The tip of the infosec iceberg?

Posted: 03/21/2017 - 08:12

Recent stories by, amongst others, the BBC detailing large, well-organised and presumably very profitable scamming organisations targeting UK TalkTalk customers have hardly helped the already-lowly reputation of offshore contact centres - but may unfortunately be only the tip of a perilous iceberg.

Last year TalkTalk was fined a record £400,000 for failings which contributed to the theft of data of belonging to over 156,000 customers. The BBC recently described how at least three fake TalkTalk contact centres had been set up in India, with dozens of 'FTEs' calling customers pretending to be agents of various TalkTalk departments and asking for sensitive information. Call scripts were published containing, amongst much else, objection-handling tactics, and intimate details published giving the impression of complex and rapidly growing organisations. Victims have reported losing thousands of pounds as a result of these scams and negative publicity for a much-maligned industry has been widespread.

Sadly - and worryingly - it seems to me very likely that these organisations, and this data leak, are far from alone. (Here I must admit that what follows is entirely anecdotal, and the situations I describe could well be extremely anomalous, but it seems too coincidental not to warrant at least some comment and perhaps further investigation.) Over the last week I have heard from close contacts that they have received similar calls from those made to TalkTalk customers - using much the same approach and scripts very reminiscent of those published by the BBC - yet the three calls I know of have purported to come from two large, multinational providers, neither of which is TalkTalk. None yielded any data, since my three contacts each smelt a cyber-rat, but in such a numbers game it doesn't take too many calls to strike gold.

Though other explanations are entirely plausible, it seems possible that the TalkTalk data breach is not unique and that other providers may have been compromised - perhaps on a much smaller scale, of course - and, further, that similarly complex scamming outfits remain very active. Three professionally scripted calls and two 'host' providers reported within a week from within one person's social circle suggest more than random solo chancers in their bedrooms; rather, multi-caller operations with long prospect lists.

What seems to me even more concerning, in some ways, is that of the three people who've told me of their being targeted, none has contacted the authorities, nor their providers, in any way. Yes, their cyber-awareness has been sufficiently refined to have defended them from the fraudsters' forays, no doubt much to the satisfaction of security experts who've spent decades pleading with the public to wise up - but they haven't taken the vital next step of telling anyone who can actually at least try to stick their fingers in the metaphorical data dyke. Though, again, to be clear, I am not stating that this has actually happened, there could be significant leaks going unreported by the providers themselves - not wilfully, but because they're simply not being made aware of them themselves.

It's fascinating to hear the explanation - singular because there's only been one, though presented in three different ways - for such a reluctance (an attitude that an associate describes only half in jest as "a dereliction of cyberduty) to inform the providers in question: it's pretty much a shoulder-shrugging apathy, part "what's the point?" in disbelief that the providers will act on reports anyway and part simple resignation in the face of a ceaseless and swelling multichannel flow of assaults from scammers. How many emails a day does the average office worker receive that look and quite possibly are cyberdodgy - and how many of those are simply deleted or ignored without embarking on a bothersome journey down corporate infosec guidelines? How many texts from unknown numbers offering great deals get erased without being forwarded to any supposedly investigative regulatory body?

As consumers we've become accustomed to cybercrime as background noise, perhaps as the drone of a wasp which we may occasionally beat away but can't rouse ourselves to kill, let alone to find and destroy the nest. We shake our heads at the stories of people duped into catastrophe, but feel staunchly - even - smugly confident in our own superior cybersenses and barriers. Perhaps this complacency is warranted - after all, my three contacts gave away nothing - but it seems collectively foolish not to go for the nest before the wasps swarm upon us. Attacks grow inexorably more sophisticated: surely we must too? And yes, that most certainly includes at least a couple of UK telco operations who should at least be asking if there's anything significant about a few phone calls made last week to London.

Region: 

About The Author