TalkTalk customers targeted by call centre scam

Credit: Piotr Swat/Shutterstock.com

According to a BBC investigation, the fraudsters are working in call centres for large criminal gangs, who managed to obtain customer contact details that had been leaked from a legitimate third-party contractor in India.

With these details, they were then able to convince people that they worked for TalkTalk, with some victims being duped out of thousands of pounds.

However, while this once again highlights TalkTalk's poor record of protecting customer data, other customers with other providers have also been targeted by a similar scam.

Trojan horses

The revelations of this latest TalkTalk scandal came from three separate whistle blowers, all of whom worked in two "front-companies" set up specifically to defraud customers of money.

They testify to working in teams of nearly 60 people, reading from a prepared script intended to quell any suspicion a TalkTalk customer may have had that they were trying to steal money from them.

As they explain, their whole aim was to convince customers that they'd detected viruses on their computers. From this, they'd then guide victims through a procedure they claimed would remove the offending bug, but would actually install a Trojan on their devices.

This Trojan would then allow them to remotely control the targeted computers, which they'd use to gain access to their victims' online banking and make payments to themselves.

One customer reports to having had £5,000 stolen from them using this method. However, the full extent of the scam isn't yet known, so it isn't possible to say how many others have had similar amounts taken from them.

Outsourcing and risk

At the very least, it's unlikely that it matches the scale of the November 2015 hack, which resulted in 156,959 TalkTalk customers having their personal details leaked online.

It also resulted in TalkTalk being fined £400,000 by the Information Commissioner's Office for failing to take "basic steps to protect customers' information", yet in this case it's not TalkTalk themselves who have failed to protect data.

Rather, it's believed to be Wipro, the India-based IT services company TalkTalk outsourced some of their call centre operations to in 2011.

Last year, three employees at the company were arrested on suspicion of illegally selling TalkTalk customer details, although how much data they managed to leak was never disclosed.

Despite questioning on the matter, all TalkTalk could provide us was the following statement, "We are aware that there are criminals targeting a number of UK and international companies, and we take our responsibility to protect our customers very seriously."

Still, what is clear is that TalkTalk continue to use Wipro, and it's precisely the reliance on outsourced call centres that has given rise to this latest issue.

BT and others

And given that this reliance isn't restricted to TalkTalk, customers with other providers have also reported similar frauds.

For example, up until the end of 2016, around 50% of BT's customer calls were handled outside the UK, while today the percentage sits at around 20%.

Because they relied heavily on Indian call centres, and because they still do to a smaller extent, they've exposed themselves to a certain degree of risk.

As a result of this risk, BT customers have also experienced attempted frauds, with the provider issuing a warning last April with regards to customers being phoned by fake call centres.

They noted that fraudsters claimed to be working for other companies beside BT, including Microsoft. However, the method being used was exactly the same as with the TalkTalk scam, with callers telling customers that their computers are infected with viruses and need to be fixed.

This is also what has been confirmed to us by one BT customer we spoke with, Joanne. She told us, "Their message was that my broadband security had been compromised and I needed to listen carefully and follow their instructions on my computer and they would fix the problem."

However, in contrast to the unlucky TalkTalk customers who were defrauded of money, Joanne was suspicious enough not to go along with their ploys: "We did not get to details of financial payment as my scepticism brought things to a close before we got there".

Nonetheless, despite avoiding the loss of any money, Joanne confirms that such attempts are still ongoing today, with the last one occurring "just a few days ago".

In the face of such threats, BT published a range of tips on staying safe against fraudsters. These include:

• Never offer private or personal security information to unsolicited callers (even if they quote your account number)
• If a caller claims to be from BT and you are concerned, ask them to leave notes on your account and you can then call BT on 0800 800 150 to confirm the call is genuine. Always check that the phone line has been cleared by the fraudsters and you are able to dial out as normal.
• Never provide personal information, such as credit card or bank details, to an unsolicited caller. BT will never send you an unsolicited email asking for personal/private details or banking information.

This is all sound advice, especially since 92% of internet service providers report experiencing cyberattacks regularly, with 31% experiencing them daily.

These attacks are in addition to call centre frauds, underlining the often staggering scale of the threat posed to ISPs, and why their customers must unfortunately be vigilant at all times.

Have you been targeted by call centre frauds? How did you or your ISP respond to them? Share your experiences by leaving your comments in the section below.