Reducing fraud with virtual cards

Avoiding untrustworthy vendors is sound advice, but it is not always straightforward to evaluate them ahead of making an online purchase for the first time. This article introduces virtual credit cards, the reasons for needing them, and how they work as a viable countermeasure to reduce or avoid fraud.

A virtual credit or debit card works in the following way:

  • New bank account – you first need to open a bank account that supports this feature to use virtual cards. This part of the process is the same as other bank accounts. Your existing account may already include such a feature.
  • Create a virtual card – using your bank’s online portal, create a virtual card. The virtual card will include the 16-digit card number, the expiry date and the Card Verification Value (CVV) number found on the back of physical cards. The difference is that your bank will create the virtual card instantly.
  • Make purchases – use the virtual card details to make online and telephone purchases without disclosing your physical card details.
  • Delete your virtual card – deleting your virtual card will immediately block all further transactions. You can keep your card details for multiple transactions or delete your card once a single transaction is complete.

Reasons for implementing these countermeasures include:

  • Online accounts that don’t allow card removal – as a customer, you should have the option and the right to delete your card details, but in practice, many vendors have not implemented this and refuse to cooperate if you ask for the removal of your details.
  • Avoid subscription scams – some vendors have hidden terms and conditions that state that you are joining a club by making a purchase. Consequently, the vendor takes money from your bank account and adds it to your online vendor account, ready for future purchases. This type of purchase deviates from how people buy goods and services and, combined with the fact that very few people read terms and conditions on websites because they are too long and convoluted, this can catch people out. This kind of behaviour will show up when reading online reviews.
  • Stealth auto-renewal – vendors often keep hold of card details and set payments to renew automatically without informing their customers, either during the initial purchase or ahead of renewals.
  • Reduced need to cancel physical bank cards – the option to create and delete virtual credit cards means that if anything untoward takes place involving your bank account, it will not be necessary to request a replacement card. Removal of virtual cards will eliminate the risk.
  • Free trials – many services offer free trials and require the use of a credit or debit card so they can take payment from your account at the end of the free period unless you choose to cancel the service. You must ensure that you are not legally obliged to make payments if you fail to cancel a service explicitly. Use of virtual cards for trial registration followed by immediate deletion will offer protection against vendors that:
    • Make it difficult to cancel services
    • Mislead you into believing you have cancelled a service
    • Don’t respond to customer support requests for cancellation
    • Refuse to let you remove your card details

Banks are unlikely to investigate issues if you have given your card details to a vendor and will likely tell you to speak to the vendor to resolve the problem. The outcome will depend on the overall credibility and trustworthiness of the vendor.

Other countermeasures include:

  • Looking for reviews online – vendors often have reviews and testimonials on their websites, third-party websites, and discussions on social media. Sadly, fake reviews are commonplace, so you can’t always trust what you read.
  • Looking for online complaints – if a vendor misbehaves or refuses to cooperate with their customers in resolving problems, and customers lose money or get upset for any other reason, complaints will find their way to review websites and social media.
  • Only having the money you need for the transaction in the account – this works if your bank account doesn’t have any credit facilities attached to it, so you can never have a negative balance. The vendor can never take more than expected during the first transaction. Even with free trials, items can be added to your shopping basket by default or through pre-selected checkboxes, resulting in a surprise purchase.

Remember that when you give your credit or debit card details to a vendor, you have no control over how they store or use them.

Understanding the New Control Structure in ISO 27002:2022

Here are the changes to ISO 27001 and ISO 27002:

  • ISO 27002:2013 contains 114 controls spread across 14 domains. The 2022 version includes 93 controls spread across four control domains. The new version has all the existing controls, but many have been merged to reduce the quantity.
  • The following four control domains replace the 14 in ISO 27002:2013:
    • Organisational (37)
    • People (8)
    • Physical (14)
    • Technology (34)
  • ISO 27002:2022 includes 11 new controls:
    • Threat Intelligence
    • Information Security for Cloud Services
    • ICT readiness for business continuity
    • Physical security monitoring
    • Configuration Management
    • Information Deletion
    • Data Masking
    • Data Leakage Prevention
    • Monitoring Activities
    • Web Filtering
    • Secure Coding
  • Due to the control changes in ISO 27002 and the controls listed in Annex A within ISO 27001, Annex A will need updating to fully align ISO 27001 with ISO 27002. There may be additional changes to ISO 27001, so it will require a careful review when formulating a transition plan.

These changes simplify the control set and remove significant overlaps between controls across multiple domains.

Post-Brexit VAT Due Diligence

As a result of Brexit and the expiry of the transition period, the European Commission Taxation and Customs VAT Information Exchange System (VIES) (http://ec.europa.eu/taxation_customs/vies/) is no longer available to GB-registered businesses.

