Scammers posing as IT departments, telecoms providers and banks are tricking victims into relinquishing control of their devices to hack into their accounts and steal sensitive data.
One of the worst cases we came across resulted in a Which? member losing £80,000 after a ‘BT engineer’ phoned about service problems in the area. Her bank eventually agreed to refund the money but other victims of remote access fraud have been told their banks will not cover losses if they give access to their devices.
Impersonation fraud shot up by 84% in the first half of 2020, with almost 15,000 reports and £58m lost, according to UK Finance. At a more granular level, Action Fraud says that it received 14,893 ‘computer software service fraud’ reports between October 2019 and September 2020, with reported losses reaching around £16.5 million over that period.
Yet the use of remote access software is not very well known – our survey of the general public in September 2020 found that four in 10 people have never heard of it, even though we had explained how these tools are misused by scammers to gain access to devices.
What is remote access software?
Remote access software enables you to use one device to access another from any location by downloading a smartphone app or installing a program on your computer. A simple passcode will then connect the two devices.
Although many legitimate businesses use this technology, including the Which? Tech Support team, criminals also use it for nefarious purposes.
Typically, you get a phone call from someone claiming to be from a known company (commonly impersonated firms include Amazon, BT and Microsoft), in which they try to convince you to grant them access to your device, claiming they will fix a spurious problem.
Action Fraud recently reported that an Amazon Prime scam involving remote access software has cost victims over £400,000 in two months.
Other scammers are sneakier still, directing you to websites where clicking on the various brand names downloads the software, although they would still need you to enter a code to connect to your device.
Once they have access, they may put up a fake screen and work in the background to download other software or steal passwords and other personal data.
Based on reports to Which?, TeamViewer is the brand of remote access software reported as being misused by scammers most often, although others include AnyDesk, LogMeIn and GoToAssist.
- Find out more: on the phone to tech support scammers – we allowed an alleged scam support company access to our PC to learn how they persuade victims about made-up computer problems
Revolut remote access scam
As we reported in September, multiple Revolut customers were recently scammed after a fake Google advert resurfaced.
All of them phoned the customer service number provided and were connected to scammers posing as Revolut staff before being tricked into downloading remote access software in the belief that they were talking to the e-money firm.
Since May, Which? has been contacted by 17 victims of this specific scam. We’re concerned that Revolut was slow to give these victims a final response about reimbursement – many told us they felt like they were left hanging via the app chat and several were repeatedly asked for information they had already provided.
Though Revolut has been aware of the Google scam ad since at least March 2020 – when Which? first reported it – its customer service agents sometimes failed to offer even basic fraud advice such as telling victims to remove the remote access tools from their devices.
Revolut reimbursement lottery
Also troubling is the seemingly random approach to Revolut’s decision making.
While Revolut has reimbursed at least three victims that we are aware of, others have been told they will not be refunded.
One was told by a chat adviser ‘we have concluded that your decision to give the alleged fraudsters remote access to your device means that your request falls into a category in which we cannot assist and therefore we will be unable to refund you’.
In some cases, scammers sent fake emails that appeared to come from Revolut. A genuine chat adviser admitted to one victim that ‘the only reason why I would question these emails is because I am an engineer in electronics’.
The victim is understandably upset that Revolut will not refund her despite acknowledging that it would require technical expertise that can’t be expected of a normal customer to avoid being scammed in this way.
Another was given no specifics and was simply told in the bank’s formal response that it would not refund the £12,000 fraud losses because ‘after our agents from the relevant team analyzed your case, it seems like they could not find a way to further assist you with this.’
We asked Revolut to explain why victims of the same scam are being treated differently. It told us: ‘Revolut takes the protection of all our customers extremely seriously and does all it can to support victims of fraud. We thoroughly investigate all customer claims relating to fraud on their account and all decisions are taken on a case by case basis.’
‘While we can’t comment on the details of specific and ongoing financial crime investigations, when fraud happens we support customers in trying to recover misappropriated funds and provide guidance on how to proceed in line with best practice.’
- Find out more: how to get your money back after a scam
How ‘BT’ scammers stole £80,000
Claire (not her real name) had no reason to suspect foul play when BT called about her slow internet speeds. She had been having issues and was happy to follow instructions when the caller said checks needed to be carried out on her PC.
