14 DAY TRIAL // Hackers who managed to compromise the computer systems of a third party with access to TalkTalk network are currently leveraging the stolen info to trick customers into providing banking details.
TalkTalk is a large phone and Internet communications provider in the UK, with an estimated client base of four million.
Following an avalanche of complaints from its customers about phone scams during October and December 2014, TalkTalk started an investigation and discovered that a third-party contractor had its infrastructure breached and the attackers stole account numbers, addresses and phone numbers belonging to TalkTalk customers.
In an email warning all its clients about the phone scams, TalkTalk acknowledged the hacking incident and offered tips on how to determine if a caller claiming to be their representative is a scammer.
Victim is tricked into giving OTP, loses thousands of pounds
Records of thousands of customers are estimated to have been stolen and there are reports that some of them got swindled for various amounts of money.
In one case, scammers with Indian accent withdrew ₤2,815 (€3,880 / $4,350) from the victim’s account by gaining their trust with the information stolen from TalkTalk.
According to a report by The Guardian, the victim allowed the crooks to remote connect to his computer and even handed them the one-time password (OTP) necessary for accessing the bank account.
The scammers told the victim that a compromise has been detected at his IP address and a piece of software needed to be downloaded in order to solve the problem. By the time the victim realized it was all a scam, the money had already been transferred to an account from the TransferWise service.
Confirming the call with the company is an effort worth making
In a variation of the scam, the crooks fool the user into purchasing worthless pieces of software claiming to be an antivirus solution, under the pretext that the computer is infected.
Apart from notifying customers of the fraudulent calls, TalkTalk has also taken legal action against the third party that leaked the personal client data.
Security blogger Graham Cluley says that the best way to eliminate suspicion of a scam is to seek confirmation of the call from the company the caller says they represent.