkles which you have earned over the years.

Returning a couple of articles of clothing to J Lewis recently as I need to exchange them for a larger size. Unfortunately the larger sizes where out of stock at the branch but having checked on the computer for main stock availability, bingo! yes and arrangements were made for me to collect them from my nearest Waitrose supermarket.

Things were progressing nicely and I was in awe of the efficiency of the staff and their system and proceeded to produce my personal details, name, address, debit card etc until suddenly alarm bells starting ringing when I was asked to provide my bank password. When I queried this stating that I never hand over my bank password to anyone other than my bank. I was informed the bank do spot checks every now and then and I was invited to type my password on their computer but I stood my
ground and declined. I requested a refund for the returned items and as a don’t bank online, wait in anticipation that this shows on my next monthly bank statement.

There was a long queue of frustrated customers that had built up behind me and I was tempted as I left to warn them not to disclose their bank password if asked.

Beryl – It might be worth raising a complaint about this in case there is a rogue employee collecting card numbers and PINs. Less vigilant customers might give their PIN without thinking and months later when the transaction has been forgotten they could find money taken from their account.

As Ian says, you should not even give your PIN to an employee of the bank that issued the card.

I never hand over my bank password to anyone other than my bank. I was informed the bank do spot checks every now and then and I was invited to type my password on their computer but I stood my
ground and declined.

Interesting. And this happened in Waitrose themselves? Just as a point of interest I wonder what they meant by your “bank password”? Accessing your bank account requires quite a bit more than your password. For instance, any half-way decent online banking service has at least three hurdles to surmount before you can get in, and one of those is often a discrete random number generating keypad, so your ‘password’ would be useless by itself.

As an added point, you don’t hand over your password even to your bank, because they don’t need it to access your account. The only similar occurrence I ever encounter is when the Bank’s fraud division identifies an unusual payment on one of our Credit cards and they telephone us and ask for two digits of our personal number, but also tell us some of our personal details, which includes (since I trained them into doing it!) three items on the credit card in the last month’s account, together with dates. However, I’m uneasy about that, now, so I simply tell them I’ll ring them back. I then ring our number on another ‘phone to check the line’s clear, then ring the Bank’s main number and ask to be transferred.

It’s a rigmarole, I know, but it does seem scammers are becoming increasingly sophisticated and we have to devise ever more complex ways of stopping them.

Thinking about it, I note to say ‘debit card’ rather than credit card, Beryl. It’s possible that what they wanted to do was confirm you were the rightful owner of that debit card. One popular scam is for stolen goods to be ‘returned’ to a store for either a refund or exchange (I suppose villains don’t always have the time to avail themselves of a changing room when they’re busily nicking stuff) and inserting your debit card and then inputting your four digit code would go some way to confirming your identity. Just a thought, anyway.

One other thing does occur, Beryl. We have a friend who only used his debit card and would never use his credit card for anything. I pointed him to Section 75 of the Consumer Credit Act which provides a lot more protection for you when using a credit card than using a debit card and he’s never looked back.

Thanks for that info Ian. I always use my credit card when buying anything online but as I purchased the goods in the store I assumed I would be covered by the New Consumer Act and I produced a valid receipt as proof of purchase. The sales assistance took my debit card number and details and I made the point that when shopping online I have never been asked for my bank password. I assume the banking system already checks this with my card and security number and so was at a loss to understand why I was expected to give this to a sales assistant in a departmental store. I decided it was a risk too far to take and that it was safer to err on the side of caution in this particular instance.

Beryl, it seems strange that if you were doing an exchange and no money was changing hands that they should need your debit card details. To verify you were the owner of the debit card I presume all they needed to do at most was to swipe it and ask you to enter your pin number on the reader pad. I have a couple of times been rung on my mobile when I have made a credit card purchase as a security check, but no sensitive information changed hands.

I agree with Malcolm. It does sound very odd. I would have done as you did, Beryl.

