Unsafe Financial Transactions

Despite continuous reports of financial fraud in the media, history appears to keep repeating itself. The same scams exist, and the only real difference is an increase in the level of fraud, not a decrease due to increased awareness. Earlier this month I published an article called ‘deviation from the norm’ which encourages people to be more suspicious when they are asked to take action which they would not normally take, or that differs from how most people do things. This article is a follow-up looking at some situations that are still endemic throughout society and which, in some cases, are having a life-changing negative impact on people.

  • Never use bank transfers to send money to someone you have not met in person, or with whom you have no prior or existing business or personal relationship. Payment for goods and services with Visa or Mastercard has the added protection that if goods or services are not delivered, your bank can process a chargeback to the card. Sites such as eBay have processes in place and can process refunds without needing to involve the bank. Bank transfers bypass this safety net completely, and refunds are not available if goods or services are not delivered.
  • Although cheques are in significant decline, it is still important to remember that cheques can take several days to clear, can be cancelled at any time, and can bounce if funds are not available in the originating account. Wait until funds have cleared before delivering goods or services, processing refunds, or refunding overpayments.
  • Do not make a payment of fees or taxes upfront to receive a payout. Upfront fees for lottery winnings are still a common theme, as are advance fees for loan applications where the loan never materialises. Where the advance fee comes with a guaranteed loan offer or a promise that the fee will be refunded, the terms and conditions are often so bad that the applicant rejects the loan; for example, a loan offered at 2000% APR. Rejecting the loan does not bring a refund of the fees.
  • Never transfer money upfront to anyone in connection with a job application. If you are applying for a job, your future employer will pay you.
  • Never send money in response to emergencies reported by family members without verifying the facts and speaking to those in distress. Examples include a lost wallet and an urgent need to transfer cash to a friend to survive in a foreign country, being sick and needing to pay for urgent medical care, or being arrested and needing to pay fees to be released. Whatever form this takes, it exploits the love and care for a family member or friend, and pushes you into helping before you have a chance to realise there is no real emergency.

Deviation from the norm

Are you being asked to act in a way that deviates from the usual way of doing things? If you are, then you should exercise some scepticism. When things go wrong and result in financial loss, it is often the case that the vendor asked for something out of the ordinary, and at the time, it would have sounded plausible for whatever reason. There are many examples of plausible-sounding requests, yet there are far more examples of people losing vast sums of money because a transaction required them to deviate from the norm.

Being asked to pay upfront fees to receive something of higher value should be met with scepticism. Winning a lottery prize is just one example. To obtain the winnings, the scammers ask people to pay administration fees. They have £100,000 to give you, but you must pay them a £350 fee. Putting aside the fact that if you never bought a ticket, you could not be a winner, then even if you had genuinely won the prize, the obvious approach would be to deduct the fee and pay you a net £99,650.

Society has not yet evolved to a point where it can operate without cash, as card payments are often cost-prohibitive for small transactions. Consequently, for businesses where all transactions are small, cash payments are still a requirement. However, it is unusual these days for cash to be mandatory for medium or large transactions. It could be something as simple as a means of reducing taxation, but it is worth asking questions and being aware of the risks, more so if the vendor will deliver goods or services at a later date. There are cases of businesses taking cash orders after they become aware that a bankruptcy declaration is imminent; a high street travel agency being one example. Again, at a time when payments for goods and services are predominantly made with a bank card or credit card, ‘cash only’ for whatever reason is a deviation from the norm.

Bank transfers to people or businesses where no existing relationship exists are asking for trouble, but this still happens. Again, payment by bank card or credit card is a well-established practice. Other established payment options, such as WorldPay and PayPal, have fraud-prevention measures in place. These established payment services protect consumers, but far too often people are asked to deviate from this norm and transfer money directly to a bank account, only to never receive the goods or services and, even worse, never be able to contact the recipient.

Reasons which sound plausible for needing to deviate from the norm include:

  • The suggestion that there is a legal or official requirement for it to be different. For example, an alleged policy that consumers must pay a deposit on a holiday in cash. In practice, this circumvents all the protection offered by Visa or MasterCard if something goes wrong.
  • ‘This is how we do it with all our customers, and you save money.’ An attempt to convince you that the ‘deviation from the norm’ is the usual practice that everyone uses.
  • Time constraints, such as a theatre ticket that is only valid this week, so you must transfer payment immediately to get the tickets in time for the performance. This creates a sense of urgency to deviate from the norm.
  • The card machine is not working today, and sadly this offer will not be available tomorrow. This creates the fear of loss while offering the deviation from the norm as a viable solution.
  • Discounts offered for bank transfers or cash payments because of card payment fees. This creates a financial incentive to deviate from the norm.
  • ‘We only have two left.’ Using scarcity as a means of pushing a deviation from the established ways of doing things.

These examples are very familiar to many readers, as stories keep resurfacing, but that is because the problem is far from being resolved. The suggestion here is to take a more holistic approach and be suspicious whenever a transaction deviates from the usual way of doing things in society.

It is easier to commit fraud against you if you are a willing participant. If you are complicit in making payments to fraudsters, financial institutions will use this as a means of denying any refund claims. However, the definition of ‘complicit’ is gradually changing in favour of consumers, and more safeguards are in place, along with greater awareness.

This article is not a suggestion that every deviation from everyday practices is an attempt to commit fraud against you, but rather an encouragement to be sceptical and make a judgement whenever something does deviate.

12 Months of GDPR

General Data Protection Regulation (GDPR) became law in the UK exactly one year ago, and this article reports on personal observations over 12 months. GDPR has created greater awareness of best practices for handling personal data because of the fear of financial penalties of up to 4% of annual turnover or 20,000,000 Euros, whichever is higher. During this time, a significant number of complaints have been made to data protection authorities requesting investigations and some have resulted in financial penalties.

More information is available at https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

For UK readers also visit the website of the UK’s Information Commissioner’s Office:

Email Notifications

I have received many privacy notifications from companies stating that they hold and process personal data. Roughly 50% of these notifications were from businesses with which I had no prior contact or to which I have not given consent to process data.

  • Requests for data removal have resulted in a need to provide more personal data to confirm my identity
  • Two businesses wanted a scan of my passport or driving licence before they would remove the data
  • Some email notifications indicated that removal of personal data required recipients to log in and change their data settings

Observations suggest that:

  • The way some businesses have chosen to implement GDPR forces people to jump through hoops to have their data removed
  • Hackers can easily use GDPR-related emails for phishing. With everyone expecting such emails after the introduction of GDPR, many ‘removal requests’ could already have resulted in people handing over more personal details than were held in the first place, to be processed inappropriately.

Date of Birth

Use of Date of Birth as a security question has increased. I’ve said many times that people should not use immutable facts for security. Still, the point here is that over the last 12 months companies have asked for my date of birth when in fact I would never have had a legitimate reason to give it to them in the first place.

It became evident that companies are requesting dates of birth for security, but the real purpose is to populate a previously blank field in their database. I put this to the test in the following two ways:

  • I gave a bogus date of birth. The company accepted it as correct for security
  • I told them they would have nothing to compare it against because there was no legitimate need for them to know. Following a pause, the operator checked with their manager and asked an alternative security question.

The legitimacy of these businesses is not in question, as we are not talking about potentially fraudulent companies that nobody has ever heard of; we are talking about national brands. Unless people are mindful of whom they have given their date of birth to, it is reasonable to assume that when asked to confirm it, they would be willing to give it.

Personalised Junk Mail

The quantity of personalised mail has reduced quite significantly, but the amount of non-personal mail has increased substantially during the same period. The increase is roughly 50/50 between:

  • Letters addressed to ‘owner/occupier’ without any named individual – suggesting that where businesses have a refined customer list but no consent to hold personal data, they remove the names and keep targeting the addresses.
  • Unaddressed mail – suggesting many businesses have chosen to deliver leaflets instead.

More information on how to stop receiving junk mail is available here: https://www.citizensadvice.org.uk/consumer/post/stop-getting-junk-mail/

Public Data Feeds

Publicly available data sources are still available free of charge, or for a nominal payment, from government departments and local authorities. Consequently, second-level websites and services which use publicly available data still have access to all of it, and make it available to everyone free of charge or for a fee.

Requests to remove data still meet resistance and a need to jump through hoops, including providing significantly more personal information before any action is taken. The removal is only effective until a replacement data feed is processed. No evidence is available to indicate that a separate suppression list exists to ensure that removal requests are permanently applied.

This information is more than sufficient for fraud to take place. Yet, to my knowledge, nobody has ever consented to this information being made available publicly by authorities, or given consent to third-party organisations to process this data and sell it online. Such businesses can, however, claim a ‘Legitimate Interest’ under GDPR.

A data broker can claim to have a legitimate interest because their source of income is the sale of your data. Although data privacy advocates would like nothing more than to see some of these businesses cease to exist, and this has come up in conversation many times over the last 12 months, it is unlikely to happen any time soon because the businesses are highly profitable. Their business purpose is to profit from your data, so they have a ‘Legitimate Interest’ in processing it; this is potentially a court case waiting to happen, with case law eventually defining the boundary.

Increased User Accounts

More and more websites insist that an online account is required to make a purchase. There are many business reasons for mandatory user accounts, and an increase over the previous 12 months could be a coincidence. However, a user account does address the issue of maintaining data accuracy, as it essentially transfers responsibility for accuracy to the user, who can log in and edit their data. Also, over the last 12 months, I have observed several accounts created without my consent, along with emails inviting me to verify details.

There are long term security implications to consider:

  • People can quickly lose track of user accounts over time, particularly where creating an account was mandatory at the time of placing an order even though it was clearly a one-time purchase. Security questions based on historical facts are an equal problem, as the answers are the same across every site that asks them.
  • Many websites still send passwords by email in plain text in response to forgotten password options. However, sites are increasingly switching to a more secure reset process.
  • Sites could store credit card details in accounts to which people no longer have access
  • Re-use of logon credentials and security questions between sites increases the risk of more important sites being compromised

Not everyone maintains an inventory of user accounts; in fact, it is more likely that very few people do. More user accounts mean more opportunities for user accounts to be hacked. Many sites authenticate with Facebook or Google; however, if either of these is compromised, all connected accounts are also compromised.

Increased cookie popups

Consent to store cookies has been implemented in many different ways, from a visible page on the website to popups demanding that users click a button to accept cookies.

  • Website platforms such as WordPress have implemented it as standard, so anyone with a website powered by WordPress gets the functionality automatically
  • Website developers have implemented intrusive popups which disrupt the user experience on the site, such as fading out the content of the page and requiring ‘accept’ to be selected before the visitor can read it, not allowing the ‘accept’ button to be selected until the entire page has downloaded, and not providing an option to ‘decline’.
  • Many sites don’t have a ‘decline’ option. Although websites often need cookies for the duration of the session or for security, these reasons are not in the regulations. Website developers’ choice to offer either ‘allow’ or ‘leave’ creates a new problem: people will click ‘allow’ as an automatic response, which in the long term will render the concept useless, rather like the millions of people who tick a box to say they accept terms and conditions but never actually open and read them.

More information is available at:

Choosing Suppliers Online

Protecting personal information is a serious concern for everyone. When choosing suppliers online for whatever purpose, it will be necessary to share some information to use the services. It is your responsibility to determine whom you trust with your personal information.

  • Does the business have an established brand and reputation to protect? Although we often hear about big names involved in large-scale data breaches, it is reasonable to say that a business with a lot to lose will make more effort to protect your data than those that are here today and gone tomorrow.
  • How did you arrive at the website? If it was in response to an advert, did it create a sense of urgency, such as offering something at a discount that is only available today? There is always a reason why someone wants you to make a decision quickly. Businesses wishing to establish themselves in the marketplace will be happy for you to make your own decision in your own time.
  • Has this business been involved in security incidents and loss of data? Information about such events is often available on the Internet and easy to find with search engines.
  • How secure is the website? Does the site use HTTP or HTTPS in its website address? (HTTPS only shows that the connection is encrypted; it says nothing about how the business handles your data once it arrives.) Other factors matter too, such as how password reminders work. If your password is sent to you as plain text by email, it demonstrates how they feel about your security, because it means they have kept a readable copy of it.
  • Does the website have a privacy policy and information about the use of cookies?
  • Does the website clearly show how to contact the business, the registered address, trading address, contact telephone numbers and contact email addresses?
  • How much information does the site ask for while signing up? I have observed a significant increase in websites demanding more information than is needed. Please stop and think about why they need such information and be ready to walk away. National Insurance numbers, for example, are required only when dealing with HMRC and employment-related matters, so no other business has any legitimate purpose in requesting such information.
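To show the difference between a plain-text password reminder and the more secure reset process mentioned above (and in the user-accounts section), here is an added example that is not from the original article: passwords are stored only as salted one-way hashes, so there is nothing to email back, and the reset link carries a random, single-use, expiring token whose hash alone is stored. The in-memory stores and function names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores for this example (hypothetical, not any real site's code).
USERS = {}          # username -> {"salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}   # sha256(token) hex -> {"user": str, "expires": float}
TOKEN_TTL_SECONDS = 15 * 60   # reset links stop working after 15 minutes

def _hash_password(password: str, salt: bytes) -> bytes:
    # One-way key derivation: the site keeps no copy of the password, so it
    # cannot email the password back in a "reminder" even if it wanted to.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)   # fresh per-user salt, also rotated on every reset
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt)}

def verify_login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the stored hash with the freshly derived one.
    return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))

def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Return the secret to embed in the emailed reset link; only its hash is stored,
    so a leaked database table does not yield usable reset links."""
    if username not in USERS:
        return None   # the caller should still reply neutrally to avoid account enumeration
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return token

def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password only if the token is known, unexpired and not yet used."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    rec = RESET_TOKENS.pop(token_hash, None)   # pop makes the token single-use
    if rec is None or now > rec["expires"]:
        return False
    register(rec["user"], new_password)   # re-hash with a new salt
    return True
```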

Being suspicious can be a healthy attitude to take. Avoid impulse-buying scenarios. Ask yourself, if you didn’t know you needed ‘this’ yesterday, do you need it right now? It won’t hurt to take your time, speak to other people, think about it more, sleep on it, and make a decision later.

Last year I wrote an article called ‘The Website Credibility Test’ which contains more information relating to this article.