By clicking a retailer link you consent to third-party cookies that track your onward journey. This enables W? to receive an affiliate commission if you make a purchase, which supports our mission to be the UK's consumer champion.
Your life for sale: stolen bank details and fake passports advertised on social media
A Which? Money investigation has uncovered profiles and pages across Facebook, Instagram and Twitter openly catering to would-be ID fraudsters.
By searching just a few slang terms used by fraudsters, we rapidly found 50 scam profiles, pages and groups on social media platforms Facebook, Instagram and Twitter.
They advertised a mixture of stolen identities, credit card details, compromised Netflix and Uber Eats accounts, as well as fraud 'how to' guides and even fake passports made to order.
In the wrong hands, some of these details could be used to borrow money in victims' names, or to steal from the victims themselves.
Yet when we reported these clearly criminal pages using the social media sites' reporting tools, many were left up.
Facebook even initially refused to remove a post containing extensive stolen personal details leading to a man in Yorkshire.
Here's the story of how criminals went from operating underground to out in the open and on our screens.
How criminals steal your data
Fraud is now the most-reported crime in the UK, with 3,979,000 cases in England and Wales in the year to 2019. That's more than theft and almost 10 times as many as burglary.
And it starts, in many cases, with fraudsters obtaining your details.
This can happen in a variety of ways. In 2018, mobile bank Monzo cancelled and replaced more than 6,000 debit cards belonging to customers who had recently shopped with ticket retailer Ticketmaster.
It did this after receiving dozens of fraud reports and spotting that many of the victims were recent Ticketmaster customers.
Ticketmaster subsequently found malicious software (malware) on a third-party supplier's system, which was exporting customer card details to an unknown entity.
This is just one of many tactics used by fraudsters to steal your details. Others include automated scam calls and phishing emails, or texts that appear to be from your bank - all of which are designed to persuade you to reveal personal information and passwords.
HMRC is often impersonated by criminals. You may have come across texts and emails with HMRC logos, claiming you're owed a tax rebate. These ask you to click on a link to a phoney HMRC login page, then enter your payment and personal data, which go straight to a fraudster.
- Find out more: how to spot coronavirus-related scams
What happens to your data
The cybercriminals who harvest personal data don't necessarily want to exploit it themselves - they could be looking for kudos from other cybercriminals, or have ideological or political motivations.
On the dark web, such cybercriminals sit at the top of a pyramid, reaping the largest profits. The stolen card details and identities are sold on through layers of middle men who repackage them and sell them on to would-be fraudsters.
The fresher the data, the more likely it is to work for fraudsters, as banks or customers haven't flagged or changed it.
By the time the data reaches sellers and buyers on the clear web, it may have been tried out by lots of fraudsters already. Yet it may still work if neither the bank nor victim has spotted the fraud.
Even if you're aware of the theft, your details can be used to do serious damage. On the phone, fraudsters can use stolen personal information to convincingly pose as your bank and talk you into transferring money to their account.
Or the details could be used to apply for credit, bank accounts or insurance.
- Find out more: what to do if a fraudster has your bank details
'Fraud bibles' and 'cloned cards' for sale
We found user accounts, groups and posts promoting identity theft and other type of fraud on three of the world's most popular social media sites.
One Twitter user had a personal biography, which stated 'cloned cards and dumps + Pin', and included a WhatsApp number for secure encrypted messaging.
Instagram users posted gifs (animated images) of cash wads being wafted enticingly. They even shared full price lists detailing different wares from 'fullz' (full identities) to 'fraud bibles' containing step-by-step instructions for would-be scammers and hackers.
Once we started searching using fraud slang terms, Twitter recommended other accounts using the same terminology in its 'who to follow' section. This made it even easier to find the criminal sellers.
- Fraud bible - A comprehensive how-to guide for novice hackers and scammers, explaining how to create fake identities, use stolen card details and more.
- Methods - Guides explaining how to commit scams or evade security features such as two-factor authentication (2FA).
- Bins - The first six digits of the long number on a credit or debit card. Can be used in a variety of scams, including to convincingly pose as a victim’s bank on the phone.
- CC/Fullz - A victim’s credit card long number, CVV number and expiry date, alongside their address and sometimes additional details, including phone number, email address and/or date of birth.
- Sites - Compromised accounts on sites such as Amazon, Netflix or Uber Eats.