To clarify the situation which at the time seemed rather confusing, of the two returned items, neither were available in the J Lewis store in the larger size so an online check was made by the sales assistant who confirmed one item was available from stock but not the other and to save me another train journey to the store I agreed for them to deliver the available item to my nearest Waitrose (as you know is owned by JL) as I could easily drive and park on my next visit. The remaining unavailable item I decided to change for a another of an alternate colour and design in the correct size.

Things started to become confusing when the assistant was arranging the online transition for the remaining in stock item to be delivered to my nearest Waitrose Branch for ease of collection. I gave the assistant my name, address, postcode, mobile phone number and debit card number but definitely not my PIN in good faith, it was when I was asked for my bank password I became suspicious and decided to withdraw and requested a full refund for the two returned items.

I did at least come away with one very nice jumper but still await my next bank statement to confirm whether the promised refund has actually taken place.

The moral of this story is to always try articles of clothing on before purchase as sizes can vary according to changing design and fashion and your usual size is not necessarily going to fit.

Came into this conversation via the Which report on shredders. My local council, Havant Borough, very helpfully will not accept shredded paper as recyclable. Guess it reduces their out-sourcing costs if their chosen recycle company can go through the recycled paper and sell on our personal data! Has anyone else got such a security-conscious local authority?

Dave says:
2 March 2016

Yes, my council also officially excludes shredded paper from its fortnightly waste paper collection – although I am not aware of the collection guys actually refusing to empty a collection box..

I’ve owned a series of shredders over the years but they invariably lasted only a short time and none of them ever worked using the claimed maximum sheets in one pass.

Not willing to pay several hundred pounds for a more robust model I invested £19 in a garden incinerator, I only use for confidential waste, of which at least half started life as junk mail.

However, I live in the countryside and only ever burn when the wind blows any smoke away across open fields and is blowing at a minimum 20mph.

Knowing how unreliable home shredders can be, I used the large office shredder at work for years. I saw it as a perk of the job (the other one being the opportunity to work unpaid overtime). I carried on for a couple of years after I retired, taking a bundle of paper when going for lunch with former colleagues, but eventually decided to buy myself a shredder. It took little time to wreck the first one, even using half the maximum number of sheets. I attempted to fix it, so invalidated my guarantee. 🙁 Then I wrecked the shredder I borrowed from a neighbour. I have bought another one with a two year guarantee and I oil it religiously, but have little confidence that it will survive for long.

Which? recommends a number of shredders but the users’ reviews did not give me any confidence.

As with David (above) we burn. Living in the middle of nowhere on a mountain has its advantages.

I lean towards paranoia when it comes to destroying anything with my details on it. Although my current shredder is just a line-cut, all the shredded paper then goes into my compost mixed in with with vegetable & garden waste. Great for the compost.

Peter says:
29 February 2016

I’m not sure there’s any point in shredding mail that has only your name and address on, and no other details. Most people have that information available to all on the Electoral Register. Or am I missing something?

I actually feel my email address would be more useful to a fraudster, and yet I have to supply that to comment here. Funny old world.

Peter, I totally agree. There are many ways in which you make your name and address public. When you buy online or have a delivery from a retailer as just a couple of examples. However their are two electoral rolls – one available to everyone, and one not, so if you don’t want that information made public then take the option offered.
email address? That can be used to target you with spam and malicious emails but,again, you disclose it so widely I don’t know how you can avoid this. Does anyone?

I wonder why we have to opt out of the standard electoral roll rather than vice versa. Why not put everyone on the edited electoral roll by default?

Back in the 70s I was concerned about the possible danger of credit card details being passed on so I used one card with a low credit limit for virtually everything and kept the card with the higher limit for the occasional item above this limit. Though I have never had a problem, I have continued to use my cards in this way. I use PayPal to purchase goods from eBay to avoid giving my credit card details to companies that I have never heard of.

I wonder if it would be worth using different email addresses for different purposes.

This comment was removed at the request of the user