The caller directed her to what appeared to be error messages that ‘proved’ there had been a security breach (this may have been the Windows Event Viewer program, which is used to view Windows logs related to normal activity but could easily alarm someone who is unfamiliar with these logs).
She agreed to download TeamViewer – she was told this was to clean her system and install a new firewall – and was asked to log into various retail and online bank accounts to check all her monies were as they should be.
Having no idea that the scammers could see everything she was doing, she logged on to her First Direct and Nationwide bank accounts. They later moved money from her Nationwide savings account into her current account before transferring £75,000 to First Direct – the payments were made in eight transfers, all labelled ‘flights’.
As her First Direct account was an existing payee, there were no additional security checks as there would be for a new payee. Next, the scammers moved £80,000 from First Direct to various external accounts in their control. She was tricked into giving the scammers security codes generated from her Secure Key, in the belief that they were setting up a new security system and testing the effectiveness of the firewall.
What action did the banks take?
First Direct says it raised a security alert over the phone but was unable to speak to her for verification – her phone line was jammed by the scammers – and allowed the transfers anyway.
Both Nationwide and First Direct told Claire they wouldn’t reimburse her because she had granted access to her online bank accounts. When Which? approached the two banks about the case, Nationwide recognised that she didn’t authorise the payments to her First Direct account and refunded the £75,000 to her current account.
Although First Direct had recovered two payments, it maintained its original position, refusing to reimburse the rest on grounds of gross negligence – because she failed to take all reasonable steps to keep her security credentials safe.
We don’t believe giving remote access to a device automatically amounts to gross negligence. We advise victims to involve law enforcement and escalate their complaints to the Financial Ombudsman Service if their banks refuse to reimburse them.
- Follow our step-by-step guide on how to take your complaint to the Financial Ombudsman Service.
Who can stop remote access scams?
While customers are urged to ‘Take Five’ to avoid scams, putting a stop to any kind of fraud requires joined-up thinking – in this case from software providers, banks and the authorities.
Misuse of remote access programs gives grounds for account termination and providers say they monitor accounts for unlawful activity, working with authorities to report abuse.
- TeamViewer told Which?: ‘Stopping fraudulent activity remains a high priority for TeamViewer, and we strongly condemn any criminal activity perpetrated by bad actors on the platform. Privacy and security are central to our business, and we look into every single case that is reported, updating countermeasures accordingly and working diligently to keep our users and customers safe.’
- A LogMeIn spokesperson said: ‘We take scammers very seriously. Use of any of our products for nefarious or illegal purposes violates our terms and is immediate grounds for account termination. To protect consumers, we conduct both proactive and reactive approaches – including monitoring accounts for unlawful use, cancelling accounts that partake in these activities, employing session limitations on trial accounts, and adding friction to our registration page to reduce re-trialling once banned. We also work with proper authorities to report the abuse.’
- AnyDesk told us: ‘We have established concrete steps to protect our users from scams, e.g. we’ve installed a scam warning into the app, telling users to be cautious with whom they share their AnyDesk logins and we are constantly reminding our users not to share their AnyDesk logins with unknown people. Nevertheless, users have to be wary and increasingly vigilant about the data they’re sharing with unknown individuals.’
Jenny Ross, Which? Money Editor, said: ‘Millions of pounds are lost to computer takeover scams every year, with potentially devastating consequences for victims who lose life-changing sums of money to these callous fraudsters.
‘Which? is calling on banks to reimburse all blameless customers who fall victim to these scams and for the government to introduce legislation to ensure a new statutory code of practice can be created, which would include clear standards and protections for victims.’
What to do if you’ve given a scammer remote access to your device
First and foremost, take back control of your device. If you can still see your screen, there should be a disconnect button enabling you to end the session. As a precaution, also turn off wifi at the router or unplug the network cable to fully disconnect from any external connection.
Tell your banks immediately if there is a chance they have been compromised and report the crime to Action Fraud.
Once your device has been switched back on, you can remove the software (check for recently installed programs/downloads) and any other apps that may have been installed by the scammer while they had remote access.
You should reset all passwords for online accounts (current accounts, savings, email etc) and enable two-factor authentication where possible.
If you have security software, ensure it is fully up to date with the latest updates, then run a full security scan. To be extra safe, you may want to do a factory reset of your device, or ask an IT expert to confirm the device is safe to reuse.
- Find out more: tech-support scams