- Check drops - Compromised bank accounts with login details.
- Cashapp Accounts - Compromised accounts on payment apps such as Square, Venmo and Zelle.
Fake passport offered within hours
We approached two sellers who had contact details on their profiles. The first promised in a Twitter post to let you 'Buy UK passport, buy UK driving licence, buy UK ID card' and included an email address.
We emailed the address, posing as someone who needed a phoney passport as proof of ID to open bank accounts and credit cards. Within hours, we were offered one made to our specifications with a name, age and photo supplied by us, and delivered within eight days for u20ac3,500 (around £3,000).
We went no further and instead consulted experts at anti-fraud tech company, Featurespace. They said that a fake passport bought in this way was likely to be of low quality, but might pass muster as proof of ID in a bank branch if staff were not diligent.
They also pointed out that blank fake passports and other forms of ID documents are sold in bulk on the dark web, enabling anyone to set up shop selling made-to-order passports.
We passed our evidence to the Passport Office, a branch of the Home Office. A spokesperson told us: 'The production of fake passports is a crime and we take this issue very seriously. Those who produce fake passports will face the full consequences of the law.
'It's not possible to get on the passport database with a fake or forged passport. Biographical details on passports are only added to the passport database once an application has been properly examined, all checks completed and the decision to issue a passport has been taken.
'We are aware criminals use social media to sell fraudulent items, and we expect companies to crack down and remove them.'
- Find out more: what to do if you fall victim to ID Fraud
Tracking down a victim
The second fraudster we made contact with had a Twitter profile advertising cloned credit cards and Pins.
We messaged them via WhatsApp using the number in their profile and they replied offering full credit card details ('fullz') 'with a '£13k+ balance'. Each fullz was £100, or we could have three for £200.
Featurespace told us this is on the expensive side and suggests the data may have passed through many middle men with their own individual mark-ups before reaching this seller.
Yet some personal data we found was being given away for free as a sort of taster, to whet the buyer's appetite and prove the seller's credentials. On one Facebook group for hackers, we found an alarming post detailing the full identity of a man in Yorkshire.
His full name, date of birth, address, credit card number, CVV number and expiry date, sort code, the name of his bank and his mobile number were all listed. When we spotted this post in early 2020, it had already been up for four months.
Using the open electoral roll we were able to establish that the victim had lived at the address listed in the Facebook post at least as recently as 2018, along with individuals whose names and ages implied they were his wife and adult children.
We reported the post to Facebook and, after some back and forth, it was removed. We also reached out to the victim's bank, HSBC, but received no response.
The social media giants respond
We reported all 50 of the groups, pages and profiles to their respective social media platforms via their in-site reporting tools.
We were stunned when Facebook initially refused to remove the post containing the clearly stolen 'fullz' of the Yorkshire man, on the basis that it 'doesn't go against one of our specific community standards'.
When we requested a review of the decision, the post was removed, but the hacker group it was posted on remained up.
Facebook removed a few other isolated posts, but when we checked six days after making the reports, it had left up every page and group.
Instagram (owned by Facebook) hadn't removed any content at all and neither had Twitter.
We presented our findings to the platforms' media representatives. All the reported content across all three platforms has now been removed.
Facebook said: 'Fraudulent activity is not tolerated on our platforms, and we have removed the groups and profiles flagged to us by Which? Money for violating our policies. We continue to invest in people and technology to identify and remove fraudulent content, and we urge people to report any suspicious content to us so we can take action.'
Twitter said: 'It is against our rules to use scam tactics on Twitter to obtain money or private financial information. Where we identify violations of our rules, we take robust enforcement action. We're constantly adapting to bad actors' evolving methods, and will continue to iterate and improve upon our policies as the industry evolves.'
Policing the internet
It's all very well for platforms to urge users to report harmful content. But in our experience, such reports made using in-site tools aren't dealt with properly.
All signs indicate that the internet will be subject to stricter regulation in the decades to come. In February, the government announced plans to appoint telecoms regulator Ofcom as a watchdog for the websites which contain user-generated content, such as social media platforms.
These plans are at a very early stage and regulating the internet is controversial.
Yet when blatantly stolen data is posted and advertised in the open, and reports fall on deaf ears, it looks like social media platforms aren't even getting the basics right.
For advice on how to protect yourself from identity theft, check out our guide to protecting your data.
