Peter A Clarke

The Australian Competition and Consumer Commission (ACCC) has issued an alert about phishing scams stating that so far this eyar there have been 11,000 reports and a loss of $260,000.  Given under reporting is the norm it is likely that the losses are much greater.

The media release provides:

The ACCC is warning people to stay alert to ‘phishing’ scammers pretending to be from well-known businesses and government departments trying to con unsuspecting victims out of their personal information and money.

So far in 2017, the ACCC’s Scamwatch has received more than 11,000 reports of this scam, with nearly $260,000 lost.

Phishing scams are the most common scam reported to Scamwatch—reports are 63 per cent higher than the next most popular category. Statistics also show that older Australians (those aged 65+) are particularly vulnerable to this scam and that email or the phone are the scammers’ preferred tool of the trade for contacting potential victims.

“Scammers use phishing to trick their victims into giving out valuable personal information such as their bank account numbers, passwords, credit card numbers or even their online passwords for their PayPal, Apple or social media accounts. Any personal information you have is potentially valuable to a scammer and they will try to get it off you in a variety of ways,” ACCC Acting Chair Delia Rickard said.

“The vast majority come either via the phone or email. The scammers will pretend to be representatives of well-known organisations, like a bank, phone company or government department like Centrelink or the Australian Tax Office to give them the air of legitimacy.”

“The scammer may say that the bank or organisation is verifying customer records due to a technical error that wiped out customer data. Or, they may ask you to fill out a customer survey and offer a prize for participating. These are all part of a scammer’s bag of tricks they use to get you to give up your valuable personal data,” Ms Rickard said.

Scammers can use their victims’ personal information to carry out fraudulent activities, such as using their credit cards, stealing their identity or scamming friends and family of the victim. Many victim reports to Scamwatch, for example, say they noticed a large increase in spam emails after phishing scammers obtained some of their personal information.

“We’re so used to providing our personal information when we sign up for services over the phone or shop online that sometimes we don’t think twice about giving it out,” Ms Rickard said.

“However it’s very important you closely guard your personal information. Delete any email or hang up on a phone call that you receive out of the blue that is asking for your personal information—even if it purports to be from a well-known business or government organisation that you have previously dealt with and trust.”

“If you think your information has been stolen by a scammer, report it to the relevant institution immediately. For example, if you think they have your bank details, get in touch with your bank; if you think they have your login to a social media account, contact that site to report it. The sooner you can act, the better,” Ms Rickard said.

But phishing from the person whose personal information is sought is not the only form of phishing.  Phishing organisations and firms that necessarily hold personal information, such as law firms, insurance companies and health services, is another way of illegally accessing data. The Information Commissioner’s Office has highlighted the story of a former claims manager who engaged in, to use the vernacular, blagging calls to access personal information.  The information was taken from insuranace companies and sold to personal injury lawyers.  It is an example of data being monetised in the legal/insurance industry.  To get such information the training of the insurance staff would have been poor and the security of the data woeful. Unfortunately phishing techniques can be quite persuasive and sophisticated.  Conversely training of staff in this area is often rudimentary and relatively little time, effort or money is spent on securing personal information.

The ICO release provides:

A former claims company manager has been prosecuted for leading a team involved in ‘blagging’ calls to illegally obtain personal data.

Joseph Walker appeared at Liverpool Magistrates’ Court and pleaded guilty to 12 offences of unlawfully obtaining personal data under s55 of the Data Protection Act. A further 44 similar matters were taken into consideration.

The case concerned what are known as blagging calls, which were made to insurance companies to illegally obtain information about policy holders and road traffic accidents they had been involved in.

At the time of the offences, Walker worked as a manager at a claims management company, UK Claims Organisation Ltd, based in Liverpool.

Data originally obtained unlawfully from a car hire company was used by the employees of UK Claims Organisation Ltd as leads to make calls to insurance companies.

Staff used various guises, including claiming to be calling from solicitors firms, to obtain further information from the insurers, in order to be able to sell cases on to solicitors as personal injury claims.

Elizabeth Denham, Information Commissioner, said:

“Blagging calls are one of the many disreputable and dishonest tactics we see being used by rogue firms. People’s personal data has real monetary value and this practice shows the lengths some people and organisations will go to in order to get hold of it.”

Walker’s co-defendants, former UK Claims Organisation Ltd employees Lesley Severs and Kayleigh Billington, were fined in November 2016 for their involvement, acting on the instruction of their manager.

Walker, 30 – who is originally from Liverpool but now resides in Australia – failed to attend that hearing and was arrested on a warrant during a visit back to the UK.

He was fined £2,000 and was also ordered to pay prosecution costs of £1,600 and a victim surcharge of £15.

The story is repored in Global Legal Post at Fake law firm fined for unlawfully obtaining personal information which provides:

A former UK Claims Organisation manager has pleaded guilty to more than 10 offences of unlawfully obtaining personal data. He was fined £2,000 and ordered to pay prosecution costs of £1,600 as well as a victim surcharge of £15.