I came (virtually) face to face with a sophisticated hacker at the end of last week. He nearly managed to transfer £77,455 out of my bank account (would have led to the mother of all overdrafts). He gained control of my personal Gmail account and my phone, found my bank manager’s email address and the next thing I knew I was being called to approve a transfer of £77,455 to a Barclays account they claimed belonged to Lewis & Thomas solicitors. I have reported the hacker to the police (a 3rd party provider manages fraud, so I suspect my data will be lost forever and the hacker will never be pursued) by giving them his/her account number and sort code.
I wanted to write down what I know happened and what I think happened around those facts so you can protect yourself.
- My mobile phone (Vodafone) stopped working at 18:00 on Friday evening, so I called Vodafone who told me that someone had, on their 3rd attempt, got through security and registered another SIM card on my account (in all honesty, my Vodafone password was not that complex as I didn’t ever contemplate it being hacked). At that point they, I believe, had control of my phone number, so someone calling my phone number would get through to the hacker. At the very least, I had lost the ability to use my phone. At that point Vodafone put my account on hold.
- On Saturday morning at 9am I received an email to my backup email account for Google telling me that I had successfully changed my password and backup email account. Given that wasn’t me, I followed the instructions to change the password and get control back. However, given I didn’t have my phone working and the hacker had changed the secondary account, there was no way for Google to contact me with the necessary passcode to change the password. Clever hacker. I managed to get Vodafone to forward all calls to my number to my wife’s iPhone so was able to get the code that way. SMS, I learned, cannot be forwarded. Note that my Google password was 10 characters long with a mix of upper and lower case and 3 punctuation marks. Not an easy one to hack, at least I thought.
- At that point I alerted all my banks and credit cards about what was going on.
- On Monday morning my bank (one I hadn’t been able to call on the weekend) called me and asked me to approve a transfer of nearly my entire balance – £77,455 – to Lewis and Thomas solicitors. I asked them to forward back to me the email instruction they were working off. It was sent at 10:52 on Saturday morning whilst I was playing with my kids, blissfully unaware that my account had been hacked.
- I immediately called the police, who forwarded me to their outsourced fraud provider, and gave them the story and the hacker’s sort code and account number. Who knows what they’ll do with it. The woman I spoke to told me that it can take years to build up a case against people. I heard the fateful words: “given he didn’t actually manage to take any money from your account….”. Idiotic.
What I have done about this:
- I have removed my mobile phone number from all my email signatures to make it a bit harder for hackers to find my mobile phone number
- I have enabled 2-step authentication for as many accounts as I can
- I have created new, very complex, passwords for all my accounts and have saved them in a place that cannot be accessed by a hacker
- I have searched my Gmail account for my bank account numbers and permanently deleted all emails in which they appear
I hope this doesn’t happen to you. If you follow the steps above, it’ll be less likely.
If you want to read more, apparently Dark Markets covers the subject well.