The new system for UK-registered businesses is here – https://www.tax.service.gov.uk/check-vat-number/enter-vat-details

Although many businesses still ask for a copy of the VAT registration certificate as part of their supplier due diligence process, it is essential to remember that the certificate only shows that a VAT registration existed at a single point in time. Please consider the following alternatives:

  • Verify the VAT registration online as part of your invoice processing
  • Verify the VAT registration at periodic intervals throughout the relationship with the supplier
  • Use the online process while onboarding your supplier

The new HMRC service allows UK VAT-registered businesses to prove they have performed checks. However, this is not guaranteed to absolve companies of financial liability for any VAT paid and subsequently claimed, strengthening the need for increased vigilance. Businesses knowingly or recklessly participating in fraudulent VAT transactions can become jointly liable for the unpaid VAT.

You can report suspected VAT fraud here – https://www.gov.uk/report-vat-fraud

Mobile Number Hijacking

Many people don’t think much about their phone numbers. They feel replaceable, something you keep until you switch providers, upgrade a handset, or lose a SIM. But today, your number is more than just a way to call or text. It’s one of the master keys to your identity. Banks, email services, and social platforms use it to decide whether you are really you. Mobile number hijacking allows attackers to steal your number and use it as a gateway into your digital life. When it happens, it’s usually quick, silent, and devastating.

What is mobile number hijacking?

Mobile number hijacking occurs when someone persuades your provider to transfer your number to a SIM card under their control. The moment it works, your phone goes dead. Calls and texts stop reaching you and instead flow to the attacker, including the one-time passcodes banks and services send by SMS.

With your number, an attacker can:

  • Reset passwords for email, social media, and bank accounts.
  • Bypass two-factor authentication that relies on text messages.
  • Impersonate you to friends, family, or colleagues.
  • Drain money or harvest personal data before you realise what’s happened.

How does it happen?

Criminals prepare carefully:

  • Data gathering – Collecting personal details such as name, address, and date of birth from phishing, social media, or leaked databases.
  • Exploiting weak checks – Taking advantage of providers that still rely on simple, easy-to-fake identity questions. In some cases, insiders have assisted.
  • Impersonation – Contacting the provider, posing as you, and requesting that the number be moved to a new SIM.

Where criminals get your information

To make impersonation believable, attackers first gather personal details that let them sound convincing. They assemble fragments of data from public, commercial, and illicit sources until they can pass themselves off as you.

  • Data brokers collect, package, and sell information found in public records. Scammers can buy your phone number from these companies.
  • Public social media profiles. Many social media and other sites ask for a phone number when signing up, with some leaving that information publicly available.
  • Fraudsters can send fake emails asking you to confirm personal information and contact details or pressuring you into calling them.
  • Phone scammers use tools that automatically call random or sequential phone numbers, hoping that unsuspecting victims will pick up.
  • If you’ve been the victim of a scam in the past, you may be on a target list that scammers share with each other.
  • Spyware and other malware infections. Hackers can trick you into downloading software that allows them to spy on you or steal personal information, such as your phone number.
  • Hacking unsecured Wi-Fi networks. If you enter your phone number on a website while using public Wi-Fi, hackers may be able to spy on you or intercept the data.
  • Stolen mail. Some scammers prefer old school methods, such as mail theft, to collect sensitive personal details and contact information.

Once successful, speed is the weapon. Accounts can be reset and funds transferred within minutes.

Warning signs

You can’t always spot an attack in advance, but watch for:

  • Sudden loss of mobile signal.
  • Unexpected account lockouts.
  • Password reset messages or login alerts you didn’t trigger.
  • Fraud warnings or unrecognised transactions.

How to protect yourself

You can’t make yourself completely immune, but you can make attacks harder to pull off:

  • Share less personal information. Limit what you post publicly, especially birthdays, addresses, and work history.
  • Use strong, unique passwords. A password manager helps avoid reuse across accounts.
  • Switch to app-based authentication. Apps like Microsoft Authenticator or Google Authenticator generate codes directly on your device, unaffected by SIM hijacking. Microsoft Authenticator also supports secure passwordless logins.
  • Stay alert to phishing. Treat rushed or unusual requests for personal details with suspicion.
  • Monitor your accounts. Review bank statements, email logins, and cloud activity regularly.

What to do if you suspect hijacking

If your number is hijacked, speed matters:

  • Contact your provider immediately to block the fraudulent SIM and recover your number.
  • Secure your accounts by changing passwords and moving away from SMS-based two-factor authentication.
  • Notify your bank and credit providers so they can monitor for fraud.
  • Check connected services such as email and cloud accounts for unrecognised devices and revoke access.

You are not powerless

Your mobile number may feel disposable, but it is one of the most valuable keys to your identity. If a criminal hijacks it, they don’t just take your calls, they can take over your online life. By switching to authenticator apps, adding extra security with your provider, and staying alert to phishing, you can make hijacking far harder to pull off.

Most people never realise how much depends on that small piece of plastic until it’s too late. Think of your number like your wallet, passport, or house keys. Protect it with the same care, because losing it could unlock far more than you expect.