Here’s how the ‘BT Broadband Security’ scam works – a victim’s narrative

The main reason why there has been no recent activity on For Argyll is because the editor became the victim of a very sophisticated and very plausible ‘phishing’ scam that appears to be doing the rounds.

One consequence is that the normal newsroom system is now toxic and a replacement had to be set up – but all the files and emails are in the quarantined system. So heartfelt apologies for the absence of stories that ought to have appeared; and to those whose emails have gone unanswered – and will remain unanswered until they can be made safely accessible.

We hope it will be generally helpful to have a first hand account of how this scam was perpetrated. Here it is.

The ‘BT Broadband Security’ scam

I was phoned at about 9.45 by someone who said that they were from BT Broadband and their call was in connection with the new fast broadband supply to my area.

What made this immediately plausible was that BT Openreach engineers have been in the village of Furnace, where I live, for some days – installing fibre broadband.

Phase 1 – of what became a two and a half hour phone procedure

This caller – ‘David’ – was Scammer No 1 in a sequence of three. He spoke with an Indian accent. He first asked if I had noticed that my internet speeds had been low lately. I had indeed – but had not complained because I knew the BT Openreach engineers were at work locally and put it down to system upheavals. ‘David’ said that the speed reduction was because of the extent of fraudulent use of my IP address.

My bank’s Fraud Team say that the scammers may well  have caused my internet speeds to drop, in preparation for the call – to add to their apparent authenticity.

‘David’s’ pitch was that in checking out the local users of the service during the process of this installation, BT had discovered some serious anomalies in my IP address. It had been ‘used  many times from foreign addresses’; and that, in getting the new system ready to operate properly, they wanted to help me sort out my internet security issues.

The first thing ‘David’ got me to do was to download an application – join.me – that would help them to help me. I did it [and no one should ever do this sort of thing].

I got an immediate message saying that my screen was being shared.

This was a matter of potential alarm and I immediately said: ‘Hang on. You haven’t told me who my screen is being shared with. This could be an almighty scam. How do I know you’re from BT’?’  This may sound intelligent – but I meant it only theoretically. I had already accepted the call as authentic – because of the local presence of BT Openreach engineers – and saw ‘David’ simply as ignorant in the proper informing of  customers.

His response was that there was no cause for alarm; that my screen was being shared only with the BT team to allow them to talk me through some actions to get my internet security repaired; and that I would be getting an email from his boss, Alex Ebrahim.

That email duly arrived from a btinternet.com address and with the BT logo at the foot. It was little  more than a point of contact and, since I had already assumed that the call was genuine, I did  not even see it, or need it, as a validation device.

Next came some incoherent technical guff about Ofcom checking the BT installation and that if it did not meet the stellar speeds he said I should expect and had to be changed, it would all be done by an engineer and would not cost me anything.

This made no sense –  I put the incoherence down to English  not being the ‘operative’s’ first language. I did ask some clarifying questions which confused him greatly and he quickly put me through to ‘a technician’.

This was Phase 2 – but note that the purpose of Phase 1 had been achieved – the door had been opened for the scamming team to exploit.

As soon as I had downloaded join.me and ‘shared’ my screen, they could see the full details of everything I opened under their long series of instructions.

Phase 2

Scammer 2 – the ‘technician’ – was called ‘Ron Spencer’. He was English, speaking with a generic English voice, no specific regional accent.  He was relaxed, knowledgeable, lucid, methodical and had an easy going persona that rang no alarm  bells whatsoever.

He explained that his job was to talk me through the processes which would identify the weaknesses in my internet security, so that they could help me to secure my IP address and my other online activities which their [‘BT’]  checks had found to  be compromised.

Because the focus was on my IP address, I did  not question why it was any of BT’s business whether my personal internet security was good or horrendous. I just got on with doing what I was asked to do.

‘Ron’ wanted me to check my main online shopping accounts. They would have been seeing every account screen I opened on the major supplies I and most people use for online shopping.

Then he wanted me to check on the security of my digital banking.

When I said that I  had had an earlier problem [not security related] with my digital banking and had  not reapplied for the service, he said not to worry, he would talk me through that.

He actually talked me through a re-registration process for online banking – during which the scammers would have seen me enter – and access – a lot of immediately useful personal and financial detailsg

This included the new Customer Number the bank allocated to me during the re-registration.

He knew a lot more than I did about that digital banking system – including the fact that the Card Reader you apply for to assist your use of digital banking to pay bills online is simply a device capable of accepting any card – and is  not tied to a specific  account.

The point of this was that it was then possible for me, under instruction, to use my partner’s Card Reader and put my card in it, validating that with the new Customer Number I  had been given – and they had seen.

Then it was time for me to call up my account summary – which, since we have a separate joint account for household expenses, allows any of us to see all of the individual accounts held by each named individual on that joint account. [This is a separate issue of concern to me about my bank’s normal procedure and one I had recently become aware of for other reasons.]

At this point, the scammers could see my account summary list, with the sort codes, account numbers, account types and account balances of each member of my household.

I was asked to check out my own account to see if there had been any unauthorised spending in the past month. I carefully checked each item  – unwittingly giving them plenty of time to see all of the detail.

The need to explain – which is in my  nature as well as part of what I  now do, led to me helpfully explaining why there were several accounts listed; and that at this point I would need to get my sister to come and check the activities on her personal account – which I then did. There was nothing strange that either she or I could detect on any account.

