Toby Carlin, Senior Director of Fraud Consulting at EMEA, FICO, examines a wave of Brexit scams and offers advice on how to spot, prevent, and report them. The insights were shared with Finbold’s editorial team on January 21, 2021.
A fraudster’s perfect storm has broken in the UK. When the country voted in favor of Brexit in June 2016, it signaled the start of a long, painstaking journey to split from the European Union. Politicians clashed over trade deals, European citizens living in the UK became unsure of their residential status, and newspaper headlines provoked more questions than they answered – a fraudster’s dream.
Even in the “Post Brexit” world that we now find ourselves in, significant confusion, persisting fears of COVID-19, and the quickly approaching end of the tax year all combine to present criminals with an ideal opportunity. We are already seeing the attacks step up in line with the public interest and reporting as the UK officially leaves the EU.
Fraudsters are only limited by their imagination, and with Brexit scams, they target both European and UK citizens. The main targets in the EU are businesses. Scammers can adapt incredibly quickly to send out an email asking if the organization works with or is connected to any British company. These will often look like they come from an official source.
In the UK, however, their sights are set wider, and anyone is fair game. Whether it’s for employment or travel, UK residents will have an obligation to inform themselves on new rulings and expectations borne out of Brexit. This is where the door is left ajar, and fraudsters can spread misinformation and perpetrate their scams.
Playing the long game
Whilst some fraud will be carried out quickly, we still expect many of the fraudsters to play the long game, executing so-called data farming scams aimed less at a quick buck than at stealing data that can be used later.
Instead of looking for immediate financial gain from a data breach, fraudsters will attempt to obtain as much personal information as possible – and the more personal, the better. Passport numbers, ID cards, and even health insurance have all been recent subjects of data farming scams.
This information will then be used in the months to come – perhaps when the media attention has subsided – to the criminal’s benefit. When the time is right, they can go directly for funds or use the information in other impersonations.
An example of this occurred when the personal data of nine million EasyJet customers was hacked. When announcing the breach to the media, five months after the attack, EasyJet said there was no evidence that any financial information of any nature had been misused – a fact that was confirmed by FICO’s own data as there was no immediate attack.
What is important in this case is that whilst financial data may not have been the target, the wider personal data set allows the fraudster to better perpetrate an account takeover, scam, or ID theft.
Fraudsters are also using more layered attacks. In multi-channel scams, fraudsters send out a mass phishing email saying, for example, companies must complete a checklist to prepare for Brexit.
There are often deadlines attached to impart a sense of urgency. The email is followed up with a phone call, which could eventually lead to a financial transaction. This is a volume-based attack where fraudsters are looking to see who nibbles and then defraud them. To execute these scams, criminals are using the same kinds of auto-diallers and communication methods used by most reputable institutions.
Three Brexit scams
Unpaid tax warning – Criminals have come up with a new twist on the unpaid tax scam. The fraudster sends out an email or makes a phone call impersonating an HMRC employee, stating that the victim has not paid all their taxes and faces a jail sentence if they do not do so immediately. In the Brexit version, the scammer may say that the victim needs to pay now, or new rules will come into play that will increase the tax debt or even limit the ability to do business.
Get-rich-quick – Another scam taking place is based around investment. Fraudsters will make contact, usually through email, to disclose information about a company that will succeed after Brexit has happened. This get-rich-quick scam requires an investment from the victim after the fraudster describes the potential gain.
Invalid passport – We are also seeing a passport scam, in which criminals tell victims that their passport will no longer be valid in the hopes of getting the passport information, which can then be used in nefarious ways. In addition, the victim may be coaxed into paying for a new passport – a double win for the criminal.
How to handle a Brexit scam
We are seeing many Brexit scams now taking place; the first step in prevention is vigilance. Fraud cannot be stopped if it’s not spotted first.
- Look for official government advice on anything concerning Brexit.
- Make sure to conduct your own searches for information and always use a reputable source.
- Watch out for calls or emails that pressure you to make an instant decision, or you will lose money, be fined, or miss out on a great opportunity — this is one characteristic of scams.
- Never open attachments if you weren’t expecting the email and don’t know the source. Brexit scam emails may include attachments that you “must read now” or “must complete today,” and these attachments can release malware.
- Be wary of exaggerated claims. Some scammers tell victims that if they don’t make a payment now, their Amazon account will be canceled, or their bank account will be frozen. HMRC would, of course, do neither to resolve a late payment.
- Ask yourself if you are expecting the email/communication and, if not, be wary.
Unfortunately, there is no one-size-fits-all solution to fighting scams. Many active fraudsters are clever and creative, so the best thing an individual or business can do is be aware of ongoing scams, using the multiple online education resources available from their governments and their banks.
And if you spot what looks like a scam, report it to the Government databases that track and take down illegal websites. Banks responsible for protecting their customers should have a robust, real-time, scalable platform capable of learning and adapting to the ever-changing threats and seeing the simple customer-level picture regardless of their channel or origination.
This seems simple to many of our global partners, but payment is often where more risks are taken and must be consistently protected to prevent further exploitation.