The BBC has revealed details of how a food bank in the UK was connedout of about $63,000 (£50,000) by scammers who used two separate attacks to fleece their victims.
A food bank is a way for people to ensure they don't starve. They are a backstop during times of economic uncertainty, and have been hugely important during the pandemic. An attack on a food bank is an attack on the most vulnerable that's likely to have a significant impact on a community, and which could have a terrible knock-on effect.
There's no indication that the fraudsters deliberately targeted the food bank, but whether they did or not, it loses little in awfulness to hospitals impacted by ransomware outbreaks.
This is how the two attacks occurred:
Part 1, a bogus NHS Test and Trace message
The initial attack was a fake NHS Test and Trace message.
From PPE offers to test and trace messages, COVID has been a mainstay of phishing since early 2020. No matter the region, the pandemic ushered in an age of fake delivery notifications and bogus "You may be infected" websites.
In this case, an SMS message was sent to the target claiming they had been in close contact with somebody who was Covid-19 positive.
We have seen these kinds of messages is sent out by SMS and email. Scammers may claim that tests are mandatory (they are not). Sites may collect the victim's name, address, phone number, email, or more besides, and at the end of the flow, they may ask for a "postage fee" and your payment details.
In this case the scammers asked for payment for a PCR test. The demand for payment might once have been a red flag, but since the end of free testing in the UK, it isn't.
For most people, this is where the scam ends. Sadly this isn't the case here. The small payment was used as a stepping stone to significantly greater losses.
Part 2, a call from a fake bank
The victims called their bank, suspicious of fraud. By an unfortunate coincidence, the criminals called the food bank trustees back pretending to be their bank.
It's possible the fraudsters took the card details given to them in the first scam and figured out which bank it belonged to. For example, the first 4 to 6 digits of a Bank Identification Number(BIN) can reveal the card issuer. Armed with this information, the scammers would know which bank they need to pose as. (It's also possible they never mentioned the bank at all—someone already in touch with a bank may not suspect anything amiss from a supposed follow-up call.)
Either way, the scammers asked if any "linked accounts" could have been affected. Concerned for the food back, the victims handed over its bank account details. The scammers proceeded to empty the account of "well over $63,000" across a two-day period.
Tips to avoid this scam
Routine contact tracing ended in the UK in February 2022, so any messages that don't arrive via the official NHS app should be treated as bogus.
If you receive a call from your bank, call them back using a number from their website. Don't use a phone number (or any other information) provided by the caller, and don't provide any identifying information until you are sure you are talking to your bank.