The pace of progress through the matters I was instructed to check was slow and measured. Now I realise that, once the door had been opened and the key information exposed, this pace was designed to allow the scam team to get busy at once – while the long call proceeded.

The snail’s pace was clearly [and successfully] designed to keep me occupied and leave me unfree to start making any premature enquiries I might suddenly have been minded to make.

I know now that some of the four attempts to take money from our accounts were made during the call.

Eventually, after ‘Ron’ had talked me through everything he wanted to ‘help’ me check out, he said he was now passing me on to his supervisor, Alex Ebrahim, from whom I would already have had an email and who would talk me through the  last technical procedures to secure my online activities.

I had been so impressed with ‘Ron’s’ knowledge, patience and forensic thoroughness that I asked him how I should go about registering officially my positive rating of his conduct of the procedure. [It’s my habit to do this for Customer Service staff who are first class at their job and who can be underrated in what is a very important connection.]

‘Ron’ seemed surprised – and rather amused somehow. I put this down to embarrassment at praise – now I understand how hilariously ironic my response will have been to him.

He put me through to ‘Alex’ with his own warm thanks for my assistance – a second irony only recognisable after the event.

Phase 3

On to Scammer 3 –  ‘Alex Ebrahim’ – an Indian voice, much less coherent and focused than was ‘Ron’, the key class act of middle-man in the operation.

‘Alex’ was to take me through the technical process of identifying and trying to correct the claimed multiple breaches of my online security.

His real job was to take up more of my time, allowing the scam team to make the subtractions  from the accounts of which they now knew so much; and to keep me occupied until they had done so.

His job may also have been to cream off some more money in a secondary scam.

He directed me to open an online application from ‘MacPaw’ called ‘CleanMyMac 3’; to choose the free download version; and to set to to scan my system for mischievous invasions.

First, its scan returned a horrifyingly long list of red headlined ‘errors – andfn tthen ‘.

Then it began to search categories of these errors – at which point it declared that it had failed and could  not complete the scan.

Alex said not to worry, just to try it again. This, of course, kept me tied down for longer and not thinking beyond the immediate task to be done.

CleanMyMac 3 failed at the same stage for a second time.

‘Alex’ then said he recommended buying the full version as it was important to get my compromised system cleaned. He told me how to get back to the page offering the choice of the free download or the full version.

The full version required licenses to be bought for the number of computers in a household. We have four, one a seldom used older desktop machine, ‘Alex’ helpfully suggested that dfor three laptops a licence for two would do [at over £54] since the third machine couold try the free download [which had already failed me].

I bought this licence – and paid for it with PayPal. In this particular circumstance using Paypal now seems laughable,  I prefer it, where it is a payment option, because it seems a  more secure system than is serially entrusting the details of your debit/credit card to sources of unknown integrity.

The later Paypal  notification of the request for payment was to a company called ‘Fastspring’.

After displaying  three new ‘errors’ – of which ‘Alex happened to enquire if any were described as ‘fatal errors’ [one – of course – was], the full licensed versionof CleanMyMac 3  also failed to function

‘Alex’ eventually seemed to lose interest in the need to be sure my system was securely cleaned. He declared that by then they knew enough to be certain that they’d got everything properly repaired.

Then he ended his sign out by saying that the BT system was now finalising the clean up and that I should not use the computer for 45 minutes – giving me a phone number [bogus] to call him or ‘Ron’ at that point, if my system was not behaving normally.

By this time I had been on the phone for over two and a half hours and felt pretty demob happy.

Postscript

My sister immediately put some stern perspectives on my lack of suspicion – all of which suddenly seemed painfully obvious and added up to a pretty dreadful scenario.

I got on to BT Openreach – who heartsinkingly confirmed they had no employees called ‘Alex Ebrahim’ or ‘Ron Spencer’; and volunteered that the company had made no phone call to  my home number for at least a month.

I got on to my bank’s Customer Services department and then to its Fraud Team.

I was very lucky – undeservedly lucky – that the bank’s own security system had identified as ‘unusual activity’ the requests for payment that had been made to each of four separate accounts – and had blocked payment.

I was also lucky that I although I had recognised the scam too late – I had done so quickly enough to confirm the bank’s concerns in time.

These payment requests were then rejected and the Fraud Team put the matter in the hands of the law enforcement authorities – whatever they can do about it.

Our accounts have been put beyond compromise. My debit card has been cancelled and its Pin number access killed – at my request because I had a horrid memory of having typed it into something [on my shared screen] during that interminable ‘procedure’.

I have been removed from online banking for the time being – but may reapply when my new card arrives. Until then I can get money only in person at my bank branch.

The Fraud team will talk to Paypal and even that amount may be recoverable.

I  have changed my online shopping usernames and passwords. I am arranging for my compromised laptop to be professionally cleaned and cannot use it until that has been done. I am using a light Mac I had recently got for travelling; have recovered my access to For Argyll’s ‘back office’ on it; and have set up an online email account.

This means that I can function within the limits of having access to no records of any kind for the time  being.

The consequences of being suckered in to this sort of fraud tend to run on.

I am embarrassed by my stupidity. Rather than mask it or excuse it, it seems  more useful to be open about the extent of that stupidity – and the reasons for it – as a contribution to greater awareness of now these thieves work; and of how well prepared, how strategic and how painstaking such scams can be.

This is not a full account but I have spared no detail of my own gullibility in this particular scam.

Be suspicious and don’t be ashamed of it.

Lynda Henderson